Modify ↓
Opened 9 years ago
Closed 9 years ago
#12574 closed defect (fixed)
Permissions checking is incorrect
Reported by: | Ryan J Ollos | Owned by: | Rob Guttman |
---|---|---|---|
Priority: | normal | Component: | DynamicFieldsPlugin |
Severity: | normal | Keywords: | |
Cc: | Trac Release: |
Description
Permission checking appears to be incorrect due to improper placement of braces: dynamicfieldsplugin/trunk/dynfields/web_ui.py@14718:52-53#L43. Tests should be added to confirm, however it appears that at least the following change is needed:
-
dynfields/web_ui.py
49 49 if ((req.path_info.startswith('/ticket') and 50 50 (req.perm.has_permission('TICKET_VIEW') or 51 51 req.perm.has_permission('TICKET_MODIFY'))) 52 or (req.path_info.startswith('/newticket') )and53 req.perm.has_permission('TICKET_CREATE')) \52 or (req.path_info.startswith('/newticket') and 53 req.perm.has_permission('TICKET_CREATE')) 54 54 or (req.path_info.startswith('/query') and 55 req.perm.has_permission('REPORT_VIEW')) :55 req.perm.has_permission('REPORT_VIEW'))): 56 56 add_script_data(req, {'triggers': self._get_triggers(req)}) 57 57 add_script(req, 'dynfields/dynfields.js') 58 58 add_script(req, 'dynfields/rules.js')
Attachments (0)
Change History (3)
comment:1 Changed 9 years ago by
comment:2 Changed 9 years ago by
Maybe we can simplify the expression and just check for template is not None
. I expect that should work provided we just want to avoid adding the scripts in case of a PermissionError
.
Note: See
TracTickets for help on using
tickets.
In 15052: