Opened 9 years ago
Closed 7 years ago
#12630 closed defect (fixed)
Change in #7594 disables editing a blog post by the author
Reported by: | Owned by: | Ryan J Ollos | |
---|---|---|---|
Priority: | normal | Component: | FullBlogPlugin |
Severity: | blocker | Keywords: | |
Cc: | massimo.b@… | Trac Release: | 1.0 |
Description
The change made in r14773 (#7594) causes wrong permission checking in plug-in FullBlogPlugin.
Scenario:
- Updated to trac v1.0.9
- Updated FullBlogPlugin to v0.1.5
- A logged in user
foo
with Foo Test asFull name
in the preferences.
If the user now (now in the meaning of: after update to v0.1.5) adds a new blog post his full name (Foo Test) is set as value for author instead the user's id (foo
).
The user is no more able to edit his post, since the database table now contains the full name (Foo Test) as author and not the user's id (foo
). Permission checks fail.
I suggest:
- When adding a new post, the field author must contain the user id
- if possible I would like to have an option to disable changing the value of this field when adding a new post, otherwise one can post as a different user
- The column author in the database scheme must always contain a user id
- With the user id of the database it is easy to show the user's full name on all pages if one is set
Attachments (1)
Change History (10)
comment:1 Changed 9 years ago by
comment:2 Changed 9 years ago by
Sorry, that my reply took so long, I didn't get an information that there was a comment left here. Or I didn'et see it.
However, back to the ticket:
At first some background to the usage environment:
- A trac instance with LDAP authentication
-> User ids are fixed. Full names not necessarily (marriage, ...) TracFullBlogPlugin
used as a project blog, where blog posts are required to be modified only by its author.
Yes, it is correct that a user can create a post as a different user, but that is IMHO another request to extend the plugin to disable this (maybe via an option/setting).
Currently we "live" with this and tell the users to not modify the author
field.
To be honest: I do not really understand (I'm not a python !developer) what your proposed changes will change and if it fits our needs. As I see you add the attribute 'disabled' to the 'input'-tag with a value depending on some variables. This sets whether author can be changed or not. But does this change the value put into the author field?
Another suggestion from me:
Maybe it is possible without too much coding to add an option / setting in the admin section what kind of information is used as the default author for a blog post when it is created? Maybe three choices:
Empty
UserId
of current user's session (which is what we need)Full name
(it's OK, if this is the default setting to keep compatibility)
And in addition (if this is not too much work) an option whether changing the author field on creation/editing is allowed.
comment:3 Changed 8 years ago by
Additional issues with r14773 noted in comment:11:ticket:7594. I agree with points made in comment:description, and proposed some solutions in comment:11:ticket:7594. Eventually I'll probably generate a patch as this is causing problems on trac-hacks.org.
comment:5 Changed 8 years ago by
Cc: | massimo.b@… added |
---|
comment:6 Changed 7 years ago by
Owner: | changed from osimons to Ryan J Ollos |
---|---|
Status: | new → accepted |
comment:7 Changed 7 years ago by
I'm preparing a patch. I tried testing with Trac 0.11 per preference of osimons. r14886 is not compatible with Trac 0.11:
TemplateNotFound: Template "attach_file_form.html" not found
I absolutely do not care about Trac 0.11. The last commit to the Trac 0.11-stable branch was 7 years ago.
Since the fullblog branch is not compatible with Trac 0.11, I'll test with Trac 0.12. If the fullblog branch is made compatible with Trac 0.11 and that's needed to accept my patch, then I'll make my patch compatible with Trac 0.11.
Changed 7 years ago by
Attachment: | t12630.diff added |
---|
comment:8 Changed 7 years ago by
Proposed changes in t12630.diff:
- Anonymous users with session info will have a name like
User One <user1@gmail.com>
, as requested in #7594. - The authname is always stored in the database for authenticated users.
- Full names will be rendered with Trac 1.2 and later.
- User datetime format preferences are respected in Trac 1.0 and later.
Right. This problem arises with the
BLOG_MODIFY_OWN
permission check. Which of course is the same problem you get if you create/edit posts in a different name than your own.BLOG_MODIFY_ALL
permission can of course set and edit any posts.First, the suggestions in the ticket descriptions are good ideas but not so easy to complete. Trac does not store users as such, and doing lookup in the sessions of all users referenced in author categorization will be painful. A lot of code and extra processing. And username may of course be 'anonymous' that cannot be looked up later.
Also, the basic idea of author is really just a dimension of categorization. Inside a typical project it is no different than letting anyone post to a named category that by use should be reserved for a select few. This is not a heavy-duty blogging system, and in the spirit of Trac I would much rather have freedom and flexibility (permissions allowing).
I'm tempted to just require
BLOG_MODIFY_ALL
permission to set/edit the author field through web:tracfullblog/templates/fullblog_edit.html
Would that be OK?