Opened 17 years ago

Last modified 7 years ago

#1286 new enhancement

[Patch] Improve permissions model

Reported by: Jonathan S. Shapiro
Owned by: Alec Thomas
Priority: normal
Component: AddCommentMacro
Severity: normal
Keywords:
Cc: dclark@…
Trac Release: 0.11

Description

The AddComment macro has an insufficient permissions model. On some sites, comments are welcome, but only by authenticated users. Wouldn't it be appropriate to add COMMENT_CREATE, COMMENT_MODIFY, COMMENT_DELETE, COMMENT_ADMIN permissions and let the existing permissions mechanism be used to decide who can add comments?

Change History (5)

comment:1 Changed 15 years ago by dclark

Cc: dclark@… added; anonymous removed

comment:2 Changed 15 years ago by dclark

Trac Release: 0.10 → 0.11

I'd also like this fixed in a pretty way, but this seems to be sufficient to allow only authenticated (e.g. non-anonymous) users to comment:

  • macro.py

    old new  
    6262            cancomment = True
    6363        elif appendonly and 'WIKI_VIEW' in req.perm(resource):
    6464            cancomment = True
     65        elif req.authname != 'anonymous':
     66            cancomment = True
    6567        else:
    6668            raise TracError('Error: Insufficient privileges to AddComment')
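
Review bot: the added branch `elif req.authname != 'anonymous':` sets `cancomment = True` without consulting `req.perm(resource)` at all, unlike the `appendonly` branch directly above it, which requires `'WIKI_VIEW'`. As written, every logged-in account can comment wherever the macro appears, whether or not the macro was called with `appendonly` and whether or not the account holds any wiki permission on that resource. Suggest at least `elif req.authname != 'anonymous' and 'WIKI_VIEW' in req.perm(resource):`, and preferably a dedicated permission as the ticket description proposes, so the decision stays in Trac's permission system instead of a username comparison.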

comment:3 Changed 14 years ago by Peter

Yes, I would like to have this feature too. In the meantime I've added an option to pass an additional parameter to my version, [[AddComment(userappendonly)]], which only allows authenticated users to post.

Index: macro.py
===================================================================
--- macro.py	(revision 8373)
+++ macro.py	(working copy)
@@ -27,6 +27,11 @@
     {{{
     [[AddComment(appendonly)]]
     }}}
+    another optional argument which allows registered users to append
+    to the wiki even if they do not have modify permission:
+    {{{
+    [[AddComment(userappendonly)]]
+    }}}
     """
     implements(IWikiMacroProvider, IRequestFilter, IMacroPoster)
 
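
Review bot: the new docstring paragraph says registered users may append "even if they do not have modify permission" but omits that the matching code path still requires `WIKI_VIEW` and that anonymous visitors are shown a login prompt in place of the form. Document both conditions here, since this docstring is the only place a wiki admin learns what `userappendonly` grants, and start the sentence with a capital letter to match the rest of the docstring.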
@@ -54,16 +59,23 @@
         
         # Can this user add a comment to this page?
         appendonly = ('appendonly' in args)
+        userappendonly = ('userappendonly' in args)
         cancomment = False
+        showcommentbox = True
         if page.readonly:
             if 'WIKI_ADMIN' in req.perm(resource):
                 cancomment = True
+            else:
+                showcommentbox = False
         elif 'WIKI_MODIFY' in req.perm(resource):
             cancomment = True
+        elif userappendonly and req.authname != 'anonymous' and 'WIKI_VIEW' in req.perm(resource):
+            cancomment = True
         elif appendonly and 'WIKI_VIEW' in req.perm(resource):
             cancomment = True
         else:
-            raise TracError('Error: Insufficient privileges to AddComment')
+            showcommentbox = False
+        #    raise TracError('Error: Insufficient privileges to AddComment')
         
         # Get the data from the POST
         comment = req.args.get("addcomment", "")
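
Review bot: in the final `else:`, replacing `raise TracError(...)` with `showcommentbox = False` turns a hard stop into a display flag, and execution now falls through to `comment = req.args.get("addcomment", "")` for users who were refused. Hiding the form does not stop a hand-built POST, so the code below this hunk has to check `cancomment` before it saves anything; please confirm that it does, or keep the `raise` for requests that actually carry an `addcomment` value. The commented-out `raise` line should be deleted, not left in place.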
@@ -153,8 +165,8 @@
                           "macro call must be the only content on its line. "
                           "Could not add comment.",
                           class_="system-message")
-
-        the_form = tag.form(
+        if showcommentbox:
+            the_form = tag.form(
                     tag.fieldset(
                         tag.legend("Add comment"),
                         tag.div(
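
Review bot: `the_form` is now bound only inside `if showcommentbox:`, so on every refused request the name is never assigned. Any later statement that uses `the_form` will fail with an UnboundLocalError unless it is guarded by the same flag; setting `the_form = None` before the `if` and testing for it where the output is assembled is safer. The hunk also drops the blank line that separated the form from the preceding block, which is worth keeping for readability.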
@@ -191,6 +203,9 @@
                     method="post",
                     action=page_url+"#commenting",
                 )
+        else:
+            if not page.readonly and userappendonly and req.authname == 'anonymous':
+                the_message = tag.div(tag.strong("To comment on this page please register/login."),class_="system-message")
 
         if not wikipreview:
             # Wiki edit preview already adds this javascript file
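
Review bot: inside the new `else:`, `the_message` is assigned only when `not page.readonly and userappendonly and req.authname == 'anonymous'` holds, so the other refusal cases (a read-only page without `WIKI_ADMIN`, or a user who matches none of the permission branches) render neither a form nor an explanation, where the no-permission case previously raised a TracError. Give those cases a message as well, or state in a comment that the silence is intentional. Style: add a space after the comma in `,class_="system-message"` and wrap the long line.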

comment:4 Changed 14 years ago by Ryan J Ollos

Summary: Bad permissions model → [Patch] Bad permissions model

comment:5 Changed 7 years ago by figaro

Summary: [Patch] Bad permissions model → [Patch] Improve permissions model
Type: defect → enhancement
