Opened 7 months ago

Closed 7 months ago

# TOC Macro is not working for FullBlogPlugin if user has not WIKI_VIEW permission

Reported by: bitelxux@…
Owned by: Ryan J Ollos
Priority: lowest
Component: TocMacro
Severity: normal
Release: 1.0

### Description

In the scenario where a user has BLOG_VIEW permission (for FullBlogPlugin) but not WIKI_VIEW permission, the TOC window in any blog post has no content.

The problem is that the code explicitly checks for WIKI_VIEW permission.

The fix is straightforward: check for either WIKI_VIEW or BLOG_VIEW.

Proposed patch

### comment:1 Changed 7 months ago by bitelxux@…

Proposed patch attached: my_patch_file.diff.

Last edited 7 months ago by Ryan J Ollos

### comment:2 follow-up: 4 Changed 7 months ago by bitelxux@…

This could be a better approach, removing the specific BLOG permission from TOC macro:

As the TOC macro is used in an already protected element (wiki, blog, whatever ...), it doesn't make any sense to check the permissions for the TOC element itself, as it will not be displayed in the case that the user can not access the upper element.

So this solution is about completely removing the check of the WIKI_VIEW permission. This way, the not-so-nice reference to a permission belonging to another plugin (like blog) is not needed.

### Changed 7 months ago by bitelxux@…

Patch removing the permissions check on the macro.

### comment:3 Changed 7 months ago by Ryan J Ollos

Owner: set to Ryan J Ollos
Status: new → accepted

### comment:4 in reply to: 2; follow-up: 5 Changed 7 months ago by Ryan J Ollos

> As the TOC macro is used in an already protected element (wiki, blog, whatever ...), it doesn't make any sense to check the permissions for the TOC element itself, as it will not be displayed in the case that the user can not access the upper element.

TracFineGrainedPermissions checks need to be performed for the case that the TOC of another resource is being displayed. The TocMacro assumes that other resource is a wiki page.

The following might be the simplest change we could make to support your use case - displaying the TOC for a blog post. It wouldn't fix all the issues with using TOC in a blog post - displaying TOC for another blog post still wouldn't work.

As you've suggested, the action should already have been checked for the resource on which the TOC is used, so we could skip the permission check for that resource:

`tractoc/macro.py`:

 active = len(pagenames) > 1 for pagename in pagenames: page_resource = resource(id=pagename) if not 'WIKI_VIEW' in context.perm(page_resource): # Not access to the page, so should not be included if resource.id != pagename and \ not 'WIKI_VIEW' in context.perm(page_resource): # No access to the page, so should not be included continue if 'title_index' in params: self._render_title_index(formatter, ol, page_resource,
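Review bot: the new guard `resource.id != pagename` is only safe because the caller has already checked view permission on the resource containing the macro, but the code comment still reads only "No access to the page, so should not be included"; state that invariant in a comment next to the guard so a later change that renders a TOC for a resource other than the one being viewed does not silently skip the check. Minor style point on the same condition: `not 'WIKI_VIEW' in context.perm(page_resource)` reads more idiomatically as `'WIKI_VIEW' not in context.perm(page_resource)`. Note that every other name in `pagenames` is still checked for WIKI_VIEW, which is the remaining limitation acknowledged in the comment above (a TOC for another blog post still will not render).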

### comment:5 in reply to:  4 Changed 7 months ago by anonymous

Sounds good :-) That way, in the use case where a user has access only to the blog, they will see the most common case.

Last edited 7 months ago by Ryan J Ollos

### comment:6 follow-up: 7 Changed 7 months ago by Ryan J Ollos

Resolution: → fixed
Status: accepted → closed

In 15937:

11.0.0.6: Skip permission check on resource containing the TOC

Permission must have already been granted on this resource
if the macro is being executed. An effect of this change is that
TOC can be used in resources other than wiki pages, such as
blog posts, as long as the TOC is only created for the post
containing the TOC macro.

Fixes #12914.

Thanks!
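To make the behaviour change of comment:4 and the commit above concrete, here is an added, self-contained model of the check (not TocMacro's own code): `Resource` and `PermCache` are stand-ins for Trac's `Resource` and `context.perm`, and the blog/wiki grants are constructed for the ticket's scenario, a user holding BLOG_VIEW but not WIKI_VIEW.

```python
from collections import namedtuple

# Stand-in for trac.resource.Resource (realm + id only).
Resource = namedtuple('Resource', 'realm id')


class PermCache:
    """Stand-in for Trac's PermissionCache: (realm, id) -> granted actions."""

    def __init__(self, grants):
        self._grants = grants

    def __call__(self, resource):
        return self._grants.get((resource.realm, resource.id), set())


def visible_toc_pages(resource, pagenames, perm, check_container=False):
    """Return the names whose TOC may be rendered.

    resource        : resource containing the TOC macro; the caller has
                      already verified view permission on it (the invariant
                      the fix relies on).
    pagenames       : names the macro was asked to build a TOC for.
    perm            : permission cache, called with a resource.
    check_container : True reproduces the pre-fix behaviour, where WIKI_VIEW
                      was demanded even for the containing resource.
    """
    visible = []
    for pagename in pagenames:
        page_resource = Resource(resource.realm, pagename)
        needs_check = check_container or resource.id != pagename
        if needs_check and 'WIKI_VIEW' not in perm(page_resource):
            continue  # no access to that page, so it is not listed
        visible.append(pagename)
    return visible


# Constructed grants: blog-only user, and a wiki user who may not see 'Secret'.
BLOG_ONLY = PermCache({('blog', 'post-1'): {'BLOG_VIEW'},
                       ('blog', 'post-2'): {'BLOG_VIEW'}})
WIKI_USER = PermCache({('wiki', 'WikiStart'): {'WIKI_VIEW'},
                       ('wiki', 'Secret'): set()})


def demo():
    post = Resource('blog', 'post-1')
    before = visible_toc_pages(post, ['post-1'], BLOG_ONLY, check_container=True)
    after = visible_toc_pages(post, ['post-1'], BLOG_ONLY)
    other = visible_toc_pages(post, ['post-1', 'post-2'], BLOG_ONLY)
    wiki = visible_toc_pages(Resource('wiki', 'WikiStart'),
                             ['WikiStart', 'Secret'], WIKI_USER)
    return before, after, other, wiki
```

`demo()` returns `([], ['post-1'], ['post-1'], ['WikiStart'])`: the empty TOC of the bug report, the fixed case, the still-unsupported TOC of another blog post, and a wiki TOC where pages the user may not view remain filtered.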
