Opened 11 months ago

Closed 11 months ago

Last modified 11 months ago

#12914 closed defect (fixed)

TOC Macro is not working for FullBlogPlugin if user has not WIKI_VIEW permission

Reported by: bitelxux@… Owned by: Ryan J Ollos
Priority: lowest Component: TocMacro
Severity: normal Keywords:
Cc: Trac Release: 1.0

Description

In the scenario where a user has BLOG_VIEW permission (for FullBlogPlugin) but not WIKI_VIEW permission, the TOC window in any blog post has no content.

The problem is that the code explicitly checks for WIKI_VIEW permission.

The fix is straightforward: check for either WIKI_VIEW or BLOG_VIEW.

Attachments (2)

my_patch_file.diff (647 bytes) - added by bitelxux@… 11 months ago.
Proposed patch
tocmacro.diff (648 bytes) - added by bitelxux@… 11 months ago.
patch removing permissions check on macro.

Change History (9)

Changed 11 months ago by bitelxux@…

Attachment: my_patch_file.diff added

Proposed patch

comment:1 Changed 11 months ago by bitelxux@…

Proposed patch attached: my_patch_file.diff.

Last edited 11 months ago by Ryan J Ollos

comment:2 Changed 11 months ago by bitelxux@…

This could be a better approach, removing the specific BLOG permission from the TOC macro:

As the TOC macro is used in an already protected element (wiki, blog, whatever ...), it doesn't make any sense to check the permissions for the TOC element itself, as it will not be displayed in the case that the user cannot access the upper element.

So this solution is about completely removing the check of the WIKI_VIEW permission. This way, the not-nice reference to a permission belonging to another plugin (like blog) is not needed.

Changed 11 months ago by bitelxux@…

Attachment: tocmacro.diff added

patch removing permissions check on macro.

comment:3 Changed 11 months ago by Ryan J Ollos

Owner: set to Ryan J Ollos
Status: new → accepted

comment:4 in reply to: 2; Changed 11 months ago by Ryan J Ollos

Replying to bitelxux@…:

As the TOC macro is used in an already protected element (wiki, blog, whatever ...), it doesn't make any sense to check the permissions for the TOC element itself, as it will not be displayed in the case that the user cannot access the upper element.

TracFineGrainedPermissions checks need to be performed for the case that the TOC of another resource is being displayed. The TocMacro assumes that the other resource is a wiki page.

The following might be the simplest change we could make to support your use case: displaying the TOC for a blog post. It wouldn't fix all the issues with using TOC in a blog post; displaying the TOC for another blog post still wouldn't work.

As you've suggested, the action should already have been checked for the resource on which the TOC is used, so we could skip the permission check for that resource:

  • tractoc/macro.py

     
    202202        active = len(pagenames) > 1
    203203        for pagename in pagenames:
    204204            page_resource = resource(id=pagename)
    205             if not 'WIKI_VIEW' in context.perm(page_resource):
    206                 # Not access to the page, so should not be included
     205            if resource.id != pagename and \
     206                    not 'WIKI_VIEW' in context.perm(page_resource):
     207                # No access to the page, so should not be included
    207208                continue
    208209            if 'title_index' in params:
    209210                self._render_title_index(formatter, ol, page_resource,
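Review bot: the new skip condition `resource.id != pagename` compares ids only, which is safe here because `page_resource = resource(id=pagename)` is derived from the context resource and therefore shares its realm; the comment on the `continue` should also state that the skip is valid only because the caller has already enforced the view action on the containing resource, since the macro itself cannot verify that. Minor style point: `not 'WIKI_VIEW' in context.perm(page_resource)` reads better as `'WIKI_VIEW' not in context.perm(page_resource)`.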

comment:5 in reply to: 4; Changed 11 months ago by anonymous

Replying to rjollos:

Sounds good :-) That way, in the use case where a user has access only to the blog, they will see the most common case.

Last edited 11 months ago by Ryan J Ollos

comment:6 Changed 11 months ago by Ryan J Ollos

Resolution: fixed
Status: accepted → closed

In 15937:

11.0.0.6: Skip permission check on resource containing the TOC

Permission must have already been granted on this resource
if the macro is being executed. An effect of this change is that
TOC can be used in resources other than wiki pages, such as
blog posts, as long as the TOC is only created for the post
containing the TOC macro.

Fixes #12914.
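The permission logic discussed in comment:4 and summarised in the commit message above, modelled as an added, stand-alone example (not the TocMacro's or Trac's own code). It assumes a `Resource` and a `PermissionCache` stand-in that mimic `trac.resource.Resource.__call__` and `context.perm(resource)` only as far as the macro uses them; the blog post, wiki page names and permission sets are constructed sample data. The `skip_containing` flag switches between the behaviour before the change (every listed page needs WIKI_VIEW, so a BLOG_VIEW-only user gets an empty TOC) and after it (the containing resource is trusted, other pages still go through the fine-grained check).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    """Minimal stand-in for trac.resource.Resource (assumption)."""
    realm: str
    id: str

    def __call__(self, id):
        # Mirrors Resource.__call__: derive a resource in the same realm
        # with a different id, as macro.py does with resource(id=pagename).
        return Resource(self.realm, id)


class PermissionCache:
    """Constructed stand-in for context.perm(resource): the user's global
    actions, optionally narrowed per resource by a fine-grained policy."""

    def __init__(self, global_actions, denied=None):
        self.global_actions = set(global_actions)
        self.denied = denied or {}  # Resource -> set of actions denied there

    def __call__(self, resource):
        return self.global_actions - self.denied.get(resource, set())


def toc_pages(context_resource, pagenames, perm, skip_containing=True):
    """Return the page names the TOC may list.

    With skip_containing=True (the committed change) the resource that
    contains the macro is never filtered: the caller already enforced its
    view action before rendering. Every other page is listed only if the
    user holds WIKI_VIEW on it, which keeps TracFineGrainedPermissions in
    force for TOCs that span other pages.
    """
    listed = []
    for pagename in pagenames:
        page_resource = context_resource(id=pagename)
        is_containing = skip_containing and context_resource.id == pagename
        if not is_containing and 'WIKI_VIEW' not in perm(page_resource):
            # No access to the page, so it should not be included.
            continue
        listed.append(pagename)
    return listed


def demo():
    """Walk through the ticket's scenario and a fine-grained wiki case."""
    blog_post = Resource('blog', 'hello-world')
    blog_only = PermissionCache({'BLOG_VIEW'})  # user from the ticket

    # Before the change: the post's own TOC is empty for a BLOG_VIEW-only user.
    before = toc_pages(blog_post, ['hello-world'], blog_only,
                       skip_containing=False)
    # After the change: the containing post is listed without WIKI_VIEW.
    after = toc_pages(blog_post, ['hello-world'], blog_only)
    # A TOC naming another post still requires WIKI_VIEW, as comment:4 notes.
    other_post = toc_pages(blog_post, ['hello-world', 'second-post'], blog_only)

    # Wiki user whose fine-grained policy denies WIKI_VIEW on one page.
    wiki_page = Resource('wiki', 'WikiStart')
    wiki_user = PermissionCache(
        {'WIKI_VIEW'},
        denied={Resource('wiki', 'Secret'): {'WIKI_VIEW'}})
    fine_grained = toc_pages(wiki_page, ['WikiStart', 'Secret', 'TracGuide'],
                             wiki_user)
    return before, after, other_post, fine_grained


if __name__ == '__main__':
    for label, pages in zip(('before', 'after', 'other_post', 'fine_grained'),
                            demo()):
        print(f'{label}: {pages}')
```

The `is_containing` test is the whole change: it only ever widens the result by one entry, the resource the user is already viewing, so a fine-grained deny on any other page listed in the TOC still hides that page exactly as before.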

comment:7 in reply to:  6 Changed 11 months ago by bitelxux@…

Replying to rjollos:

Thanks!
