TOC Macro is not working for FullBlogPlugin if user has not WIKI_VIEW permission

[bitelxux@…]

In the scenario where a user has BLOG_VIEW permission ( for FullBlogPlugin ) but not WIKI_VIEW permission, the TOC window in any blog post has no content.

The problem is that the code explicitly checks for WIKI_VIEW permission.

The fix is straight forward: check for either WIKI_VIEW or BLOG_VIEW.

[bitelxux@…]

Proposed patch

[bitelxux@…]

Proposed patch attached: my_patch_file.diff​.

[bitelxux@…]

This could be a better approach, removing the specific BLOG permission from TOC macro:

As the TOC macro is used in an already protected element ( wiki, blog, whatever ... ), it doesn't make any sense to check the permissions for the TOC element itself, as it will not be displayed in the case that the user can not access the upper element.

So this solution is about completely remove the checking of the WIKI_VIEW permission. This way, the not nice referente to a permission belonging to other pluging ( like blog ) is not needed.

[bitelxux@…]

patch removing permissions check on macro.

[Ryan J Ollos]

Replying to bitelxux@…:

As the TOC macro is used in an already protected element ( wiki, blog, whatever ... ), it doesn't make any sense to check the permissions for the TOC element itself, as it will not be displayed in the case that the user can not access the upper element.

TracFineGrainedPermissions checks need to be performed for the case that the TOC of another resource is being displayed. The TocMacro assumes that other resource is a wiki page.

The following might be the simplest change we could make to support your use case - displaying the TOC for a blog post. It wouldn't fix all the issues with using TOC in a blog post - displaying TOC for another blog post still wouldn't work.

As you've suggested, the action should already have been checked for the resource on which the TOC is used, so we could skip the permission check for that resource:

tractoc/macro.py

@@ -202 +202 @@
         active = len(pagenames) > 1
         for pagename in pagenames:
             page_resource = resource(id=pagename)
-            if not 'WIKI_VIEW' in context.perm(page_resource):
-                # Not access to the page, so should not be included
+            if resource.id != pagename and \
+                    not 'WIKI_VIEW' in context.perm(page_resource):
+                # No access to the page, so should not be included
                 continue
             if 'title_index' in params:
                 self._render_title_index(formatter, ol, page_resource,

[anonymous]

Replying to rjollos:

Sounds good :-) That way in the use case where a user has access only to the blog will see the most common case.

[Ryan J Ollos]

In 15937:

11.0.0.6: Skip permission check on resource containing the TOC

Permission must have already been granted on this resource
if the macro is being executed. An effect of this change is that
TOC can be used in resources other than wiki pages, such as
blog posts, as long as the TOC is only created for the post
containing the TOC macro.

Fixes #12914.

[bitelxux@…]

Replying to rjollos:

Thanks !