| 4 | | |
| 5 | | > Replying to [comment:2 bitelxux@…]: |
| 6 | | > > As the TOC macro is used in an already protected element ( wiki, blog, whatever ... ), it doesn't make any sense to check the permissions for the TOC element itself, as it will not be displayed in the case that the user can not access the upper element. |
| 7 | | > |
| 8 | | > TracFineGrainedPermissions checks need to be performed for the case that the TOC of another resource is being displayed. The TocMacro assumes that other resource is a wiki page. |
| 9 | | > |
| 10 | | > The following might be the simplest change we could make to support your use case - displaying the `TOC` for a blog post. It wouldn't fix all the issues with using `TOC` in a blog post - displaying `TOC` for another blog post still wouldn't work. |
| 11 | | > |
| 12 | | > As you've suggested, the action should already have been checked for the resource on which the `TOC` is used, so we could skip the permission check for that resource: |
| 13 | | > {{{#!diff |
| 14 | | > Index: tractoc/macro.py |
| 15 | | > =================================================================== |
| 16 | | > --- tractoc/macro.py (revision 15935) |
| 17 | | > +++ tractoc/macro.py (working copy) |
| 18 | | > @@ -202,8 +202,9 @@ |
| 19 | | > active = len(pagenames) > 1 |
| 20 | | > for pagename in pagenames: |
| 21 | | > page_resource = resource(id=pagename) |
| 22 | | > - if not 'WIKI_VIEW' in context.perm(page_resource): |
| 23 | | > - # Not access to the page, so should not be included |
| 24 | | > + if resource.id != pagename and \ |
| 25 | | > + not 'WIKI_VIEW' in context.perm(page_resource): |
| 26 | | > + # No access to the page, so should not be included |
| 27 | | > continue |
| 28 | | > if 'title_index' in params: |
| 29 | | > self._render_title_index(formatter, ol, page_resource, |
| 30 | | > }}} |
