Opened 9 years ago

Closed 7 years ago

Last modified 5 years ago

#3594 closed defect (fixed)

Permissions are not checked when accessing TicketStats page by entering URL

Reported by: anonymous
Owned by: Ryan J Ollos
Priority: normal
Component: TracTicketStatsPlugin
Severity: normal
Keywords:
Cc:
Trac Release: 0.11

Description

I've just one group with the TSTATS_VIEW permission.

So, normally, anonymous cannot see stats as it only has CHANGESET_VIEW, REPORT_SQL_VIEW, TICKET_VIEW, FILE_VIEW, REPORT_VIEW, TIMELINE_VIEW, LOG_VIEW, ROADMAP_VIEW, WIKI_VIEW, MILESTONE_VIEW and SEARCH_VIEW.

I'm using trac 0.11.

Attachments (0)

Change History (12)

comment:1 Changed 9 years ago by anonymous

Can someone help me, please?

comment:2 Changed 9 years ago by anonymous

2 months later ... no news?

comment:3 Changed 9 years ago by Prentice Wongvibulsin

Status: new → assigned

Sorry for the delayed response to this ticket. I haven't been watching this. Did you add TSTATS_VIEW to the permissions for anonymous?

comment:4 Changed 9 years ago by anonymous

Thanks for the reply.

No. I gave all the permissions that anonymous has in my ticket.

comment:5 Changed 9 years ago by Veysel

Just add

if req.perm.has_permission('TSTATS_VIEW'):

also to the beginning of the process_request method, as it is only checked for the navigation.

comment:6 Changed 9 years ago by anonymous

Sorry, but I don't know Python, so I don't know where to add this.

But in any case, the problem is important, I think. The TSTATS_VIEW permission is just here to decide whether the user, depending on his status, can see the Ticket Stats button or not. But if you enter the URL as anonymous, you are granted access.

comment:7 Changed 7 years ago by Ryan J Ollos

Summary: Everybody access to stats. → Permissions are not checked when accessing via absolute URL

If I understand correctly, the issue is that permissions are not being checked when a user accesses the page by entering a URL; rather, the permissions are only checked when a user clicks on a tab in the main navigation bar.

I also wonder why we need a specific permission to view ticket stats. It is really just presenting information available in reports in a different way, so it seems like we should just check for REPORT_VIEW permission and avoid the complication of having yet another permission.

comment:8 Changed 7 years ago by Ryan J Ollos

Summary: Permissions are not checked when accessing via absolute URL → Permissions are not checked when accessing TicketStats page by entering URL

comment:9 Changed 7 years ago by Ryan J Ollos

Owner: changed from Prentice Wongvibulsin to Ryan J Ollos
Status: assigned → new

Reassigning ticket to new maintainer.

comment:10 Changed 7 years ago by Ryan J Ollos

(In [9499]) Enforce permission when processing request. Prior to this changeset any user could access the TicketStats page by entering the URI. Refs #3594.
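The gap discussed in comment:5 and closed by this changeset, as an added example that is not part of the ticket or the plugin's code: a stand-alone model showing that gating only the navigation item leaves the handler reachable by URL, while a check inside process_request does not. The `Perm`, `Request` and `dispatch` classes, the `/ticketstats` path and the permission sets are constructed stand-ins for Trac's request, PermissionCache and dispatcher.

```python
# Stand-alone model of the bug in this ticket; it does not import Trac.
# Perm mimics the two PermissionCache calls involved: has_permission() and require().

class PermissionDenied(Exception):
    """Stand-in for trac.perm.PermissionError."""

class Perm:
    def __init__(self, granted):
        self.granted = set(granted)
    def has_permission(self, action):
        return action in self.granted
    def require(self, action):
        if action not in self.granted:
            raise PermissionDenied(action)

class Request:
    def __init__(self, path_info, granted):
        self.path_info = path_info
        self.perm = Perm(granted)

class StatsBeforeFix:
    def get_navigation_items(self, req):
        # The only place the permission is consulted: it hides the tab, nothing more.
        if req.perm.has_permission('TSTATS_VIEW'):
            yield ('mainnav', 'ticketstats', '/ticketstats')
    def match_request(self, req):
        return req.path_info == '/ticketstats'   # hypothetical path
    def process_request(self, req):
        return 'stats page'                      # served to whoever asks

class StatsAfterFix(StatsBeforeFix):
    def process_request(self, req):
        req.perm.require('TSTATS_VIEW')          # enforced on every request
        return StatsBeforeFix.process_request(self, req)

def dispatch(handler, req):
    """Return (navigation items, response) for a direct request to req.path_info."""
    nav = list(handler.get_navigation_items(req))
    if not handler.match_request(req):
        return nav, '404'
    try:
        return nav, handler.process_request(req)
    except PermissionDenied as e:
        return nav, '403 %s required' % e

# Constructed permission sets for the two kinds of user in the report.
ANONYMOUS = ['TICKET_VIEW', 'REPORT_VIEW', 'WIKI_VIEW']
STATS_GROUP = ANONYMOUS + ['TSTATS_VIEW']
```

Calling `dispatch(StatsBeforeFix(), Request('/ticketstats', ANONYMOUS))` returns an empty navigation list together with the stats page, which is the behaviour the reporter describes.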

comment:11 Changed 7 years ago by Ryan J Ollos

Resolution: fixed
Status: new → closed

(In [9500]) Merged [9499] into 0.11 and 0.12 branches. Fixes #3594.

comment:12 Changed 5 years ago by Ryan J Ollos

(In [13104]) Refs #8600, #5568, #3594: Removed the 0.11 and 0.12 branches. The trunk will be kept compatible with 0.11 and higher for now.
