#3594 closed defect (fixed)
Permissions are not checked when accessing TicketStats page by entering URL
Reported by: | anonymous | Owned by: | Ryan J Ollos |
---|---|---|---|
Priority: | normal | Component: | TracTicketStatsPlugin |
Severity: | normal | Keywords: | |
Cc: | | Trac Release: | 0.11 |
Description
I've just one group with the TSTATS_VIEW permission.
So, normally, anonymous cannot see stats as it only has CHANGESET_VIEW, REPORT_SQL_VIEW, TICKET_VIEW, FILE_VIEW, REPORT_VIEW, TIMELINE_VIEW, LOG_VIEW, ROADMAP_VIEW, WIKI_VIEW, MILESTONE_VIEW and SEARCH_VIEW.
I'm using trac 0.11.
Attachments (0)
Change History (12)
comment:1 Changed 16 years ago by
comment:3 Changed 16 years ago by
Status: | new → assigned |
---|
Sorry for the delayed response to this ticket. I haven't been watching this. Did you add TSTATS_VIEW to the permissions for anonymous?
comment:4 Changed 16 years ago by
Thanks for reply.
No. I gave all the permissions that anonymous has in my ticket.
comment:5 Changed 16 years ago by
Just add
if req.perm.has_permission('TSTATS_VIEW'):
also to the beginning of the process_request method, as it is only checked for the navigation.
comment:6 Changed 16 years ago by
Sorry, but I don't know Python, so I don't know where to add this.
But in any case, the problem is important, I think. The TSTATS_VIEW permission is just here to decide whether the user, depending on his status, can see the Ticket Stats button or not. But if you enter the URL as anonymous, you are granted access.
comment:7 Changed 14 years ago by
Summary: | Everybody access to stats. → Permissions are not checked when accessing via absolute URL |
---|
If I understand correctly, the issue is that permissions are not being checked when a user accesses the page by entering a URL; rather, the permissions are only checked when a user clicks on a tab in the main navigation bar.
I also wonder why we need a specific permission to view ticket stats. It is really just presenting information available in reports in a different way, so it seems like we should just check for REPORT_VIEW permission and avoid the complication of having yet another permission.
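The gap discussed in comments 5 and 7, as an added example that is not the plugin's code or part of the ticket: a handler that checks TSTATS_VIEW only when building the navigation link, next to one that also enforces it in process_request. The Perm and Req classes are simplified stand-ins for Trac's request objects, and the /ticketstats path, template name and sample users are assumptions.

```python
class PermissionDenied(Exception):
    """Stand-in for the error raised when a required permission is missing."""

class Perm:
    """Stand-in for req.perm: the actions granted to the current user."""
    def __init__(self, actions):
        self.actions = set(actions)
    def has_permission(self, action):
        return action in self.actions
    def require(self, action):
        if action not in self.actions:
            raise PermissionDenied(action)

class Req:
    def __init__(self, user, actions, path_info):
        self.authname, self.perm, self.path_info = user, Perm(actions), path_info

class NavOnlyStats:
    """Behaviour reported in the ticket: the check guards only the nav link."""
    def get_navigation_items(self, req):
        if req.perm.has_permission('TSTATS_VIEW'):
            yield ('mainnav', 'ticketstats', 'Ticket Stats')
    def match_request(self, req):
        return req.path_info == '/ticketstats'   # assumed path
    def process_request(self, req):
        return 'ticketstats.html', {'viewer': req.authname}  # no check here

class EnforcedStats(NavOnlyStats):
    """Same handler with the permission enforced where the page is served."""
    def process_request(self, req):
        req.perm.require('TSTATS_VIEW')
        return super().process_request(req)

def dispatch(handler, req):
    """Tiny dispatcher: (status, body) for a request made by typing the URL."""
    if not handler.match_request(req):
        return 404, None
    try:
        return 200, handler.process_request(req)
    except PermissionDenied as exc:
        return 403, str(exc)

# Constructed sample users: anonymous lacks TSTATS_VIEW, alice holds it.
ANON = Req('anonymous', ['TICKET_VIEW', 'REPORT_VIEW', 'WIKI_VIEW'], '/ticketstats')
STAFF = Req('alice', ['TICKET_VIEW', 'TSTATS_VIEW'], '/ticketstats')

if __name__ == '__main__':
    for h in (NavOnlyStats(), EnforcedStats()):
        print(type(h).__name__, dispatch(h, ANON)[0], dispatch(h, STAFF)[0])
```

Hiding the link changes what anonymous sees in the navigation bar; only the check inside the request handler changes what the server returns for the URL.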
comment:8 Changed 14 years ago by
Summary: | Permissions are not checked when accessing via absolute URL → Permissions are not checked when accessing TicketStats page by entering URL |
---|
comment:9 Changed 14 years ago by
Owner: | changed from Prentice Wongvibulsin to Ryan J Ollos |
---|---|
Status: | assigned → new |
Reassigning ticket to new maintainer.
comment:10 Changed 14 years ago by
comment:11 Changed 14 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
Can someone help me, please?