Opened 16 years ago

Last modified 5 years ago

#4619 new defect

the permission checked for is SENSITIVE_VIEW but viewing tickets shows a TICKET_VIEW permission error

Reported by: Jeff Hammel
Owned by:
Priority: low
Component: SensitiveTicketsPlugin
Severity: minor
Keywords: error wording
Cc: Jeff Hammel, Mitar
Trac Release: 0.11

Description

On tickets marked as Sensitive, viewing them shows the following message:

Forbidden: TICKET_VIEW privileges needed.

The permission checked for is SENSITIVE_VIEW.

Note that this is not necessarily undesirable. While no real security is provided by hiding evidence that the ticket is sensitive, neither does it hurt the functionality of the SensitiveTicketsPlugin. Since the Trac tickets are ordered, anyone seeking to know which tickets are sensitive can request them incrementally.

Change History (7)

comment:1 Changed 16 years ago by Mitar

Cc: Mitar added

I still vote for fixing this so users of my Trac will not yell at me "you removed my privileges" but will be able to understand that this is a different privilege.

comment:2 Changed 15 years ago by obs

Owner: changed from Sebastian Benthall to obs

comment:3 Changed 13 years ago by Steffen Hoffmann

Keywords: error wording added
Owner: changed from obs to Daniel Kahn Gillmor

assign to new maintainer, again

comment:4 Changed 13 years ago by Daniel Kahn Gillmor

I'm not sure how i would do this given the trac framework. I also don't particularly have a need for such a change.

However, if anyone wants to offer a patch that does this, i'll happily integrate it!

comment:5 Changed 12 years ago by anonymous

Priority: changed from low to highest
Severity: changed from trivial to blocker

Ticket creator cannot see the ticket even not reply. Ticket sender must have permission to view tickets and replied answer.

also tried to ticket_view permission sensitive_view open all the tickets which is not acceptable

comment:6 in reply to: 5 Changed 12 years ago by Daniel Kahn Gillmor

Priority: changed from highest to low
Severity: changed from blocker to minor

Hi there Anonymous -- I understand you want something to change, but please do not inflate the priority or severity of a ticket without providing justification for it. I'm pretty sure this issue is not a blocker, and it certainly isn't my highest priority as maintainer of the SensitiveTicketsPlugin.

Replying to anonymous:

> Ticket creator cannot see the ticket even not reply. Ticket sender must have permission to view tickets and replied answer.

if you would like this behavior, i advise you to set allow_reporter in the [sensitivetickets] section of conf/trac.ini, as documented in newer versions of the plugin.

However, I don't think this particular behavior has any bearing on this ticket, which is about the content of the error message shown.

> also tried to ticket_view permission sensitive_view open all the tickets which is not acceptable

Correct, those are distinct permissions.

As i said in comment:4, i don't know how to do this cleanly within the trac framework, but i'd be happy to integrate a patch that does.

comment:7 Changed 5 years ago by Ryan J Ollos

Owner: Daniel Kahn Gillmor deleted
