Opened 13 years ago

Closed 12 years ago

#6771 closed defect (fixed)

Plugin uses "assert" to check perms, which could go away with -O

Reported by: Joshua Kugler Owned by: Ryan J Ollos
Priority: highest Component: TicketChangePlugin
Severity: critical Keywords:
Cc: Trac Release: 0.11


On line 55 of (current svn), it says:

assert req.perm.has_permission('TICKET_ADMIN')

According to the Python docs, if a module is compiled with -O (or -OO), assert statements are discarded. See

Thus, if TicketChangePlugin is compiled with -O, there will be no permissions check in process_request(). While the buttons will not be displayed unless the TICKET_ADMIN permission exists, someone could do a direct post to the URL for editing the ticket.

Attachments (0)

Change History (2)

comment:1 Changed 12 years ago by Ryan J Ollos

Owner: changed from Sergei Luchko to Ryan J Ollos
Status: newassigned

Yes, this is an incorrect use of the Trac API.

comment:2 Changed 12 years ago by Ryan J Ollos

Resolution: fixed
Status: assignedclosed

(In [9653]) Fixed incorrect use of Trac API in enforcement of permissions. Fixes #6771.

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain Ryan J Ollos.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.