Opened 14 years ago
Closed 14 years ago
#8301 closed defect (fixed)
Attachment policy implementation prevents other plugins from functioning correctly
Reported by: | Derek Konigsberg | Owned by: | Radek Bartoň |
---|---|---|---|
Priority: | normal | Component: | DiscussionPlugin |
Severity: | major | Keywords: | |
Cc: | | Trac Release: | 0.11 |
Description
The ILegacyAttachmentPolicyDelegate implementation in api.py does not check the resource realm prior to doing its permission check. If this permission check fails, it has the side effect of preventing permission checks in other modules from even functioning at all. On my system, the side effect was that FullBlogPlugin was unable to display attachments for anonymous users (and disabling the DiscussionPlugin magically fixed it).
The current code is written as follows:
```python
def check_attachment_permission(self, action, username, resource, perm):
    return perm.has_permission('DISCUSSION_ATTACH')
```
It should instead look something like this:
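```python
def check_attachment_permission(self, action, username, resource, perm):
    # Only decide for attachments whose parent is a discussion resource;
    # for any other realm the method falls through and returns None.
    if resource.parent.realm == 'discussion':
        return perm.has_permission('DISCUSSION_ATTACH')
```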
Thank you for reporting. I have fixed it now but it will appear in the next commit that will bring some other functionality.
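The failure mode reported in the description, as an added example that is not code from DiscussionPlugin or Trac: a small model of a delegate chain in which the first answer other than `None` decides. The `Resource`, `Perm`, `BlogDelegate` and `decide` names, the `BLOG_VIEW` permission and the sample resources are assumptions constructed for illustration.

```python
from collections import namedtuple

# Constructed stand-ins for Trac's resource and permission objects.
Resource = namedtuple("Resource", "realm id parent")

class Perm:
    def __init__(self, *actions):
        self.actions = set(actions)
    def has_permission(self, action):
        return action in self.actions

class BuggyDiscussionDelegate:
    def check_attachment_permission(self, action, username, resource, perm):
        # Answers for every realm: no DISCUSSION_ATTACH means a hard False.
        return perm.has_permission('DISCUSSION_ATTACH')

class FixedDiscussionDelegate:
    def check_attachment_permission(self, action, username, resource, perm):
        if resource.parent.realm == 'discussion':
            return perm.has_permission('DISCUSSION_ATTACH')
        return None  # not a discussion attachment: no opinion

class BlogDelegate:
    # Hypothetical delegate for a 'blog' realm; BLOG_VIEW is an assumed name.
    def check_attachment_permission(self, action, username, resource, perm):
        if resource.parent.realm == 'blog':
            return perm.has_permission('BLOG_VIEW')
        return None

def decide(delegates, action, username, resource, perm):
    # Assumed dispatch rule: the first delegate that returns something
    # other than None decides; later delegates are never asked.
    for d in delegates:
        decision = d.check_attachment_permission(action, username, resource, perm)
        if decision is not None:
            return decision
    return None

def demo():
    # Constructed case: anonymous user viewing an attachment on a blog post.
    post = Resource('blog', 'first-post', None)
    attachment = Resource('attachment', 'diagram.png', post)
    anonymous = Perm('BLOG_VIEW')
    args = ('ATTACHMENT_VIEW', 'anonymous', attachment, anonymous)
    buggy = decide([BuggyDiscussionDelegate(), BlogDelegate()], *args)
    fixed = decide([FixedDiscussionDelegate(), BlogDelegate()], *args)
    return buggy, fixed  # (False, True)
```

The denial only appears when the unscoped delegate is consulted before the one that owns the realm, which is why disabling an unrelated plugin can change the outcome.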