Context Navigation

Modify ↓

#8301 closed defect (fixed)

Attachment policy implementation prevents other plugins from functioning correctly

Reported by:	Derek Konigsberg	Owned by:	Radek Bartoň
Priority:	normal	Component:	DiscussionPlugin
Severity:	major	Keywords:
Cc:		Trac Release:	0.11

Description

The ILegacyAttachmentPolicyDelegate implementation in api.py does not check the resource realm prior to doing its permission check. If this permission check fails, it has the side effect of preventing permission checks in other modules from even functioning at all. On my system, the side effect was that FullBlogPlugin was unable to display attachments for anonymous users (and disabling the DiscussionPlugin magically fixed it).

The current code is written as follows:

def check_attachment_permission(self, action, username, resource, perm):
    return perm.has_permission('DISCUSSION_ATTACH')

It should instead look something like this:

def check_attachment_permission(self, action, username, resource, perm):
    if resource.parent.realm == 'discussion':
        return perm.has_permission('DISCUSSION_ATTACH')

Attachments (0)

Change History (2)

comment:1 Changed 14 years ago by Radek Bartoň

Status:	new → assigned

Thank you for reporting. I have fixed it now but it will appear in the next commit that will bring some other functionality.

comment:2 Changed 14 years ago by Radek Bartoň

Resolution:	→ fixed
Status:	assigned → closed

Fixed in r9715.

Modify Ticket

Change Properties

Summary:
Type:	Priority:
Component:	Severity:
Keywords:	Cc:	Set your email in Preferences
Trac Release:

Action

leave as closed The owner will remain Radek Bartoň.

reopen The resolution will be deleted. Next status will be 'reopened'.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences.

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: