Opened 7 years ago

Closed 7 years ago

#8301 closed defect (fixed)

Attachment policy implementation prevents other plugins from functioning correctly

Reported by: Derek Konigsberg
Owned by: Radek Bartoň
Priority: normal
Component: DiscussionPlugin
Severity: major
Keywords:
Cc:
Trac Release: 0.11

Description

The ILegacyAttachmentPolicyDelegate implementation in api.py does not check the resource realm prior to doing its permission check. If this permission check fails, it has the side effect of preventing permission checks in other modules from even functioning at all. On my system, the side effect was that FullBlogPlugin was unable to display attachments for anonymous users (and disabling the DiscussionPlugin magically fixed it).

The current code is written as follows:

def check_attachment_permission(self, action, username, resource, perm):
    return perm.has_permission('DISCUSSION_ATTACH')

It should instead look something like this:

def check_attachment_permission(self, action, username, resource, perm):
    if resource.parent.realm == 'discussion':
        return perm.has_permission('DISCUSSION_ATTACH')

Attachments (0)

Change History (2)

comment:1 Changed 7 years ago by Radek Bartoň

Status: new → assigned

Thank you for reporting. I have fixed it now but it will appear in the next commit that will bring some other functionality.

comment:2 Changed 7 years ago by Radek Bartoň

Resolution: fixed
Status: assigned → closed

Fixed in r9715.
