Opened 5 years ago

Last modified 3 hours ago

#9952 new task

Remove permissions checking from _get_boxes in

Reported by: rjollos Owned by:
Priority: normal Component: AnnouncerPlugin
Severity: normal Keywords:
Cc: doki_pen, hasienda Trac Release: 0.12


Some background on how I arrived at opening this ticket: I'm using PrivateTicketsPlugin on my Trac instance to grant ticket viewing permissions to a subset of my users. I'd like those users to be part of a joinable group, which I'd subscribe them to at the time I create their accounts. On attempting to setup this up this evening, I ran into the issue that the Group Subscription panel was not viewable by the users that lacked TICKET_VIEW permission. To grant them permission, I had to make some local modifications to the source code. In the course of making those modifications, I ran into what seems to be an inconsistency in how the source code is organized.

There seems to be an inconsistency in how permissions checking is done in the source code. Permissions checking is done in, for example:

def get_announcement_preference_boxes(self, req):
    if req.perm.has_permission('WIKI_VIEW'):
        yield "general_wiki", _("General Wiki Announcements")

Therefore, I expected permissions checking for the Group Subscription panel to also be done in, but it is not:

def get_announcement_preference_boxes(self, req):
    if req.authname == "anonymous" and 'email' not in req.session:
    if self.joinable_groups:
        yield "joinable_groups", _("Group Subscriptions")

What I found is that additional permissions checking is done in

def _get_boxes(self, req):
    for pr in self.preference_boxes:
        boxes = pr.get_announcement_preference_boxes(req)
        boxdata = {}
        if boxes:
            for boxname, boxlabel in boxes:
                if boxname == 'general_wiki' and not req.perm.has_permission('WIKI_VIEW'):
                if (boxname == 'legacy' or boxname == 'joinable_groups') and not req.perm.has_permission('TICKET_VIEW'):
                yield ((boxname, boxlabel) +
                    pr.render_announcement_preference_box(req, boxname))

It looks like the following permissions check is redundant with a permissions check in

if boxname == 'general_wiki' and not req.perm.has_permission('WIKI_VIEW'):

and for consistency this permissions check should be moved into

if (boxname == 'legacy' or boxname == 'joinable_groups') and not req.perm.has_permission('TICKET_VIEW'):

Therefore, I'd recommend deleting the former and making the change suggested in the latter. I was hoping to get some feedback to see if I'm overlooking something before generating a patch.

Attachments (0)

Change History (3)

comment:1 Changed 4 years ago by rjollos

  • Cc hasienda added
  • Owner changed from hasienda to rjollos
  • Status changed from new to assigned

comment:2 Changed 3 years ago by rjollos

  • Status changed from assigned to new

comment:3 Changed 3 hours ago by rjollos

  • Owner rjollos deleted

Add Comment

Modify Ticket

as new The ticket will remain with no owner.

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.