id,summary,reporter,owner,description,type,status,priority,component,severity,resolution,keywords,cc,release 9952,Remove permissions checking from _get_boxes in prefs.py,Ryan J Ollos,,"Some background on how I arrived at opening this ticket: I'm using PrivateTicketsPlugin on my Trac instance to grant ticket viewing permissions to a subset of my users. I'd like those users to be part of a joinable group, which I'd subscribe them to at the time I create their accounts. On attempting to setup this up this evening, I ran into the issue that the ''Group Subscription'' panel was not viewable by the users that lacked `TICKET_VIEW` permission. To grant them permission, I had to make some local modifications to the source code. In the course of making those modifications, I ran into what seems to be an inconsistency in how the source code is organized. There seems to be an inconsistency in how permissions checking is done in the source code. Permissions checking is done in `subscribers.py`, for example: {{{ #!python def get_announcement_preference_boxes(self, req): if req.perm.has_permission('WIKI_VIEW'): yield ""general_wiki"", _(""General Wiki Announcements"") }}} Therefore, I expected permissions checking for the ''Group Subscription'' panel to also be done in `subscribers.py`, but it is not: {{{ #!python def get_announcement_preference_boxes(self, req): if req.authname == ""anonymous"" and 'email' not in req.session: return if self.joinable_groups: yield ""joinable_groups"", _(""Group Subscriptions"") }}} What I found is that additional permissions checking is done in `prefs.py`: {{{ #!python def _get_boxes(self, req): for pr in self.preference_boxes: boxes = pr.get_announcement_preference_boxes(req) boxdata = {} if boxes: for boxname, boxlabel in boxes: if boxname == 'general_wiki' and not req.perm.has_permission('WIKI_VIEW'): continue if (boxname == 'legacy' or boxname == 'joinable_groups') and not req.perm.has_permission('TICKET_VIEW'): continue yield ((boxname, boxlabel) + pr.render_announcement_preference_box(req, boxname)) }}} It looks like the following permissions check is redundant with a permissions check in `subscribers.py`: {{{ #!python if boxname == 'general_wiki' and not req.perm.has_permission('WIKI_VIEW'): continue }}} and for consistency this permissions check should be moved into `subscribers.py`: {{{ #!python if (boxname == 'legacy' or boxname == 'joinable_groups') and not req.perm.has_permission('TICKET_VIEW'): continue }}} Therefore, I'd recommend deleting the former and making the change suggested in the latter. I was hoping to get some feedback to see if I'm overlooking something before generating a patch.",task,closed,normal,AnnouncerPlugin,normal,wontfix,,Robert Corsaro Steffen Hoffmann,0.12