On Nov 15, 7:07 pm, Christian Boos <[EMAIL PROTECTED]> wrote:
>
> Great, "Committed as [6160]" ;-)
>
> -- Christian

Thanks!

Implemented it, and decided to give it a last complete spin by
checking all aspects of it, and to my surprise it rendered an attachment
despite the soundness of my implementation and despite that the user
lacks access. Some more digging, and it turns out to be a bug in Trac
as viewing actually does not check for view permissions at all - for
any module supporting attachments...

This link will render even though the user does not have WIKI_VIEW
access:

/the-project/attachment/wiki/WikiStart/testfile.txt

Here is the diff for the fix:

Index: trac/attachment.py
===================================================================
--- trac/attachment.py (revision 6160)
+++ trac/attachment.py (working copy)
@@ -611,6 +611,7 @@
return 'attachment.html', data, None
def _render_view(self, req, attachment):
+ req.perm(attachment.resource).require('ATTACHMENT_VIEW')
req.check_modified(attachment.date)
data = {'mode': 'view',
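
Review bot: The new require('ATTACHMENT_VIEW') line at the top of _render_view checks ATTACHMENT_VIEW on attachment.resource, while the case reported in the message is a user who lacks WIKI_VIEW, and nothing in this hunk shows how ATTACHMENT_VIEW is resolved against the parent page's view permission. Please confirm that the check is denied for /the-project/attachment/wiki/WikiStart/testfile.txt when the user has no WIKI_VIEW, and add a regression test for that request so the view path cannot lose the check again. Placing the check ahead of req.check_modified(attachment.date) is the right order, since authorization is then decided before any other response handling. The hunk covers _render_view only, so any other handler in trac/attachment.py that returns attachment content should be checked for the same requirement.
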
:::simon
https://www.coderesort.com