Greetings. I am currently trying to implement a variant of PrivateCommentPlugin at https://trac-hacks.org/wiki/PrivateCommentPlugin for an internal trac. Essentially, I need to add a checkbox to the form for adding or editing a comment, and then save a tuple (ticket_id, comment_number, checkbox_status) in a new table in the database when the ticket is created/edited. The content of this checkbox is later used to control the visibility of the ticket and comments.
Now, you are probably thinking, "this is exactly what PrivateCommentPlugin does, what's the problem?". The point is that I think that the approach taken in PrivateCommentPlugin does not work at all. Essentially, a checkbox is injected into the form, and then an IRequestFilter (https://trac-hacks.org/browser/privatecommentplugin/0.12/privatecomments/privatecomments.py#L53) checks its value and updates the database. The issue is that this is a request preprocessor, so the checkbox status is updated before validating the ticket change. If the request is later found invalid (for instance, because of invalid permissions), no change should be made to the database. Instead, if I understand correctly, PrivateCommentPlugin does not check for this. It looks like there is a potential security issue: by forging a number of invalid requests one can alter the visibility of existing and new comments.

Is there an alternative? From what I understand, ITicketChangeListener does not work for me because `req` is not a parameter, so I do not have access to the checkbox status (this has been discussed in http://thread.gmane.org/gmane.comp.version-control.subversion.trac.general/33193 and http://thread.gmane.org/gmane.comp.version-control.subversion.trac.devel/7566), and ITicketManipulator doesn't work either because, again, the hook is called during validation, not after.

Am I misunderstanding something? Any suggestion on how to accomplish what I am looking for? Thanks!
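The ordering problem described in the post, as an added illustration that is not part of the original message and is not Trac or PrivateCommentPlugin code: a toy request pipeline in which a pre-filter persists the checkbox state before the ticket change is validated, next to a variant that remembers the requested state and writes it only once the change is known to be committed. The `Request`, `TicketStore`, the author-only edit policy and the user names are all constructed for the example; in real Trac the post-filter would need an equivalent signal that the ticket change was actually saved.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for a POST to /ticket/<id> (constructed)."""
    user: str
    args: dict


@dataclass
class TicketStore:
    """Toy ticket database: comments, their privacy flags, next comment number."""
    comments: dict = field(default_factory=dict)   # (ticket_id, cnum) -> (author, text)
    private: dict = field(default_factory=dict)    # (ticket_id, cnum) -> bool
    next_cnum: dict = field(default_factory=dict)  # ticket_id -> next free cnum
    last_committed: object = None                  # (ticket_id, cnum, user) of last save

    def target_cnum(self, ticket_id, req):
        # An edit names an existing comment; a new comment takes the next number.
        if "cnum" in req.args:
            return int(req.args["cnum"])
        return self.next_cnum.get(ticket_id, 1)

    def authorised(self, req, ticket_id, cnum):
        # Constructed policy: anyone may append, only the author may edit.
        existing = self.comments.get((ticket_id, cnum))
        return existing is None or existing[0] == req.user

    def apply_change(self, req, ticket_id, cnum):
        self.comments[(ticket_id, cnum)] = (req.user, req.args["comment"])
        self.next_cnum[ticket_id] = max(self.next_cnum.get(ticket_id, 1), cnum + 1)
        self.last_committed = (ticket_id, cnum, req.user)


def unsafe_pipeline(store, req):
    """Pre-filter style: the flag is written before the change is validated."""
    ticket_id = int(req.args["ticket"])
    cnum = store.target_cnum(ticket_id, req)
    # Side effect first, whatever validation decides afterwards.
    store.private[(ticket_id, cnum)] = "private" in req.args
    if not store.authorised(req, ticket_id, cnum):
        return False          # rejected, but the write above is not undone
    store.apply_change(req, ticket_id, cnum)
    return True


def safe_pipeline(store, req):
    """Same request; the flag follows the change only once it is committed."""
    ticket_id = int(req.args["ticket"])
    cnum = store.target_cnum(ticket_id, req)
    wanted = "private" in req.args          # remembered, not yet persisted
    if not store.authorised(req, ticket_id, cnum):
        return False                        # nothing in the store was touched
    store.apply_change(req, ticket_id, cnum)
    # Post-processing: persist only if the store reports this exact change saved.
    if store.last_committed == (ticket_id, cnum, req.user):
        store.private[(ticket_id, cnum)] = wanted
    return True


def demo(pipeline):
    """Replay the scenario from the post: a legitimate private comment, then an
    unauthorised edit of it with the checkbox cleared. Returns the accept/reject
    results and the final privacy flags."""
    store = TicketStore()
    own = Request("alice", {"ticket": "1", "comment": "internal note", "private": "on"})
    forged = Request("mallory", {"ticket": "1", "cnum": "1", "comment": "internal note"})
    results = (pipeline(store, own), pipeline(store, forged))
    return results, dict(store.private)


if __name__ == "__main__":
    print("unsafe:", demo(unsafe_pipeline))   # rejected edit still flips the flag
    print("safe:  ", demo(safe_pipeline))     # rejected edit leaves it alone
```

With the unsafe ordering the second request is rejected yet the comment is now public; with the safe ordering the rejected request leaves no trace, which is the property the post is asking for.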
