On Thu, Jul 16, 2015 at 12:51 PM, <[email protected]> wrote:

> Greetings.
>
> I am currently trying to implement a variant of PrivateCommentPlugin at
> https://trac-hacks.org/wiki/PrivateCommentPlugin for an internal trac.
> Essentially, I need to add a checkbox to the form for adding or editing a
> comment, and then save a tuple (ticket_id, comment_number, checkbox_status)
> in a new table in the database when the ticket is created/edited. The
> content of this checkbox is later used to control the visibility of the
> ticket and comments.
>
> Now, you are probably thinking, "this is exactly what PrivateCommentPlugin
> does, what's the problem?". The point is that I think that the approach
> taken in PrivateCommentPlugin does not work at all. Essentially, a checkbox
> is injected into the form, and then an IRequestFilter
> (https://trac-hacks.org/browser/privatecommentplugin/0.12/privatecomments/privatecomments.py#L53)
> checks its value and updates the database. The issue is that this is a
> request preprocessor, so the checkbox status is updated before validating
> the ticket change. If the request is later found invalid (for instance,
> because of invalid permissions), no change should be made to the database.
> Instead, if I understand correctly, PrivateCommentPlugin does not check for
> this. It looks like there is a potential security issue: by forging a
> number of invalid requests one can alter the visibility of existing and new
> comments.
>
> Is there an alternative? From what I understand, ITicketChangeListener
> does not work for me because `req` is not a parameter, so I do not have
> access to the checkbox status (this has been discussed in
> http://thread.gmane.org/gmane.comp.version-control.subversion.trac.general/33193
> and
> http://thread.gmane.org/gmane.comp.version-control.subversion.trac.devel/7566),
> and ITicketManipulator doesn't work either because, again, the hook is
> called during validation, not after.
>
> Am I misunderstanding something? Any suggestion on how to accomplish what
> I am looking for?
>
> Thanks!
You probably want ITicketManipulator:
http://trac.edgewall.org/wiki/TracDev/PluginDevelopment/ExtensionPoints/trac.ticket.api.ITicketManipulator

If you'd like to submit a patch for PrivateCommentsPlugin, I'll review and commit the change if suitable.

- Ryan
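The ordering problem raised in the quoted message, as an added example that is not code from this thread, from Trac, or from PrivateCommentPlugin: a pre-processor that writes the visibility flag before validation leaves a trace even when the request is refused, whereas stashing the checkbox value in ITicketManipulator.validate_ticket (which does receive req) and persisting it from ITicketChangeListener.ticket_changed (which fires only after a successful save) does not. The Request, Ticket and submit_comment dispatcher below are assumed stand-ins for Trac's classes and request flow so the model runs without Trac; the combination of the two interfaces is a suggested design, not one the thread confirms.

```python
# Added example; Request, Ticket and submit_comment are assumed stand-ins for
# Trac's request flow, not Trac's own code or the plugin's.

class Request:
    def __init__(self, args, has_append_perm):
        self.args = args                      # form fields, e.g. {"private": "1"}
        self.has_append_perm = has_append_perm

class Ticket:
    def __init__(self, ticket_id):
        self.id = ticket_id
        self.pending_private = None           # stashed in validation, read on save

class FilterStylePlugin:
    """The design the poster criticises: writes the table from a pre-processor."""
    def __init__(self, table):
        self.table = table                    # dict: (ticket_id, cnum) -> private?
    def pre_process_request(self, req, ticket, cnum):
        self.table[(ticket.id, cnum)] = req.args.get("private") == "1"

class ManipulatorStylePlugin:
    """Read the checkbox where req is available, persist only after the save."""
    def __init__(self, table):
        self.table = table
    def validate_ticket(self, req, ticket):
        ticket.pending_private = req.args.get("private") == "1"
        return []                             # no additional validation errors
    def ticket_changed(self, ticket, cnum):
        if ticket.pending_private is not None:
            self.table[(ticket.id, cnum)] = ticket.pending_private

def submit_comment(req, ticket, cnum, plugin):
    """Assumed order: request filters, then permission and validation, then save + listeners."""
    if hasattr(plugin, "pre_process_request"):
        plugin.pre_process_request(req, ticket, cnum)
    if not req.has_append_perm:
        return False                          # refused: nothing should have changed
    if hasattr(plugin, "validate_ticket") and plugin.validate_ticket(req, ticket):
        return False
    if hasattr(plugin, "ticket_changed"):
        plugin.ticket_changed(ticket, cnum)
    return True

def rejected_request_alters_table(plugin_cls):
    """True if a request refused for lack of permission still changes visibility."""
    table = {(42, 1): False}                  # constructed: one existing public comment
    req = Request({"private": "1"}, has_append_perm=False)
    accepted = submit_comment(req, Ticket(42), 1, plugin_cls(table))
    return (not accepted) and table != {(42, 1): False}
```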
