Hi, and thanks for your work on trac and PrivateCommentPlugin.

From what I understand, I cannot use ITicketManipulator because that code gets called *during* validation. It is still possible that my code gets called but the comment is not accepted because another ITicketManipulator called later rejects it. I'd be happy to submit a patch to PrivateCommentPlugin, but first I have to figure out a working approach, and I am afraid I cannot find any with the current available interfaces.

-federico

On Thursday, July 16, 2015 at 10:58:59 PM UTC+2, RjOllos wrote:
> On Thu, Jul 16, 2015 at 12:51 PM, <[email protected]> wrote:
>
>> Greetings.
>>
>> I am currently trying to implement a variant of PrivateCommentPlugin at
>> https://trac-hacks.org/wiki/PrivateCommentPlugin for an internal trac.
>> Essentially, I need to add a checkbox to the form for adding or editing a
>> comment, and then save a tuple (ticket_id, comment_number, checkbox_status)
>> in a new table in the database when the ticket is created/edited. The
>> content of this checkbox is later used to control the visibility of the
>> ticket and comments.
>>
>> Now, you are probably thinking, "this is exactly what
>> PrivateCommentPlugin does, what's the problem?". The point is that I think
>> that the approach taken in PrivateCommentPlugin does not work at all.
>> Essentially, a checkbox is injected into the form, and then an
>> IRequestFilter
>> (https://trac-hacks.org/browser/privatecommentplugin/0.12/privatecomments/privatecomments.py#L53)
>> checks its value and updates the database. The issue is that this is a
>> request preprocessor, so the checkbox status is updated before validating
>> the ticket change. If the request is later found invalid (for instance,
>> because of invalid permissions), no change should be made to the database.
>> Instead, if I understand correctly, PrivateCommentPlugin does not check for
>> this. It looks like there is a potential security issue: by forging a
>> number of invalid requests one can alter the visibility of existing and new
>> comments.
>>
>> Is there an alternative? From what I understand, ITicketChangeListener
>> does not work for me because `req` is not a parameter, so I do not have
>> access to the checkbox status (this has been discussed in
>> http://thread.gmane.org/gmane.comp.version-control.subversion.trac.general/33193
>> and
>> http://thread.gmane.org/gmane.comp.version-control.subversion.trac.devel/7566),
>> and ITicketManipulator doesn't work either because, again, the hook is
>> called during validation, not after.
>>
>> Am I misunderstanding something? Any suggestion on how to accomplish what
>> I am looking for?
>> Thanks!
>
> You probably want ITicketManipulator:
>
> http://trac.edgewall.org/wiki/TracDev/PluginDevelopment/ExtensionPoints/trac.ticket.api.ITicketManipulator
>
> If you'd like to submit a patch for PrivateCommentsPlugin, I'll review and
> commit the change if suitable.
>
> - Ryan
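
The ordering problem raised in this thread, as an added example that is not part of the original messages and is not PrivateCommentPlugin or Trac code: a toy Python model (no Trac imports, every name hypothetical) in which a pre-processing filter writes the visibility flag before validation, next to a variant that stashes the value on the ticket during validation and writes it only from a change listener. It assumes the change listener is handed the same ticket object that validation saw.

```python
# Toy model of the request flow discussed in the thread. No Trac imports;
# every name below is hypothetical.
class Ticket:
    def __init__(self, tid):
        self.id, self.pending_private = tid, None

def pipeline(req, pre_filters, manipulators, listeners):
    """pre-process -> validate (all manipulators) -> save -> notify listeners."""
    for pre in pre_filters:
        pre(req)                                 # runs before any validation
    ticket = Ticket(req["ticket"])
    for check in manipulators:
        if check(req, ticket):                   # non-empty list = rejected
            return False
    for notify in listeners:
        notify(ticket, req["comment"])           # listeners get no req
    return True

def permission_check(req, ticket):
    return [] if req["can_modify"] else ["no permission"]

def make_eager(db):
    """Flawed pattern: the pre-processing filter writes straight to the table."""
    def pre(req):
        db[(req["ticket"], req["comment"])] = req["private"]
    return [pre], [permission_check], []

def make_deferred(db):
    """Stash the checkbox during validation, commit it only after the save."""
    def stash(req, ticket):
        ticket.pending_private = req["private"]  # no database write here
        return []
    def commit(ticket, comment):
        db[(ticket.id, comment)] = ticket.pending_private
    # stash runs first, so a later manipulator can still reject the change
    return [], [stash, permission_check], [commit]

def run(make, requests):
    """Return the flag table and per-request accept/reject results."""
    db = {}
    hooks = make(db)
    accepted = [pipeline(r, *hooks) for r in requests]
    return db, accepted

# Constructed sample: an accepted private comment, then a rejected request
# that tries to mark the same comment public.
SAMPLE = [
    {"ticket": 1, "comment": 1, "private": True, "can_modify": True},
    {"ticket": 1, "comment": 1, "private": False, "can_modify": False},
]
```

With the eager hooks the rejected second request still leaves the comment marked public; with the deferred hooks the table keeps the value from the accepted change.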
