#10277 closed defect (fixed)
Unable to open internal ticket - TRAC_ADMIN required error
| Reported by: | | Owned by: | Russ Tyndall |
|---|---|---|---|
| Priority: | high | Component: | TimingAndEstimationPlugin |
| Severity: | normal | Keywords: | |
| Cc: | | Trac Release: | 0.12 |
Description
Prerequisites
var = 1.2.8b With Permissions
plugins
most of them are disabled to minimize the TC
```
[components]
acct_mgr.* = enabled
acct_mgr.admin.accountmanageradminpage = enabled
acct_mgr.api.accountmanager = enabled
acct_mgr.db.sessionstore = enabled
acct_mgr.htfile.htpasswdstore = enabled
acct_mgr.web_ui.accountmodule = enabled
acct_mgr.web_ui.loginmodule = enabled
acct_mgr.web_ui.registrationmodule = enabled
acct_mgr.web_ui.emailverificationmodule = enabled
azcalendar.* = disabled
noanonymous.* = disabled
timingandestimationplugin.* = enabled
trac.web.auth.loginmodule = disabled
tracdownloads.api.downloadsapi = disabled
tracdownloads.consoleadmin.downloadsconsoleadmin = disabled
tracdownloads.core.downloadscore = disabled
tracdownloads.core.downloadsdownloads = disabled
tracdownloads.init.downloadsinit = disabled
tracdownloads.tags.downloadstags = disabled
tracdownloads.timeline.downloadstimeline = disabled
tracdownloads.webadmin.downloadswebadmin = disabled
tracdownloads.wiki.downloadswiki = disabled
webadmin.* = disabled
```
Steps to reproduce
- Create internal ticket
- Try to open it
Result
"TRAC_ADMIN privileges are required to perform this operation on Ticket #" error is displayed even though my account has TRAC_ADMIN permission. Other accounts that don't have the right are unable to list tickets using 'View Ticket' -> 'Active Tickets' - the same error is displayed.
Debug logs
```
2012-09-05 11:07:49,987 Trac[ticket_policy] DEBUG: Internal: action:WIKI_VIEW, user:Mariusz, resource:<Resource 'wiki'>, perm: <trac.perm.PermissionCache object at 0xa8fd5fcc>
2012-09-05 11:07:49,992 Trac[main] WARNING: HTTPForbidden: 403 Forbidden (TRAC_ADMIN privileges are required to perform this operation on Ticket #3)
2012-09-05 11:07:50,098 Trac[ticket_policy] DEBUG: Internal: action:EMAIL_VIEW, user:Mariusz, resource:None, perm: <trac.perm.PermissionCache object at 0xa8fbe964>
2012-09-05 11:07:50,306 Trac[reports_filter] DEBUG: ReportScreenFilter: self.billing_reports= set([9, 10, 11, 12, 13, 14, 15, 16, 17])
2012-09-05 11:07:50,308 Trac[blackmagic] DEBUG: IN BlackMagic
2012-09-05 11:07:50,309 Trac[blackmagic] DEBUG: Not a ticket returning
```
Attachments (0)
Change History (9)
comment:1 Changed 12 years ago by
comment:2 Changed 12 years ago by
In my previous comment I've commented out the incorrect line. It should look like:

```
69 perm_or_group = self.config.get('ticket', 'internalgroup', 'TIME_ADMIN' )
70 it = perm_or_group in groups or perm.has_permission(perm_or_group)
71 #if not it: raise PermissionError(perm_or_group, res, self.env)
72 return it
```
I'm wondering if it should be like this:
if not it: return None
comment:3 Changed 12 years ago by
I will attempt to look into this. Your fix above (AFAICT) simply removes the error if you don't have permission (thus everyone should be able to access the internal tickets). As such I don't think this is correct.
Are you using a different permissions back end or anything? I will try to repro and solve this in the next few days.
Cheers, Russ
comment:4 Changed 12 years ago by
> Are you using a different permissions back end or anything?
I'm not sure if this is what you are asking for, but see below for the permissions I have set in my config file:

```
[field settings]
fields = billable, totalhours, hours, estimatedhours, internal, paid
billable.permission = TIME_VIEW:remove
totalhours.permission = TIME_VIEW:remove,
hours.permission = TIME_VIEW:remove
estimatedhours.permission = TIME_VIEW:remove
internal.permission = TIME_VIEW:remove
paid.permission = TIME_VIEW:remove
...
[ticket]
internalgroup = TRAC_ADMIN
...
[trac]
permission_policies = InternalTicketsPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
```
Have you managed to reproduce it using this configuration? If not I may attach the whole config file.
comment:5 Changed 12 years ago by
I installed a new trac from scratch, and installed the latest version of TandE for trac12-Permissions. I tried to verify that my internal ticket permissions were configured the same as yours. After doing so I created a new ticket that was not internal and a new ticket that was internal.
Both of these tickets were viewable while I was logged in as an admin. When I removed my admin permissions I received the error (correctly as I didn't have permission). When I re-added my admin permissions I was again able to see the internal ticket.
As regards this, there must be a misconfiguration or some other difference between our environments. Please do me a favor and verify that the user you are logged in as actually has TRAC_ADMIN permissions. I just can't think of any other reason this would fail. What other permissions does that user have? Perhaps the difference is in what other permissions / groups the user is a part of?
I do agree that I cannot see the tickets in the Active Tickets report when I don't have the ability to see internal tickets. I was under the impression that I was removing them from the reports rather than preventing the reports from displaying, but perhaps something changed. Also you can always make reports that explicitly hide internal tickets so that is one solution (though probably not the best). I will look into what changed that I can no longer report / query tickets.
comment:6 Changed 12 years ago by
I apologize, I was misunderstanding the difference between check_permission and require apparently. Your suggested patch does seem correct (returning False/None rather than raising a permission error). I verified that I still couldn't access internal tickets directly and that I could now run reports and such without it causing issues. The code from the trac 11 branch is close to what was suggested, so now I am confused as to what changed to make it raise exceptions instead.
Thanks very much for the well thought out ticket and patch suggestion. Hopefully this will fix your issues, if not please feel free to reopen.
Cheers, Russ
It helps when line 71 in function check_ticket_access() is commented out, but I'm not sure if it can be fixed that way because of security reasons.
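The distinction discussed in comments 2 to 6 (raising inside a permission policy versus returning a decision) can be seen in a small model of a policy chain. This is an added example, not code from the plugin or from Trac: it assumes the Trac convention that a policy returns True to allow, False to deny and None to defer to the next policy, and the names `internal_policy`, `default_policy`, `run_report` and the sample tickets and users are constructed for illustration. It goes slightly beyond the ticket by showing all three variants side by side.

```python
class PermissionDenied(Exception):
    """Stands in for the error a policy raises in the 'raise' variant."""

INTERNAL_GROUP = "TRAC_ADMIN"  # mirrors [ticket] internalgroup from comment 4

def internal_policy(mode):
    """Build an internal-ticket policy; mode is 'raise', 'false' or 'none'."""
    def check(action, user, ticket):
        if ticket is None or not ticket["internal"]:
            return None  # not an internal ticket: defer to the next policy
        if INTERNAL_GROUP in user["perms"]:
            return True
        if mode == "raise":
            raise PermissionDenied(
                f"{INTERNAL_GROUP} required on ticket #{ticket['id']}")
        return False if mode == "false" else None
    return check

def default_policy(action, user, ticket):
    """Plain permission lookup, the last link of the chain."""
    return action in user["perms"]

def allowed(chain, action, user, ticket):
    """First policy with a non-None answer decides; no answer means deny."""
    for policy in chain:
        decision = policy(action, user, ticket)
        if decision is not None:
            return decision
    return False

def run_report(chain, user, tickets):
    """A listing that checks every row, as a ticket report would."""
    return [t["id"] for t in tickets
            if allowed(chain, "TICKET_VIEW", user, t)]

# Constructed sample data (hypothetical tickets and accounts).
TICKETS = [{"id": 1, "internal": False}, {"id": 3, "internal": True}]
ADMIN = {"name": "admin", "perms": {"TRAC_ADMIN", "TICKET_VIEW"}}
USER = {"name": "user", "perms": {"TICKET_VIEW"}}

def report_for(mode, user):
    """Run the report under one policy variant; an exception aborts it."""
    chain = [internal_policy(mode), default_policy]
    try:
        return run_report(chain, user, TICKETS)
    except PermissionDenied as exc:
        return f"403: {exc}"

if __name__ == "__main__":
    for mode in ("raise", "false", "none"):
        print(mode, report_for(mode, USER), report_for(mode, ADMIN))
```

In this model, raising aborts the whole listing for the non-admin user, returning False hides only the internal ticket, and returning None hands the decision to the next policy, which here grants access on TICKET_VIEW alone.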