Opened 10 years ago
#12427 new defect
Any user must have either 'TRAC_ADMIN', 'TICKET_ADMIN', or 'TICKET_FIELD_ADMIN' to save a new ticket's ticket_fields
Reported by: | Owned by: | bphinz | |
---|---|---|---|
Priority: | high | Component: | TicketFieldsPlugin |
Severity: | critical | Keywords: | |
Cc: | gpoveda@… | Trac Release: | 1.0 |
Description
Any user must have either 'TRAC_ADMIN', 'TICKET_ADMIN', or 'TICKET_FIELD_ADMIN' to save a new ticket's ticket_fields set up by the Trac Administrator via the Ticket Types admin panel.
When the user first begins to create a new ticket, the ticket template's fields are shown fine. However, when the user selects "Create Ticket", I believe the TicketFields::filter_stream method prevents ticket_fields from being stored for the new ticket. Thus, when the newly created ticket is displayed, all of the template fields are hidden since 'ticket_fields' doesn't exist.
I believe lines 137 and 138 of web_ui.py should be removed:
```
133     def filter_stream(self, req, method, filename, stream, data):
134         if req.get_header("X-Moz") == "prefetch":
135             return stream
136         if filename == "ticket.html":
137             if not self.check_permissions(req):
138                 return stream
139             chrome = Chrome(self.env)
140             filter = Transformer('//fieldset[@id="properties"]')
141             # add a hidden div to hold the ticket_fields input
142             snippet = tag.div(style="display:none;")
143             snippet = tag.input(type="hidden", id="field-ticket_fields", name="field_ticket_fields", value=','.join(data['ticket_fields']))
144             stream = stream | filter.after(snippet)
145             if req.path_info != '/newticket':
146                 # insert the ticket field groups after the standard trac 'Change Properties' field group
147                 stream = stream | filter.after(chrome.render_template(req, 'ticket_fields_datatable.html', data, fragment=True))
```
and instead, a permissions check added at old line 145:
```
133     def filter_stream(self, req, method, filename, stream, data):
134         if req.get_header("X-Moz") == "prefetch":
135             return stream
136         if filename == "ticket.html":
137             #if not self.check_permissions(req):
138             #    return stream
139             chrome = Chrome(self.env)
140             filter = Transformer('//fieldset[@id="properties"]')
141             # add a hidden div to hold the ticket_fields input
142             snippet = tag.div(style="display:none;")
143             snippet = tag.input(type="hidden", id="field-ticket_fields", name="field_ticket_fields", value=','.join(data['ticket_fields']))
144             stream = stream | filter.after(snippet)
145             if req.path_info != '/newticket' and self.check_permissions(req):
146                 # insert the ticket field groups after the standard trac 'Change Properties' field group
147                 stream = stream | filter.after(chrome.render_template(req, 'ticket_fields_datatable.html', data, fragment=True))
```
This should then allow regular users with TICKET_CREATE permissions to create a ticket from a template created by the administrator, but still require 'TRAC_ADMIN', 'TICKET_ADMIN', or 'TICKET_FIELD_ADMIN' in order for the ticket_fields_datatable to show after the standard Trac 'Change Properties' field group.
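The two gate placements from this ticket, modelled without Trac or Genshi so the permission matrix can be checked as a regression test. This is an added example, not the plugin's code: the function names, the `perms` tuple and the `/ticket/1` path are hypothetical, and `check_permissions` is assumed to mean "holds any of the three permissions named in the ticket".

```python
# Simplified model of the filter_stream gating discussed in this ticket.
# Assumption: check_permissions() passes for any of these three permissions.
ADMIN_PERMS = {"TRAC_ADMIN", "TICKET_ADMIN", "TICKET_FIELD_ADMIN"}

HIDDEN_INPUT = "field-ticket_fields"        # hidden <input> carrying ticket_fields
DATATABLE = "ticket_fields_datatable.html"  # field group table rendered after 'Change Properties'


def check_permissions(perms):
    """Hypothetical stand-in for self.check_permissions(req)."""
    return bool(ADMIN_PERMS & set(perms))


def injected_original(filename, path_info, perms):
    """Gate placement of the current code (lines 137-138)."""
    out = []
    if filename != "ticket.html":
        return out
    if not check_permissions(perms):
        return out  # early return: the hidden input is never added
    out.append(HIDDEN_INPUT)
    if path_info != "/newticket":
        out.append(DATATABLE)
    return out


def injected_proposed(filename, path_info, perms):
    """Gate placement proposed in the ticket (check moved to line 145)."""
    out = []
    if filename != "ticket.html":
        return out
    out.append(HIDDEN_INPUT)  # always emitted on ticket.html
    if path_info != "/newticket" and check_permissions(perms):
        out.append(DATATABLE)  # datatable stays restricted
    return out


def matrix(fn):
    """Constructed cases: (perms, path) -> fragments injected into the page."""
    cases = [
        (("TICKET_CREATE",), "/newticket"),
        (("TICKET_CREATE",), "/ticket/1"),
        (("TICKET_FIELD_ADMIN",), "/newticket"),
        (("TICKET_FIELD_ADMIN",), "/ticket/1"),
    ]
    return {(p, path): fn("ticket.html", path, p) for p, path in cases}


if __name__ == "__main__":
    for name, fn in (("original", injected_original), ("proposed", injected_proposed)):
        for key, val in matrix(fn).items():
            print(name, key, val)
```

With the proposed placement the hidden input is also emitted on existing ticket pages for users without the three permissions; only the datatable remains gated.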