While working on search security, I have found a problem with
multiproduct permissions. If a user has TRAC_ADMIN privileges in
global environment, but no permissions in product environment (DELETE
FROM permission where product='p1'; ), he is unable to view tickets,
wikis, ... from product p1 (TICKET_VIEW privileges are required to
perform this operation on Ticket #1.).
A fix for this is fairly simple, but I have been wondering if this
behaviour is by design.
Anze
Patch that enables TRAC_ADMIN to inherit permissions in product environments:
Index: bloodhound_multiproduct/multiproduct/perm.py
===================================================================
--- bloodhound_multiproduct/multiproduct/perm.py (revision 1463489)
+++ bloodhound_multiproduct/multiproduct/perm.py (working copy)
@@ -40,13 +40,15 @@
from multiproduct.env import ProductEnvironment
if isinstance(self.env, ProductEnvironment):
+ permsys = PermissionSystem(self.env.parent)
+ is_trac_admin =
bool(permsys.check_permission('TRAC_ADMIN', username,
+ resource, perm))
if action == 'TRAC_ADMIN':
- # Always lookup TRAC_ADMIN permission in global scope
- permsys = PermissionSystem(self.env.parent)
- return bool(permsys.check_permission(action, username,
- resource, perm))
- elif username == self.env.product.owner:
- # Product owner granted with PRODUCT_ADMIN permission ootb
+ return is_trac_admin
+
+ elif username == self.env.product.owner or is_trac_admin:
+ # Product owner and trac admins granted with
+ # PRODUCT_ADMIN permission ootb
permsys = PermissionSystem(self.env)
# FIXME: would `action != 'TRAC_ADMIN'` be enough ?
return True if action in permsys.get_actions() and \
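Review bot: The new `is_trac_admin` lookup at the top of the `isinstance(self.env, ProductEnvironment)` block runs a global `PermissionSystem(self.env.parent).check_permission(...)` on every product-scoped permission check, even for the common case where `action != 'TRAC_ADMIN'` and `username == self.env.product.owner` short-circuits the `or`; since policy evaluation can be recursive and is on the hot path for every ticket and wiki view, consider evaluating the global check lazily (keep the original global lookup inside the `if action == 'TRAC_ADMIN':` branch and only call it in the `elif` when the owner test fails). The hunk is also truncated after `return True if action in permsys.get_actions() and \`, so the fall-through for users who are neither owner nor global admin is not visible and cannot be confirmed here; and the `is_trac_admin =` assignment appears split across lines with its continuation `bool(permsys.check_permission('TRAC_ADMIN', username,` lacking the `+` prefix, which looks like mail-client wrapping and will need to be re-joined before the patch applies. Finally, the `# FIXME: would `action != 'TRAC_ADMIN'` be enough ?` comment is now reached by global admins as well as product owners, so it is worth stating in the comment that this branch intentionally widens PRODUCT_ADMIN to every TRAC_ADMIN holder.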