On 9/28/12, Steffen Hoffmann <[email protected]> wrote:
> On 28.09.2012 23:11, Olemis Lang wrote:
>> with all respect ... afaics I'd not use this because it seems to me
>> that they do not respect Trac permissions and other access control
>> mechanisms. Saved reports are the way to go because they are under
>> the umbrella of some permission checks afaicr REPORT_CREATE,
>> REPORT_SQL_EDIT. Hence only privileged users decide what will be
>> reports contents and what not.
>
> You're right, I've just checked that now.
>
> For Trac db tables you have a point. In general ReportModule is an
> interesting, valid approach.
>
> [...]
> Note that we have
> trac.wiki.api.IWikiPageManipulator - Allows plugins to validate wiki
> pages prior to that they get stored in the database.
>
> So we could reject a wiki page with an embedded SQL macro done by the
> "wrong" person.
>

Note that the scope of WikiMacros spans beyond wiki pages themselves as
they will be expanded anywhere WikiFormatting is supported (e.g. many
places in tickets, roadmap, repository log messages ... everywhere!).
Limiting these concerns to a particular validation entry point leads to
a partial solution to the problem requiring many other patches to cover
other holes. IMO a more generic solution is needed. ReportModule should
be fine most of the time.

--
Regards,

Olemis.

Blog ES: http://simelo-es.blogspot.com/
Blog EN: http://simelo-en.blogspot.com/
