On Thu, Jul 16, 2015 at 12:51 PM, <f.pol...@gmail.com> wrote:

> Greetings.
>
> I am currently trying to implement a variant of PrivateCommentPlugin at
> https://trac-hacks.org/wiki/PrivateCommentPlugin for an internal trac.
> Essentially, I need to add a checkbox to the form for adding or editing a
> comment, and then save a tuple (ticket_id, comment_number, checkbox_status)
> in a new table in the database when the ticket is created/edited. The
> content of this checkbox is later used to control the visibility of the
> ticket and comments.
>
> Now, you are probably thinking, "this is exactly what PrivateCommentPlugin
> does, what's the problem?". The point is that I think that the approach
> taken in PrivateCommentPlugin does not work at all. Essentially, a checkbox
> is injected into the form, and then an IRequestFilter (
> https://trac-hacks.org/browser/privatecommentplugin/0.12/privatecomments/privatecomments.py#L53)
> checks its value and updates the database. The issue is that this is a
> request preprocessor, so the checkbox status is updated before validating
> the ticket change. If the request is later found invalid (for instance,
> because of invalid permissions), no change should be made to the database.
> Instead, if I understand correctly, PrivateCommentPlugin does not check for
> this. It looks like there is a potential security issue: by forging a
> number of invalid requests one can alter the visibility of existing and new
> comments.
>
> Is there an alternative? From what I understand, ITicketChangeListener
> does not work for me because `req` is not a parameter, so I do not have
> access to the checkbox status (this has been discussed in
> http://thread.gmane.org/gmane.comp.version-control.subversion.trac.general/33193
> and
> http://thread.gmane.org/gmane.comp.version-control.subversion.trac.devel/7566),
> and ITicketManipulator doesn't work either because, again, the hook is
> called during validation, not after.
>
> Am I misunderstanding something? Any suggestion on how to accomplish what
> I am looking for?
> Thanks!
>

You probably want ITicketManipulator:
http://trac.edgewall.org/wiki/TracDev/PluginDevelopment/ExtensionPoints/trac.ticket.api.ITicketManipulator

If you'd like to submit a patch for PrivateCommentsPlugin, I'll review and
commit the change if suitable.

- Ryan
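The ordering problem raised in the question, and the validate-then-persist pattern Ryan points at, as an added example that is not code from this thread, from Trac or from PrivateCommentPlugin. It is a deliberately small stand-in model of the request pipeline: `pre_process_request`, `validate_ticket` and `ticket_changed` here are simplified look-alikes with made-up signatures, the permission check is assumed to run before validation as the core does before saving, and the ticket and request are plain dicts.

```python
# Constructed model (not Trac's API) contrasting where a plugin writes to the DB.

class Forbidden(Exception):
    """Raised when the request lacks the permission needed for the change."""


class FakeDB:
    """Stand-in for the plugin's table: (ticket_id, comment_number) -> private flag."""
    def __init__(self):
        self.rows = {}


# --- Vulnerable ordering: side effect inside a request pre-processor ---------
class PreFilterPlugin:
    def __init__(self, db):
        self.db = db

    def pre_process_request(self, req):
        # Persisted before the change is authorized or validated (the pattern
        # the question criticizes in the IRequestFilter-based plugin).
        self.db.rows[(req["ticket_id"], req["cnum"])] = req["private"]


def vulnerable_submit(req, ticket, db):
    PreFilterPlugin(db).pre_process_request(req)
    if "TICKET_APPEND" not in req["perm"]:
        raise Forbidden()  # change rejected, but the row written above remains
    return "saved"


# --- Safer ordering: stash in validate_ticket, persist in ticket_changed -----
class ManipulatorPlugin:
    def __init__(self, db):
        self.db = db

    def validate_ticket(self, req, ticket):
        # Has req available: record the intent on the ticket object only.
        ticket["_private"] = req["private"]
        return []  # empty list = no validation errors

    def ticket_changed(self, ticket, cnum):
        # Runs only after the change was authorized, validated and saved.
        self.db.rows[(ticket["id"], cnum)] = ticket.pop("_private")


def safe_submit(req, ticket, db):
    plugin = ManipulatorPlugin(db)
    if "TICKET_APPEND" not in req["perm"]:
        raise Forbidden()
    if plugin.validate_ticket(req, ticket):
        raise ValueError("validation failed")
    plugin.ticket_changed(ticket, req["cnum"])  # same ticket object, post-save
    return "saved"


def run(submit, req):
    """Return the table contents after one request, whether or not it succeeded."""
    db = FakeDB()
    try:
        submit(req, {"id": req["ticket_id"]}, db)
    except Forbidden:
        pass
    return db.rows
```

With a request that lacks `TICKET_APPEND`, `run(vulnerable_submit, ...)` still leaves a row in the table while `run(safe_submit, ...)` leaves it empty.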

-- 
You received this message because you are subscribed to the Google Groups "Trac Users" group.