bloodhound-trac / sample-plugins / permissions / vulnerability_tickets.py

from trac.core import *
from trac.perm import IPermissionPolicy, IPermissionRequestor

revision = "$Rev$"
url = "$URL$"

class SecurityTicketsPolicy(Component):
    """Prevent public access to security sensitive tickets.
    
    Add the VULNERABILITY_VIEW permission as a pre-requisite for any
    other permission check done on tickets that have the words
    "security" or "vulnerability" in the summary or keywords fields.

    Once this plugin is enabled, you'll have to insert it at the appropriate
    place in your list of permission policies, e.g.
    {{{
    [trac]
    permission_policies = SecurityTicketsPolicy, AuthzPolicy, 
                          DefaultPermissionPolicy, LegacyAttachmentPolicy
    }}}
    """
    
    implements(IPermissionPolicy, IPermissionRequestor)

    # IPermissionPolicy methods

    def check_permission(self, action, username, resource, perm):
        # We add the 'VULNERABILITY_VIEW' pre-requisite for any action
        # other than 'VULNERABILITY_VIEW' itself, as this would lead
        # to recursion.
        if action == 'VULNERABILITY_VIEW':
            return
        
        # Check whether we're dealing with a ticket resource
        while resource:
            if resource.realm == 'ticket':
                break
            resource = resource.parent

        if resource and resource.realm == 'ticket' and resource.id is not None:
            for keywords, summary in self.env.db_query(
                    "SELECT keywords, summary FROM ticket WHERE id=%s",
                    (resource.id,)):
                fields = ''.join(f for f in (keywords, summary) if f).lower()
                if 'security' in fields or 'vulnerability' in fields:
                    if 'VULNERABILITY_VIEW' not in perm:
                        return False

    # IPermissionRequestor methods

    def get_permission_actions(self):
        yield 'VULNERABILITY_VIEW'
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.