On Fri, Jul 18, 2014 at 8:13 AM, Sylvain Raybaud <[email protected]> wrote:
Dear Trac users community, > > I'm facing a problem with my company trac installation. I've got a trac > installation with a bunch of registered users (usernames and passwords in > /var/trac/main/digest). But whoever the author of a changeset is he is able > to close a ticket by including the appropriate command in the commit > message. Here are the steps to reproduce: > > 1) Correctly (I think) set permission checking in trac.ini: > > root@dev:~# grep commit_ticket_update_check_perms > /var/trac/main/conf/trac.ini > commit_ticket_update_check_perms = true > > 2) Clone a test repository and commit and push changes as a user who does > not appear anywhere in trac configuration (neither does the email address): > > toto@sylvain-GC:~/boost-cgi$ git clone ssh://git/boost-cgi > toto@sylvain-GC:~/boost-cgi$ git config --global user.name "Toto" > toto@sylvain-GC:~/boost-cgi$ git config --global user.email "[email protected]" > toto@sylvain-GC:~/boost-cgi$ echo "PLOUF" >> hello && git commit -a -m > "close #67" && git push > toto@sylvain-GC:~/boost-cgi$ git log -1 > commit 37bc8cda563c147ad5d3dec3b032a99d90e74566 > Author: Toto <[email protected]> > Date: Fri Jul 18 14:22:10 2014 +0200 > > close #67 > > 3) Watch #67 being closed (mail sent by Trac): > > #67: test > -----------------------+---------------------- > Reporter: sylvain | Owner: sylvain > Type: defect | Status: closed > Priority: major | Milestone: > Component: boost-cgi | Resolution: fixed > Keywords: | > -----------------------+---------------------- > Changes (by Toto <[email protected]> <[email protected]>): > > * status: reopened => closed > * resolution: => fixed > > > > A peek in source code showed me that Trac checks if the author of the > changeset ("Toto", I guess. Or maybe [email protected]? Anyway none has any > permission) has permission TICKET_MODIFY. In our installation only > "authenticated" users have TICKET_MODIFY permissions. > > > As I could not find this "bug" documented anywhere I'm very much willing > to admit I'm doing something wrong... but I'm really clueless. Any guidance > would be appreciated. > > Best regards, > > Sylvain Raybaud > > You could set log level to DEBUG and post the output that you see when pushing the changeset and closing the ticket. http://trac.edgewall.org/wiki/TracLogging Which version of Trac are you running? -- You received this message because you are subscribed to the Google Groups "Trac Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/trac-users. For more options, visit https://groups.google.com/d/optout.
