On Fri, Aug 1, 2014 at 10:52 AM, Jared Bownds <[email protected]>
wrote:

> Okay, hopefully this is the last iteration!
>
> Using the code below as our example, for some reason users who are not
> TRAC_ADMIN are unable to comment or modify tickets, irrespective of
> resolution status.
>
> Also, I've included my permission policy configuration below.
>
> *ReadonlySignedTickets.py*
> {{{
> from trac.core import *
> from trac.perm import IPermissionPolicy
> from trac.ticket.model import Ticket
>
> class ReadonlySignedTickets(Component):
>     implements(IPermissionPolicy)
>
>     def check_permission(self, action, username, resource, perm):
>         if resource is None or resource.realm != 'ticket' or \
>            resource.id is None or action == 'TICKET_VIEW' or \
>            action == 'TRAC_ADMIN' or 'TRAC_ADMIN' in perm:
>
>             return None
>
>         t = Ticket(self.env, resource.id)
>         if t['resolution'] == 'Signed':
>             return False
> }}}
>
> *[trac]*
> permission_policies = DefaultPermissionPolicy, ReadonlySignedTickets,
> LegacyAttachmentPolicy (this configuration locks any user but TRAC_ADMIN
> irrespective of resolution type)
> OR
> permission_policies = ReadonlySignedTickets, DefaultPermissionPolicy,
> LegacyAttachmentPolicy (This configuration doesn't work according to the
> desired behavior, since I believe permissions are processed in order, one
> superseding another)
>

The latter is what you want to use. You need ReadonlySignedTickets to deny
actions in the ticket realm other than TICKET_VIEW before
DefaultPermissionPolicy is able to grant actions to users possessing those
permissions.

If you continue to have trouble, look in the log to figure out why users are
being denied permission. The decision is logged at DEBUG log level, as
we've already seen.


Peter: do you think it would be worthwhile to add this permissions policy
as an example in the CookBook?
http://trac.edgewall.org/wiki/CookBook
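
The ordering point made in the reply above, as an added example that is not part of the original thread and is not Trac's code: a simplified model of a policy chain run in both orders. It assumes the first decision that is not None is final and that all policies abstaining means deny; the sample tickets, users and the stand-in default_policy are constructed for illustration.

```python
# Simplified model of a Trac-style permission policy chain (not Trac's code).
# Assumption: policies are consulted in the configured order and the first
# decision that is not None (True = allow, False = deny) is final.

# Constructed sample data: ticket resolutions and per-user permissions.
TICKETS = {1: 'Signed', 2: 'fixed', 3: None}
USER_PERMS = {
    'alice': {'TICKET_VIEW', 'TICKET_MODIFY'},
    'admin': {'TRAC_ADMIN', 'TICKET_VIEW', 'TICKET_MODIFY'},
}


def default_policy(action, username, ticket_id):
    """Stand-in for DefaultPermissionPolicy: grant held actions, else abstain."""
    perms = USER_PERMS.get(username, set())
    if action in perms or 'TRAC_ADMIN' in perms:
        return True
    return None


def readonly_signed(action, username, ticket_id):
    """Mirrors the posted policy: deny non-view actions on Signed tickets."""
    if ticket_id is None or action in ('TICKET_VIEW', 'TRAC_ADMIN') \
            or 'TRAC_ADMIN' in USER_PERMS.get(username, set()):
        return None  # abstain, let later policies decide
    if TICKETS.get(ticket_id) == 'Signed':
        return False
    return None


def check(policies, action, username, ticket_id):
    """Return the first non-None decision; deny when every policy abstains."""
    for policy in policies:
        decision = policy(action, username, ticket_id)
        if decision is not None:
            return decision
    return False


READONLY_FIRST = [readonly_signed, default_policy]
DEFAULT_FIRST = [default_policy, readonly_signed]

if __name__ == '__main__':
    for name, chain in (('readonly first', READONLY_FIRST),
                        ('default first', DEFAULT_FIRST)):
        for user in ('alice', 'admin'):
            for tid in sorted(TICKETS):
                ok = check(chain, 'TICKET_MODIFY', user, tid)
                print(name, user, tid, TICKETS[tid], ok)
```

In this model the deny on ticket 1 only takes effect when readonly_signed is consulted before default_policy; with the order reversed, the grant is returned first and the deny is never reached.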
