Hi Ryan,

My present challenge with the latter permission policy configuration
and ReadonlySignedTickets.py is that all users but TRAC_ADMIN are unable to
comment on any ticket, irrespective of its status (new, assigned, open,
closed as closed).  In summary, it's simply not working as desired.

The debug log indicates that ReadonlySignedTickets.py has denied
TICKET_APPEND and all other permissions, except view.  However, as I
mentioned earlier, TRAC_ADMIN remains able to edit any ticket, signed or
otherwise.

What are your thoughts?

On Friday, August 1, 2014, Ryan Ollos <[email protected]> wrote:

> On Fri, Aug 1, 2014 at 10:52 AM, Jared Bownds <[email protected]> wrote:
>
>> Okay, hopefully this is the last iteration!
>>
>> Using the code below as our example, for some reason users who are not
>> TRAC_ADMIN are unable to comment or modify tickets, irrespective of
>> resolution status.
>>
>> Also, I've included my permission policy configuration below.
>>
>> *ReadonlySignedTickets.py*
>> {{{
>> from trac.core import *
>> from trac.perm import IPermissionPolicy
>> from trac.ticket.model import Ticket
>>
>> class ReadonlySignedTickets(Component):
>>     implements(IPermissionPolicy)
>>
>>     def check_permission(self, action, username, resource, perm):
>>         if resource is None or resource.realm != 'ticket' or \
>>            resource.id is None or action == 'TICKET_VIEW' or \
>>            action == 'TRAC_ADMIN' or 'TRAC_ADMIN' in perm:
>>
>>             return None
>>
>>         t = Ticket(self.env, resource.id)
>>         if t['resolution'] == 'Signed':
>>             return False
>> }}}
>>
>> *[trac]*
>> permission_policies = DefaultPermissionPolicy, ReadonlySignedTickets,
>> LegacyAttachmentPolicy (this configuration locks any user but TRAC_ADMIN
>> irrespective of resolution type)
>> OR
>> permission_policies = ReadonlySignedTickets, DefaultPermissionPolicy,
>> LegacyAttachmentPolicy (This configuration doesn't work according to the
>> desired behavior, since I believe permissions are processed in order, one
>> superseding another)
>>
>
> The latter is what you want to use. You need ReadonlySignedTickets to deny
> actions in the ticket realm other than TICKET_VIEW before
> DefaultPermissionPolicy is able to grant actions to users possessing those
> permissions.
>
> If you continue to have trouble, look in the log to figure out why users
> are being denied permission. The decision is logged at DEBUG log level, as
> we've already seen.
>
>
> Peter: do you think it would be worthwhile to add this permissions policy
> as an example in the CookBook?
> http://trac.edgewall.org/wiki/CookBook
>
>  --
> You received this message because you are subscribed to a topic in the
> Google Groups "Trac Users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/trac-users/1GNDHTObQKg/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/trac-users.
> For more options, visit https://groups.google.com/d/optout.
>


-- 

Jared Bownds
m. 916.224.2324
e. [email protected]
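
Added example, not part of the original message and not Trac's own code: a simplified model of how the permission_policies list is evaluated in order (the first policy that returns True or False decides, None passes to the next policy, and no decision means deny), giving the expected result of the two orderings discussed above for comparison against the DEBUG log. The user names, grants and tickets are constructed, and default_policy only approximates DefaultPermissionPolicy.

```python
# Simplified model of Trac's permission policy chain (assumption: not Trac code).
SIGNED = "Signed"

def default_policy(action, user, ticket, grants):
    # Approximates DefaultPermissionPolicy: grant if the user holds the
    # action (or TRAC_ADMIN), otherwise abstain so the next policy is asked.
    held = grants.get(user, set())
    return True if action in held or "TRAC_ADMIN" in held else None

def readonly_signed(action, user, ticket, grants):
    # Models the ReadonlySignedTickets policy quoted in the thread.
    if ticket is None or action in ("TICKET_VIEW", "TRAC_ADMIN"):
        return None
    if "TRAC_ADMIN" in grants.get(user, set()):
        return None
    if ticket["resolution"] == SIGNED:
        return False
    return None

def decide(chain, action, user, ticket, grants):
    # The first policy returning True or False wins; if every policy
    # abstains, the action is denied.
    for policy in chain:
        decision = policy(action, user, ticket, grants)
        if decision is not None:
            return decision
    return False

# Constructed sample data.
GRANTS = {"alice": {"TICKET_VIEW", "TICKET_APPEND"}, "root": {"TRAC_ADMIN"}}
SIGNED_TICKET = {"id": 1, "resolution": "Signed"}
OPEN_TICKET = {"id": 2, "resolution": ""}

DEFAULT_FIRST = [default_policy, readonly_signed]
READONLY_FIRST = [readonly_signed, default_policy]

def matrix(chain):
    # Decision for every (user, ticket id, action) combination.
    return {
        (user, t["id"], action): decide(chain, action, user, t, GRANTS)
        for user in GRANTS
        for t in (SIGNED_TICKET, OPEN_TICKET)
        for action in ("TICKET_VIEW", "TICKET_APPEND")
    }

if __name__ == "__main__":
    for name, chain in (("default first", DEFAULT_FIRST),
                        ("readonly first", READONLY_FIRST)):
        print(name)
        for key, allowed in sorted(matrix(chain).items()):
            print("  ", key, "allow" if allowed else "deny")
```

In this model, a non-admin who is denied TICKET_APPEND on a ticket whose resolution is not Signed is being denied by something other than the ordering itself.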
