On Thu, Nov 20, 2014 at 6:16 AM, Ryan Ollos <[email protected]> wrote:

>
> On Nov 20, 2014 5:49 AM, "Shawn Baker" <[email protected]> wrote:
> >
> > I recently upgraded from a Trac 0.11 server to 1.0.2.  I am seeing what
> I think is weird behavior for ticket permissions.
> >
> > I have a "new" ticket that my user submitted (user1).  Trac is setup to
> default the ticket ownership to a specific user (user2).  So user1 is the
> reporter, but and user2 is currently owner of this ticket.  However, I have
> the following ticket modification options available to user1:
> > Leave as new The owner will remain user2.
> > Accept. Next status will be 'accepted'.
> > Reassign to <user drop down>. The owner will be changed from user2 to
> the selected user. Next status will be 'new'.
> > Requires more information and assign to <user drop down>. The owner will
> be changed from user2 to the selected user. Next status will be 'needinfo'.
> > Close as <resolution drop down>. The resolution will be set. Next status
> will be 'closed'.
> >
> > These are the permissions for user1:
> > TICKET_APPEND, TICKET_CHGPROP, TICKET_CREATE, TICKET_MODIFY, TICKET_VIEW
> >
> > This is the workflow for a ticket in this status:
> > new_accepted = new,needinfo, reopened -> accepted
> > new_accepted.default = 3
> > new_accepted.name = Accept.
> > new_accepted.permissions = TICKET_MODIFY
> > new_needinfo = new -> needinfo
> > new_needinfo.default = 1
> > new_needinfo.name = Requires more information and assign
> > new_needinfo.operations = set_owner
> > new_needinfo.permissions = TICKET_MODIFY
> > new_reassign = new -> new
> > new_reassign.default = 2
> > new_reassign.name = Reassign
> > new_reassign.operations = set_owner
> > new_reassign.permissions = TICKET_MODIFY
> > leave = * -> *
> > leave.default = 4
> > leave.name = Leave
> > leave.operations = leave_status
> > closed = new,needinfo,reopened,open -> closed
> > closed.default = 0
> > closed.name = Close
> > closed.operations = set_resolution
> > closed.permissions = TICKET_MODIFY
> > closed.set_resolution = wontfix,invalid,duplicate,limitation
> >
> > So, my question, am I missing something with Trac 1.0.2 to disallow
> users from changing the status of tickets other than their own?
> >
> > Thanks for any help,
> > Shawn
>
> The behavior you are seeing looks like what I'd expect for the
> configuration you've shown. There's nothing to limit the ticket workflow
> actions to tickets for which the user is the owner. That would require a
> plugin with a custom permissions policy. Nothing has changed in that regard
> since 0.11 as far as I know.  I'll post an example shortly.
>

First a side note. Your "new_accepted" action seems to be a "dead-end". You
don't show any actions that could move your ticket out of the accepted
state. Insert [[Workflow]] into a wiki page and you can see that there are
no transitions out of the accepted state with your workflow. There also
aren't any actions to move a ticket out of the closed state, e.g. reopen.

With the permission policy I'll propose, you'll need to define additional
workflow actions that would allow someone with higher permissions to deal
with tickets that don't have an owner, or have an owner that won't do any
work on the ticket. That is, unless you've configured your system to avoid
every one of these situations. For example, you may want to also allow
someone with TICKET_ADMIN to perform all the workflow action. Just append
TICKET_ADMIN to the permissions attribute of each workflow action you want
to allow, e.g.

new_reassign.permissions = TICKET_CHANGE_STATE, TICKET_ADMIN

To implement the permissions policy:

Add RestrictTicketActionsPolicy to the permission_policies in the [trac]
section of trac.ini: permission_policies = RestrictTicketActions,
DefaultPermissionPolicy, LegacyAttachmentPolicy

If you are using finer-grained policies such as AuthzPolicy, they may need
to go before RestrictTicketActions.

Grant TICKET_CHANGE_STATE to users that should be able to change the states
of tickets that they own. This might be all authenticated users.


Copy the following into a file named restrict_actions.py in your
environment or shared plugins directory:

# -*- coding: utf-8 -*-
#
# Copyright (C) 2014 Edgewall Software
# All rights reserved.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at http://trac.edgewall.org/wiki/TracLicense.
#
# This software consists of voluntary contributions made by many
# individuals. For the exact contribution history, see the revision
# history and logs, available at http://trac.edgewall.org/log/.

from trac.core import *
from trac.perm import IPermissionPolicy, IPermissionRequestor
from trac.ticket.model import Ticket


class RestrictTicketActionsPolicy(Component):
    """Provides a permission for restricting ticket actions to the
    ticket owner.
    """

    implements(IPermissionPolicy, IPermissionRequestor)

    # IPermissionRequestor methods

    def get_permission_actions(self):
        return ['TICKET_CHANGE_STATE']

    # IPermissionPolicy methods

    def check_permission(self, action, username, resource, perm):
        if action == 'TICKET_CHANGE_STATE' \
                and resource is not None \
                and resource.realm == 'ticket' \
                and resource.id is not None:
            ticket = Ticket(self.env, resource.id)
            return ticket['owner'] == username
        return None

-- 
You received this message because you are subscribed to the Google Groups "Trac 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/trac-users.
For more options, visit https://groups.google.com/d/optout.

Reply via email to