On Thu, Nov 20, 2014 at 6:16 AM, Ryan Ollos <[email protected]> wrote:
> > On Nov 20, 2014 5:49 AM, "Shawn Baker" <[email protected]> wrote: > > > > I recently upgraded from a Trac 0.11 server to 1.0.2. I am seeing what > I think is weird behavior for ticket permissions. > > > > I have a "new" ticket that my user submitted (user1). Trac is setup to > default the ticket ownership to a specific user (user2). So user1 is the > reporter, but and user2 is currently owner of this ticket. However, I have > the following ticket modification options available to user1: > > Leave as new The owner will remain user2. > > Accept. Next status will be 'accepted'. > > Reassign to <user drop down>. The owner will be changed from user2 to > the selected user. Next status will be 'new'. > > Requires more information and assign to <user drop down>. The owner will > be changed from user2 to the selected user. Next status will be 'needinfo'. > > Close as <resolution drop down>. The resolution will be set. Next status > will be 'closed'. > > > > These are the permissions for user1: > > TICKET_APPEND, TICKET_CHGPROP, TICKET_CREATE, TICKET_MODIFY, TICKET_VIEW > > > > This is the workflow for a ticket in this status: > > new_accepted = new,needinfo, reopened -> accepted > > new_accepted.default = 3 > > new_accepted.name = Accept. > > new_accepted.permissions = TICKET_MODIFY > > new_needinfo = new -> needinfo > > new_needinfo.default = 1 > > new_needinfo.name = Requires more information and assign > > new_needinfo.operations = set_owner > > new_needinfo.permissions = TICKET_MODIFY > > new_reassign = new -> new > > new_reassign.default = 2 > > new_reassign.name = Reassign > > new_reassign.operations = set_owner > > new_reassign.permissions = TICKET_MODIFY > > leave = * -> * > > leave.default = 4 > > leave.name = Leave > > leave.operations = leave_status > > closed = new,needinfo,reopened,open -> closed > > closed.default = 0 > > closed.name = Close > > closed.operations = set_resolution > > closed.permissions = TICKET_MODIFY > > closed.set_resolution = wontfix,invalid,duplicate,limitation > > > > So, my question, am I missing something with Trac 1.0.2 to disallow > users from changing the status of tickets other than their own? > > > > Thanks for any help, > > Shawn > > The behavior you are seeing looks like what I'd expect for the > configuration you've shown. There's nothing to limit the ticket workflow > actions to tickets for which the user is the owner. That would require a > plugin with a custom permissions policy. Nothing has changed in that regard > since 0.11 as far as I know. I'll post an example shortly. > First a side note. Your "new_accepted" action seems to be a "dead-end". You don't show any actions that could move your ticket out of the accepted state. Insert [[Workflow]] into a wiki page and you can see that there are no transitions out of the accepted state with your workflow. There also aren't any actions to move a ticket out of the closed state, e.g. reopen. With the permission policy I'll propose, you'll need to define additional workflow actions that would allow someone with higher permissions to deal with tickets that don't have an owner, or have an owner that won't do any work on the ticket. That is, unless you've configured your system to avoid every one of these situations. For example, you may want to also allow someone with TICKET_ADMIN to perform all the workflow action. Just append TICKET_ADMIN to the permissions attribute of each workflow action you want to allow, e.g. new_reassign.permissions = TICKET_CHANGE_STATE, TICKET_ADMIN To implement the permissions policy: Add RestrictTicketActionsPolicy to the permission_policies in the [trac] section of trac.ini: permission_policies = RestrictTicketActions, DefaultPermissionPolicy, LegacyAttachmentPolicy If you are using finer-grained policies such as AuthzPolicy, they may need to go before RestrictTicketActions. Grant TICKET_CHANGE_STATE to users that should be able to change the states of tickets that they own. This might be all authenticated users. Copy the following into a file named restrict_actions.py in your environment or shared plugins directory: # -*- coding: utf-8 -*- # # Copyright (C) 2014 Edgewall Software # All rights reserved. # # This software is licensed as described in the file COPYING, which # you should have received as part of this distribution. The terms # are also available at http://trac.edgewall.org/wiki/TracLicense. # # This software consists of voluntary contributions made by many # individuals. For the exact contribution history, see the revision # history and logs, available at http://trac.edgewall.org/log/. from trac.core import * from trac.perm import IPermissionPolicy, IPermissionRequestor from trac.ticket.model import Ticket class RestrictTicketActionsPolicy(Component): """Provides a permission for restricting ticket actions to the ticket owner. """ implements(IPermissionPolicy, IPermissionRequestor) # IPermissionRequestor methods def get_permission_actions(self): return ['TICKET_CHANGE_STATE'] # IPermissionPolicy methods def check_permission(self, action, username, resource, perm): if action == 'TICKET_CHANGE_STATE' \ and resource is not None \ and resource.realm == 'ticket' \ and resource.id is not None: ticket = Ticket(self.env, resource.id) return ticket['owner'] == username return None -- You received this message because you are subscribed to the Google Groups "Trac Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/trac-users. For more options, visit https://groups.google.com/d/optout.
