In another thread (1) we've been discussing various iterations of
SupportDeskPolicy (2).
I consider the following to be the most intuitive behavior:
* Users having TICKET_VIEW can see all tickets
* Users having TICKET_VIEW_REPORTED (and not having TICKET_VIEW) can only
see tickets they report
Previous iterations of the plugin were non-intuitive in having the
following behavior:
* Users with TICKET_VIEW can see all tickets
* Users with TICKET_VIEW and TICKET_VIEW_REPORTED can only see tickets they
report
We also need things like search filters to be present for users with
TICKET_VIEW_REPORTED. For that to happen, these "coarse-grained" checks
must return true for a user that has TICKET_VIEW_REPORTED and doesn't have
TICKET_VIEW:
'TICKET_VIEW' in req.perm
'TICKET_VIEW' in req.perm('ticket')
Therefore, I propose the following, which seems to work in the limited
testing I've done. An unintended, but likely desirable, effect of the
implementation is that a user with TICKET_VIEW and TICKET_VIEW_REPORTED can
only see tickets they reported. Effectively, having TICKET_VIEW_REPORTED
causes the check for TICKET_VIEW in DefaultPermissionPolicy to be skipped
entirely.
# -*- coding: utf-8 -*-
#
# Copyright (C) 2017 Edgewall Software
# All rights reserved.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at http://trac.edgewall.org/wiki/TracLicense.
#
# This software consists of voluntary contributions made by many
# individuals. For the exact contribution history, see the revision
# history and logs, available at http://trac.edgewall.org/log/.

from trac.core import *
from trac.perm import IPermissionPolicy, IPermissionRequestor
from trac.resource import ResourceNotFound
from trac.ticket.model import Ticket


class SupportDeskPolicy(Component):
    """Provides a permission for restricting ticket actions to the
    ticket owner.
    """

    implements(IPermissionPolicy, IPermissionRequestor)

    # IPermissionRequestor methods

    def get_permission_actions(self):
        return ['TICKET_VIEW_REPORTED']

    # IPermissionPolicy methods

    def check_permission(self, action, username, resource, perm):
        if action == 'TICKET_VIEW' and \
                'TICKET_ADMIN' not in perm:
            if 'TICKET_VIEW_REPORTED' in perm:
                # Coarse-grained check (no specific ticket): allow, so
                # that things like search filters are present.
                if resource is None or \
                        resource.realm == 'ticket' and \
                        resource.id is None:
                    return True
                # Fine-grained check: allow only the ticket's reporter.
                elif resource.realm == 'ticket' and \
                        resource.id is not None:
                    try:
                        ticket = Ticket(self.env, resource.id)
                    except ResourceNotFound:
                        pass
                    else:
                        return ticket['reporter'] == username
        # Every other case falls through and returns None.

[End of Code]
- Ryan
(1) https://groups.google.com/forum/#!topic/trac-users/sneow4NJ7lM
(2) https://trac.edgewall.org/wiki/CookBook/PermissionPolicies#SupportDeskPolicy
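
The decision table this policy produces can be checked without a Trac
environment. The following is an added example, not part of the original
post or of Trac. It assumes a simplified policy chain in which the first
policy to return a non-None decision wins; Resource, REPORTERS,
default_policy, decide, decision_table and the user names are constructed
for illustration.

```python
# Stand-alone model of the policy above; no Trac import needed.
# Resource, REPORTERS, default_policy and the user names are constructed.
from collections import namedtuple

Resource = namedtuple('Resource', 'realm id')
REPORTERS = {1: 'alice', 2: 'bob'}   # constructed ticket id -> reporter


def support_desk_policy(action, username, resource, granted):
    """Same branches as check_permission above; `granted` is a set of
    action names standing in for Trac's PermissionCache."""
    if action != 'TICKET_VIEW' or 'TICKET_ADMIN' in granted \
            or 'TICKET_VIEW_REPORTED' not in granted:
        return None                       # abstain, next policy decides
    if resource is None or \
            resource.realm == 'ticket' and resource.id is None:
        return True                       # coarse-grained check
    if resource.realm == 'ticket':
        reporter = REPORTERS.get(resource.id)
        if reporter is not None:          # missing ticket: abstain
            return reporter == username
    return None


def default_policy(action, username, resource, granted):
    """Simplified stand-in for DefaultPermissionPolicy."""
    return action in granted


def decide(action, username, resource, granted):
    """First policy that returns a non-None decision wins."""
    for policy in (support_desk_policy, default_policy):
        decision = policy(action, username, resource, granted)
        if decision is not None:
            return decision
    return False


def decision_table():
    """TICKET_VIEW for alice on: no resource, her ticket, bob's ticket."""
    own, other = Resource('ticket', 1), Resource('ticket', 2)
    grants = {'reported': {'TICKET_VIEW_REPORTED'},
              'view': {'TICKET_VIEW'},
              'both': {'TICKET_VIEW', 'TICKET_VIEW_REPORTED'},
              'admin': {'TICKET_ADMIN', 'TICKET_VIEW', 'TICKET_VIEW_REPORTED'}}
    return {name: tuple(decide('TICKET_VIEW', 'alice', r, g)
                        for r in (None, own, other))
            for name, g in grants.items()}
```

Calling decision_table() returns one row per grant set. The 'reported'
and 'both' rows are identical, which is the effect described in the post.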