restrict_owner lists too many users

[Norbert Unterberg <nunterberg@…>]

According to the documentation (see TracTickets), the restict_owner ini setting should add all users that have entered their name and e-mail address. Hoever, the drop-down list on the ticket page lists all users that have ever authenticated, even if they never went to the settings page.

I have entered the query used by the get_known_users function in env.py directly in SQLite (version 3.2.2), and the result is a list with all users, no matter if they entered their e-mail or not. The nested query seems to be failing.

This might look related to #2351 and #1347, but I think it is different.

[Norbert Unterberg <nunterberg@…>]

It seems that using INNER JOIN instead of LEFT JOIN does fix it.

[markus]

get_known_users' docstring reads as follows:

"""Generator that yields information about all known users, i.e. users
that have logged in to this Trac environment and possibly set their name
and email.
	
[...]
	
"""

So, this is rather a mistake in the TracTickets documentation than in the function itself.

[Norbert Unterberg <nunterberg@…>]

However, I would prefer to have the get_known_users' function and docstring corrected and not the wiki documenation, because it makes more sense (at least for us) to allow only users with e-mail addresses as ticket owners.

[markus]

Well, after looking through the source it seems like all functions that make use of get_known_users() drop all the users without a name and email set up in the session table (except ticket.api).

However, I'd prefer to leave get_known_users() untouched and ...

1) change ticket.api like this:

trac/ticket/api.py

@@ -57 +57 @@
             field['type'] = 'select'
             users = []
             for username, name, email in self.env.get_known_users(db):
-                users.append(username)
+                if name and email:
+                    users.append(username)
             field['options'] = users
             field['optional'] = True
         else:

2) enhance WebAdmin in the way that it can enumerate and delete old user information. See #1347.

[cmlenz]

Later.

[sid]

restrict_owner now only shows authenticated Trac users that have TICKET_MODIFY permission.

TracTickets still has conflicting information on the TracTickets#Assign-toasDrop-DownList section.

If the list of possible ticket owners is finite, you can change the assign-to ticket field from a text input to a drop-down list. This is done by setting the restrict_owner option of the [ticket] section in trac.ini to “true”. In that case, Trac will use the list of all users who have logged in and set their email address to populate the drop-down field.

and then:

To appear in the dropdown list, a user needs be registered with the project, i.e. a user session should exist in the database. Such an entry is automatically created in the database the first time the user submits a change in the project, for example when editing the user's details in the Settings page. Also, the user must have TICKET_MODIFY permissions.

[sid]

Oops, appears that the conflicting documentation is already being addressed in #2887.

[sid]

Proposing to close this as wontfix based on comment:8 and comment:9

[jpjoyal@…]

Discussing user need for restrict_owner and ticket assignment. In my organization we want to be able to assign ticket to any developer (trac user that does work) but we don't want anyone being able to change ticket proprieties like milestone. So using another or a new permission (or a completly different way but permission) to filter the list of possible owner seems more appropriate.

[osimons]

Replying to sid:

Proposing to close this as wontfix based on comment:8 and comment:9

Agree on closing, but suppose it will be worksforme relative to the original proposal as the feature has been much improved since the ticket was created? I have also touched up that conflicting wiki docs a little.

As for the last comment above, with Trac 0.11 there are ways to do this via plugins. The most natural would be to make a new Permission Policy plugin (TracDev/SecurityBranch) for fine-grained permissions to TICKET_MODIFY - make your own criteria for who should have permission or not. See source:trunk/sample-plugins/permissions for examples.