Edgewall Software
Opened 11 years ago

Closed 11 years ago

Last modified 10 years ago

#11079 closed defect (worksforme)

Permission issue with TICKET_MODIFY

Reported by: anonymous
Owned by:
Priority: normal
Milestone:
Component: general
Version: 1.0.1
Severity: normal
Keywords:
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description

Hi, guys.

Package     Version
Trac        1.0.1
Docutils    0.10
Genshi      0.6 (with speedups)
mod_wsgi    3.3
MySQL       server: "5.1.66-0+squeeze1-log", client: "5.1.66", thread-safe: 1
MySQLdb     1.2.2
Pygments    1.6
Python      2.6.6 (r266:84292, Dec 26 2010, 22:48:11) [GCC 4.4.5]
RPC         1.1.2-r12546
setuptools  0.6
jQuery      1.8.3

We have an authenticated group with these permissions:

  • TICKET_APPEND
  • TICKET_CREATE
  • TICKET_EDIT_CC
  • VOTE_MODIFY
  • VOTE_VIEW

Yet the user who created the ticket can close and reopen it. Is this a configuration issue or a bug or a feature?

Thanks in advance!

Change History (1)

comment:1 by Ryan J Ollos <ryan.j.ollos@…>, 11 years ago

Resolution: worksforme
Status: new → closed

These questions are more appropriate for the MailingList. However, I tested with Trac 1.0.1 just to be sure, and an authenticated user will not be able to perform a workflow action if the authenticated user has only the TICKET_* permissions that you list. In fact, the authenticated user can't even view the ticket unless you also grant TICKET_VIEW (otherwise you will see "The ticket #X has been created, but you don't have permission to view it.").

With TICKET_VIEW also granted, we have:

(t11079)user@debian-wheezy:~/Workspace/t11079$ trac-admin tracdev permission list authenticated

User           Action        
-----------------------------
authenticated  TICKET_APPEND 
authenticated  TICKET_CREATE 
authenticated  TICKET_EDIT_CC
authenticated  TICKET_VIEW   

(t11079)user@debian-wheezy:~/Workspace/t11079$ trac-admin tracdev permission list anonymous

User  Action
------------

Here are some possibilities for the issue you are experiencing:

  • anonymous has TICKET_MODIFY or higher permission.
  • You have TracFineGrainedPermissions policies in place.
  • You are running a plugin that modifies the permission policies.

If you direct your question to the MailingList you will have a bigger audience and more help in solving your issue.
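
The checks suggested in the comment above can be scripted. The following is an added example, not part of the original ticket or of Trac itself: it parses `trac-admin <env> permission list` output and the `[trac] permission_policies` option of trac.ini. The sample inputs are constructed, the function names are hypothetical, and the stock policy chain is an assumption for an unmodified Trac 1.0.x.

```python
import configparser
import re

# "TICKET_MODIFY or higher": Trac actions that include TICKET_MODIFY.
MODIFY_OR_HIGHER = {"TICKET_MODIFY", "TICKET_ADMIN", "TRAC_ADMIN"}
# Assumption: the [trac] permission_policies chain of an unmodified Trac 1.0.x.
STOCK_POLICIES = ("DefaultPermissionPolicy", "LegacyAttachmentPolicy")

# Constructed sample of `trac-admin <env> permission list` output.
SAMPLE_PERMS = """\
User           Action
-----------------------------
anonymous      TICKET_MODIFY
anonymous      WIKI_VIEW
authenticated  TICKET_APPEND
authenticated  TICKET_CREATE
authenticated  TICKET_EDIT_CC
authenticated  TICKET_VIEW
"""
# Constructed trac.ini fragment; AuthzPolicy is the fine-grained permission policy.
SAMPLE_INI = "[trac]\npermission_policies = AuthzPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy\n"

def parse_permission_list(text):
    """Map each subject to its set of actions; header and rule lines are skipped."""
    perms = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s*$", line)
        if m and m.groups() != ("User", "Action"):
            perms.setdefault(m.group(1), set()).add(m.group(2))
    return perms

def modify_grants(perms, subjects=("anonymous", "authenticated")):
    """Built-in subjects that hold TICKET_MODIFY or higher (every login inherits both)."""
    hits = {s: sorted(perms.get(s, set()) & MODIFY_OR_HIGHER) for s in subjects}
    return {s: actions for s, actions in hits.items() if actions}

def extra_policies(ini_text):
    """Policies in [trac] permission_policies beyond the stock chain."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(ini_text)
    raw = cfg.get("trac", "permission_policies", fallback="")
    return [p for p in (x.strip() for x in raw.split(",")) if p and p not in STOCK_POLICIES]

if __name__ == "__main__":
    print("modify-or-higher grants:", modify_grants(parse_permission_list(SAMPLE_PERMS)))
    print("policies to review:", extra_policies(SAMPLE_INI))
```

Any policy it reports beyond the stock chain, whether AuthzPolicy or one supplied by a plugin, can grant or deny actions independently of the permission table, so it needs to be reviewed separately.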
