Edgewall Software
Modify

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#11335 closed enhancement (fixed)

Error message from trac-admin is ambiguous when permission can't be removed

Reported by: Ryan J Ollos Owned by: Ryan J Ollos
Priority: normal Milestone: 1.0.2
Component: admin/console Version: 1.0-stable
Severity: normal Keywords: permissions
Cc: Branch:
Release Notes:

Error message from trac-admin permission remove describes when a permission can't be revoked because it is granted through a meta-permission or group.

API Changes:
Internal Changes:

Description

The following was discussed this evening on IRC. Suppose I have a default Trac installation and assign an arbitrarily-chosen permission to a new user:

$ trac-admin tracdev permission add user1 WIKI_DELETE

Listing the permissions for that user, it appears they have WIKI_VIEW:

$ trac-admin ../tracdev permission list user1

User   Action                 
------------------------------
user1  BROWSER_VIEW           
user1  CHANGESET_VIEW         
user1  CONFIG_VIEW            
user1  EMAIL_VIEW             
user1  FILE_VIEW              
user1  LOG_VIEW               
user1  MILESTONE_ADMIN        
user1  MILESTONE_CREATE       
user1  MILESTONE_DELETE       
user1  MILESTONE_MODIFY       
user1  MILESTONE_VIEW         
user1  PERMISSION_ADMIN       
user1  PERMISSION_GRANT       
user1  PERMISSION_REVOKE      
user1  REPORT_ADMIN           
user1  REPORT_CREATE          
user1  REPORT_DELETE          
user1  REPORT_MODIFY          
user1  REPORT_SQL_VIEW        
user1  REPORT_VIEW            
user1  ROADMAP_ADMIN          
user1  ROADMAP_VIEW           
user1  SEARCH_VIEW            
user1  TICKET_ADMIN           
user1  TICKET_APPEND          
user1  TICKET_BATCH_MODIFY    
user1  TICKET_CHGPROP         
user1  TICKET_CREATE          
user1  TICKET_EDIT_CC         
user1  TICKET_EDIT_COMMENT    
user1  TICKET_EDIT_DESCRIPTION
user1  TICKET_MODIFY          
user1  TICKET_VIEW            
user1  TIMELINE_VIEW          
user1  TRAC_ADMIN             
user1  VERSIONCONTROL_ADMIN   
user1  WIKI_ADMIN             
user1  WIKI_CREATE            
user1  WIKI_DELETE            
user1  WIKI_MODIFY            
user1  WIKI_RENAME            
user1  WIKI_VIEW              

However, it is not possible to remove the permission:

$ trac-admin ../tracdev permission remove user1 WIKI_VIEW
Error: Cannot remove permission WIKI_VIEW for user user1.

This is because the permission is assigned to the anonymous group:

$ trac-admin ../tracdev permission list anonymous

User       Action                 
----------------------------------
anonymous  BROWSER_VIEW           
anonymous  CHANGESET_VIEW         
anonymous  CONFIG_VIEW            
anonymous  EMAIL_VIEW             
anonymous  FILE_VIEW              
anonymous  LOG_VIEW               
anonymous  MILESTONE_ADMIN        
anonymous  MILESTONE_CREATE       
anonymous  MILESTONE_DELETE       
anonymous  MILESTONE_MODIFY       
anonymous  MILESTONE_VIEW         
anonymous  PERMISSION_ADMIN       
anonymous  PERMISSION_GRANT       
anonymous  PERMISSION_REVOKE      
anonymous  REPORT_ADMIN           
anonymous  REPORT_CREATE          
anonymous  REPORT_DELETE          
anonymous  REPORT_MODIFY          
anonymous  REPORT_SQL_VIEW        
anonymous  REPORT_VIEW            
anonymous  ROADMAP_ADMIN          
anonymous  ROADMAP_VIEW           
anonymous  SEARCH_VIEW            
anonymous  TICKET_ADMIN           
anonymous  TICKET_APPEND          
anonymous  TICKET_BATCH_MODIFY    
anonymous  TICKET_CHGPROP         
anonymous  TICKET_CREATE          
anonymous  TICKET_EDIT_CC         
anonymous  TICKET_EDIT_COMMENT    
anonymous  TICKET_EDIT_DESCRIPTION
anonymous  TICKET_MODIFY          
anonymous  TICKET_VIEW            
anonymous  TIMELINE_VIEW          
anonymous  TRAC_ADMIN             
anonymous  VERSIONCONTROL_ADMIN   
anonymous  WIKI_ADMIN             
anonymous  WIKI_CREATE            
anonymous  WIKI_DELETE            
anonymous  WIKI_MODIFY            
anonymous  WIKI_RENAME            
anonymous  WIKI_VIEW              

We should at least try to provide an indication of why the permission can't be removed from the user

Attachments (0)

Change History (4)

comment:1 by Ryan J Ollos, 7 years ago

Keywords: permissions added
Milestone: next-stable-1.0.x

I proposed a simple way to provide a better error message in log:rjollos.git:t11335. It would be ideal to tell the user which meta-permissions or groups are granting the permission that the user is attempting to revoke, but that will require quite a bit more code, so I'll leave that for future work.

in reply to:  1 comment:2 by Jun Omae, 7 years ago

Replying to rjollos:

I proposed a simple way to provide a better error message in log:rjollos.git:t11335.

At least, in Japanese (maybe also Chinese), sentences are not concatenated with spaces. I would like to be the following while it might be verbose.

  • trac/perm.py

    diff --git a/trac/perm.py b/trac/perm.py
    index 3687abf..cb09f87 100644
    a b class PermissionAdmin(Component):  
    685685                    permsys.revoke_permission(u, a)
    686686                    found = True
    687687            if not found:
    688                 msg = _("Cannot remove permission %(action)s for user %(user)s.",
    689                         action=action, user=user)
    690688                if user in self.get_user_list() and \
    691689                        action in permsys.get_user_permissions(user):
    692                     raise AdminCommandError(msg + " " +
    693                         _("The permission %(action)s is granted through "
    694                           "a meta-permission or group.", action=action)
    695                     )
    696                 raise AdminCommandError(msg)
     690                    msg = _("Cannot remove permission %(action)s for user "
     691                            "%(user)s. The permission %(action)s is granted "
     692                            "through a meta-permission or group.",
     693                            action=action, user=user)
     694                else:
     695                    msg = _("Cannot remove permission %(action)s for user "
     696                            "%(user)s.", action=action, user=user)
     697            raise AdminCommandError(msg)
    697698
    698699    def _do_export(self, filename=None):
    699700        try:

comment:3 by Ryan J Ollos, 7 years ago

Milestone: next-stable-1.0.x1.0.2
Release Notes: modified (diff)
Resolution: fixed
Status: newclosed
Version: 1.0-stable

Thanks, I had doubts about the space but forgot to ask about it. Committed to 1.0-stable in [12229] and merged to trunk in [12230].

comment:4 by Jun Omae, 7 years ago

Owner: set to Ryan J Ollos

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Ryan J Ollos.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Ryan J Ollos to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.