Opened 10 years ago
Closed 9 years ago
#11976 closed defect (worksforme)
set_owner and permissions attributes do not grant permissions
| Reported by: | csalgau | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | ticket system | Version: | 1.1dev |
| Severity: | normal | Keywords: | workflow |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
Given something intuitive like

```ini
reassign.operations = set_owner
reassign.set_owner = TICKET_APPEND
reassign.permissions = TICKET_APPEND
```

a user is able to see the proper user list and preview, but will actually receive

Warning: No permission to change ticket fields.

without `TICKET_CHGPROP`, which is not desirable in some environments.

Additionally, removing `reassign.set_owner` will allow users to write a username, but still fail.

Also, with the new `action.set_owner` attribute, `action.permissions` feels redundant. I believe integrating `action.set_owner` into the legacy attribute and adding an `action.restrict_user` to enforce the drop-down would be a better choice (in that some environments may have very large user groups and would prefer the group/permission restrictions without the visible list) and could be done with no compatibility issues for 1.2.x.
Thanks.
Attachments (0)
Change History (2)
follow-up: 2 comment:1 by , 10 years ago
| Milestone: | → next-dev-1.1.x |
|---|---|
comment:2 by , 9 years ago
| Milestone: | next-dev-1.1.x |
|---|---|
| Resolution: | → worksforme |
| Status: | new → closed |
Replying to rjollos:

> I've considered adding `restrict_owner` to the `[ticket-workflow]` section, making it an action attribute that takes precedence over the `[ticket] restrict_owner` setting. We could then restrict the allowed users using the `set_owner`/`owners` field without having a drop-down list. We could leave this ticket open for handling that feature request.

This will be investigated in #11856.
Replying to csalgau:

I created a user and granted the user only `TICKET_APPEND` and `TICKET_VIEW` permissions. All permissions have been revoked from anonymous in the environment. Using the latest revision of the trunk (r13843) and your workflow snippet, the user is able to perform the reassign action. There have been many improvements and fixes to the Trac workflow lately, so you may need to update to a newer development version.

The `set_owner` and `permissions` attributes have significantly different functions.

`reassign.set_owner = TICKET_APPEND` populates the assign to list with users having the `TICKET_APPEND` permission.

`reassign.permissions = TICKET_APPEND` restricts the reassign action to users having the `TICKET_APPEND` permission.

The `set_owner` attribute is not new, however its functionality has been expanded. The attribute is documented in 1.1/TracWorkflow. In #11856 I have proposed renaming the attribute to `owners`.

I've considered adding `restrict_owner` to the `[ticket-workflow]` section, making it an action attribute that takes precedence over the `[ticket] restrict_owner` setting. We could then restrict the allowed users using the `set_owner`/`owners` field without having a drop-down list. We could leave this ticket open for handling that feature request.
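
The distinction drawn in the reply above between `permissions` (who may run the action) and `set_owner` (who is offered as the new owner), modelled as an added example that is not Trac's code and not part of the ticket. The user names, grants and helper functions are constructed; treating each attribute as a comma-separated list where any one permission suffices, and a missing `set_owner` as free-text entry, are assumptions of this model.

```python
import configparser

# The three workflow lines from the ticket description (section header added).
WORKFLOW_INI = """
[ticket-workflow]
reassign.operations = set_owner
reassign.set_owner = TICKET_APPEND
reassign.permissions = TICKET_APPEND
"""

# Constructed users and grants (hypothetical, for illustration only).
GRANTS = {
    "alice": {"TICKET_VIEW", "TICKET_APPEND"},
    "bob": {"TICKET_VIEW"},
    "carol": {"TICKET_VIEW", "TICKET_APPEND", "TICKET_CHGPROP"},
}

def load_action(ini_text, action):
    """Return the attributes of one workflow action as lists of values."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    prefix = action + "."
    return {
        key[len(prefix):]: [v.strip() for v in value.split(",") if v.strip()]
        for key, value in cp["ticket-workflow"].items()
        if key.startswith(prefix)
    }

def may_perform(user, attrs, grants):
    """`permissions` gates the action: assumed any one listed permission suffices."""
    required = attrs.get("permissions", [])
    return not required or any(p in grants.get(user, set()) for p in required)

def owner_choices(attrs, grants):
    """`set_owner` fills the assign-to list; None models free-text entry."""
    if "set_owner" not in attrs:
        return None
    wanted = attrs["set_owner"]
    return sorted(u for u, perms in grants.items() if any(p in perms for p in wanted))

if __name__ == "__main__":
    attrs = load_action(WORKFLOW_INI, "reassign")
    for user in sorted(GRANTS):
        print(user, "may reassign:", may_perform(user, attrs, GRANTS))
    print("assign-to list:", owner_choices(attrs, GRANTS))
```

In this model a user holding only `TICKET_VIEW` and `TICKET_APPEND` passes the action gate without `TICKET_CHGPROP`, which matches the behaviour reported for r13843 in the reply.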