Edgewall Software
Modify

Opened 5 years ago

Closed 5 years ago

#11976 closed defect (worksforme)

set_owner and permissions attributes do not grant permissions

Reported by: csalgau Owned by:
Priority: normal Milestone:
Component: ticket system Version: 1.1dev
Severity: normal Keywords: workflow
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description

Given something intuitive like

reassign.operations = set_owner
reassign.set_owner = TICKET_APPEND
reassign.permissions = TICKET_APPEND

a user is able to see the the proper user list and preview, but will actually receive

Warning: No permission to change ticket fields.

without TICKET_CHGPROP, which is not desirable in some environments. Additionally, removing reassign.set_owner will allow users to write a username, but still fail.

Also, with the new action.set_owner attribute, action.permissions feels redundant. I believe integrating action.set_owner into the legacy attribute and adding an action.restrict_user to enforce the drop-down would be a better choice (in that some environments may have very large user groups and would prefer the group/permission restrictions without the visible list) and could be done with no compatibility issues for 1.2.x. Thanks.

Attachments (0)

Change History (2)

in reply to:  description ; comment:1 by Ryan J Ollos, 5 years ago

Milestone: next-dev-1.1.x

Replying to csalgau:

Given something intuitive like

reassign.operations = set_owner
reassign.set_owner = TICKET_APPEND
reassign.permissions = TICKET_APPEND

a user is able to see the the proper user list and preview, but will actually receive

Warning: No permission to change ticket fields.

without TICKET_CHGPROP, which is not desirable in some environments. Additionally, removing reassign.set_owner will allow users to write a username, but still fail.

I created a user and granted the user only TICKET_APPEND and TICKET_VIEW permissions. All permissions have been revoked from anonymous in the environment. Using the latest revision of the trunk (r13843) and your workflow snippet, the user is able to perform the reassign action. There have been many improvements and fixes to the Trac workflow lately, so you may need to update to a newer development version.

Also, with the new action.set_owner attribute, action.permissions feels redundant. I believe integrating action.set_owner into the legacy attribute and adding an action.restrict_user to enforce the drop-down would be a better choice

The set_owner and permissions attributes have significantly different functions. reassign.set_owner = TICKET_APPEND populates the assign to list with users having the TICKET_APPEND permission. reassign.permissions = TICKET_APPEND restricts the reassign action to users having the TICKET_APPEND permission.

The set_owner attribute is not new, however it's functionality has been expanded. The attribute is documented in 1.1/TracWorkflow. In #11856 I have proposed renaming the attribute to owners.

(in that some environments may have very large user groups and would prefer the group/permission restrictions without the visible list) and could be done with no compatibility issues for 1.2.x.

I've considered adding restrict_owner to the [ticket-workflow] section, making it an action attribute that takes precedence over the [ticket] restrict_owner setting. We could then restrict the allowed users using the set_owner / owners field without having a drop-down list. We could leave this ticket open for handling that feature request.

Last edited 5 years ago by Ryan J Ollos (previous) (diff)

in reply to:  1 comment:2 by Ryan J Ollos, 5 years ago

Milestone: next-dev-1.1.x
Resolution: worksforme
Status: newclosed

Replying to rjollos:

I've considered adding restrict_owner to the [ticket-workflow] section, making it an action attribute that takes precedence over the [ticket] restrict_owner setting. We could then restrict the allowed users using the set_owner / owners field without having a drop-down list. We could leave this ticket open for handling that feature request.

This will be investigated in #11856.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The ticket will remain with no owner.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from (none) to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.