Edgewall Software

Opened 2 months ago

Closed 2 months ago

Last modified 2 months ago

#13210 closed defect (worksforme)

Can't re-add BROWSER_VIEW permission

Reported by: austin.france@…
Owned by:
Priority: normal
Milestone:
Component: admin/web
Version: 1.2.2
Severity: normal
Keywords: needinfo
Cc:
Branch:
Release Notes:
API Changes:

Description

I used the Admin page to remove BROWSER_VIEW permission from anonymous.

Having decided that is not what I wanted to do, I now want to add it back.

However, in Administration → Permissions → Grant Permissions, the drop-down does not include BROWSER_VIEW as an option to re-add the permission.

Attachments (2)

trac.log (26.6 KB) - added by anonymous 2 months ago.
trac-bug.png (92.4 KB) - added by austin.france@… 2 months ago. Steps to reproduce

Change History (10)

comment:1 by anonymous, 2 months ago

Summary: Can't re-add BROWSER_VIEW privileges → Can't re-add BROWSER_VIEW permission

comment:2 by anonymous, 2 months ago

I have worked around the issue using

/var/trac$ trac-admin . permission add anonymous BROWSER_VIEW

comment:3 by Ryan J Ollos, 2 months ago

Keywords: needinfo added
Priority: high → normal

The permission would only be missing if the BrowserModule was disabled (or failed to load due to an error). If the BrowserModule is disabled, the permission will be grayed-out in the permission listing.

Are you able to access the Browse Source main navigation item and view repositories?

Are any other permissions missing from the dropdown menu? See TracPermissions. Or compare the menu with the output Available actions from trac-admin $ENV permission list.

Please attach the log after setting log level to debug and restarting Trac: TracTroubleshooting#ChecktheLogs


by anonymous, 2 months ago

Attachment: trac.log added

comment:5 by austin.france@…, 2 months ago

After removing BROWSER_VIEW from anonymous in admin panel:

User                        Action
--------------------------------------------
Austin.France@************  admin
admin                       PERMISSION_ADMIN
anonymous                   CHANGESET_VIEW
anonymous                   FILE_VIEW
anonymous                   LOG_VIEW
anonymous                   MILESTONE_VIEW
anonymous                   REPORT_SQL_VIEW
anonymous                   REPORT_VIEW
anonymous                   ROADMAP_VIEW
anonymous                   SEARCH_VIEW
anonymous                   TICKET_VIEW
anonymous                   TIMELINE_VIEW
anonymous                   WIKI_VIEW
authenticated               PERMISSION_ADMIN
authenticated               TICKET_CREATE
authenticated               TICKET_MODIFY
authenticated               WIKI_CREATE
authenticated               WIKI_MODIFY


Available actions:
 BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, EMAIL_VIEW, FILE_VIEW,
 LOG_VIEW, MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE,
 MILESTONE_MODIFY, MILESTONE_VIEW, PERMISSION_ADMIN, PERMISSION_GRANT,
 PERMISSION_REVOKE, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE,
 REPORT_MODIFY, REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW,
 SEARCH_VIEW, TICKET_ADMIN, TICKET_APPEND, TICKET_BATCH_MODIFY,
 TICKET_CHGPROP, TICKET_CREATE, TICKET_EDIT_CC, TICKET_EDIT_COMMENT,
 TICKET_EDIT_DESCRIPTION, TICKET_MODIFY, TICKET_VIEW, TIMELINE_VIEW,
 TRAC_ADMIN, VERSIONCONTROL_ADMIN, WIKI_ADMIN, WIKI_CREATE, WIKI_DELETE,
 WIKI_MODIFY, WIKI_RENAME, WIKI_VIEW

by austin.france@…, 2 months ago

Attachment: trac-bug.png added

Steps to reproduce

comment:6 by Ryan J Ollos, 2 months ago

Resolution: worksforme
Status: new → closed

With PERMISSION_ADMIN, you can only grant and revoke permissions you've been granted. This is to prevent users from elevating their own permissions. In the extreme case a user could grant themselves TRAC_ADMIN. See the last paragraph of TracPermissions#GraphicalAdminTab.

It's intended that a user with PERMISSION_ADMIN should not modify their own permissions, rather just manage the permissions of other users.

comment:7 by Ryan J Ollos, 2 months ago

See also #13209. The behavior was recently discussed on the mailing list, with a reference to the topic in that issue.

comment:8 by anonymous, 2 months ago

Ok, but doesn't PERMISSION_ADMIN include BROWSER_VIEW permission?

Admin can certainly browse, even when BROWSER_VIEW is removed from anonymous.

I am not trying to modify my own permissions, but, as admin, that of the anonymous user.

comment:9 by Ryan J Ollos, 2 months ago

TRAC_ADMIN grants BROWSER_VIEW. TRAC_ADMIN is a meta-permission that grants all other permissions.

PERMISSION_ADMIN grants only PERMISSION_GRANT and PERMISSION_REVOKE.

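Added example, not part of the ticket and not Trac's own code: a simplified Python model of the rule described in comments 6 and 9, run against the permission rows posted in comment 5. The names `effective` and `grantable` are hypothetical, and "reporter" is a placeholder for the masked account name.

```python
"""Simplified model of the grant rule from comments 6 and 9 (not Trac's code)."""

# 'trac-admin permission list' rows from comment 5; lowercase actions are groups.
# "reporter" is a placeholder for the masked account name.
ROWS = [
    ("reporter", "admin"), ("admin", "PERMISSION_ADMIN"),
    ("authenticated", "PERMISSION_ADMIN"), ("authenticated", "TICKET_CREATE"),
    ("authenticated", "TICKET_MODIFY"), ("authenticated", "WIKI_CREATE"),
    ("authenticated", "WIKI_MODIFY"),
] + [("anonymous", a) for a in (
    "CHANGESET_VIEW FILE_VIEW LOG_VIEW MILESTONE_VIEW REPORT_SQL_VIEW "
    "REPORT_VIEW ROADMAP_VIEW SEARCH_VIEW TICKET_VIEW TIMELINE_VIEW WIKI_VIEW"
).split()]

# Part of the "Available actions" list from comment 5, enough for this model.
AVAILABLE = {a for _, a in ROWS if a.isupper()} | {
    "BROWSER_VIEW", "PERMISSION_GRANT", "PERMISSION_REVOKE", "TRAC_ADMIN"}


def effective(user, rows, logged_in=True):
    """Expand group memberships and the two meta-permissions from comment 9."""
    subjects = {user, "anonymous"} | ({"authenticated"} if logged_in else set())
    perms = set()
    changed = True
    while changed:  # repeat until no new group or action is picked up
        changed = False
        for subj, action in rows:
            if subj in subjects:
                target = perms if action.isupper() else subjects
                if action not in target:
                    target.add(action)
                    changed = True
    if "PERMISSION_ADMIN" in perms:  # grants only these two (comment 9)
        perms |= {"PERMISSION_GRANT", "PERMISSION_REVOKE"}
    if "TRAC_ADMIN" in perms:        # meta-permission: grants everything
        perms |= AVAILABLE
    return perms


def grantable(user, rows):
    """Actions offered for granting: user needs PERMISSION_GRANT and must hold each."""
    held = effective(user, rows)
    return held & AVAILABLE if "PERMISSION_GRANT" in held else set()
```

With the rows from comment 5, `grantable("reporter", ROWS)` omits BROWSER_VIEW because no subject the reporter inherits from still holds it. The same rows show PERMISSION_ADMIN assigned to `authenticated`, so every logged-in user gets the same grantable set.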
