Context Navigation

Modify ↓

#13316 closed defect (fixed)

TICKET_CHG_MILESTONE doesn't restrict changing milestone

Reported by:	Ryan J Ollos	Owned by:	Ryan J Ollos
Priority:	normal	Milestone:	1.4.3
Component:	ticket system	Version:
Severity:	normal	Keywords:
Cc:		Branch:
Release Notes:	Fixed `TICKET_CHG_MILESTONE` not restricting ability to change the ticket milestone when `TICKET_CHG_MILESTONE` defined in `[extra-permissions]`.
API Changes:	Added lazily-evaluated `PermissionSystem.actions` property.
Internal Changes:

Description (last modified by Ryan J Ollos)

Noted in gmessage:trac-users:hdQ8IaZYnGc/W7wFxeNhBgAJ, a user can still change the ticket milestone when:

TICKET_CHG_MILESTONE is defined in [extra-permissions].
The user hasn't been granted TICKET_CHG_MILESTONE
The user has been granted MILESTONE_VIEW

TICKET_CHG_MILESTONE was implemented in #8778.

Attachments (0)

Change History (3)

comment:1 by Ryan J Ollos, 4 years ago

Description:	modified (diff)

[982144ae2/rjollos.git] is a draft of the change. Needs test coverage. We should consider adding PermissionSystem.get_actions() as a cached property of PermissionSystem.

The fix can be applied to earlier versions of Trac by replacing DefaultTicketPolicy with the modified policy.

With the change, we fall through to checking whether the user has been granted TICKET_CHG_MILESTONE when the action is defined in trac.ini:

[extra-permissions]
_perms = TICKET_CHG_MILESTONE

comment:2 by Ryan J Ollos, 4 years ago

Proposed changes in log:rjollos.git:t13316_ticket_change_milestone.

Last edited 4 years ago by Ryan J Ollos (previous) (diff)

comment:3 by Ryan J Ollos, 4 years ago

API Changes:	modified (diff)
Release Notes:	modified (diff)
Resolution:	→ fixed
Status:	assigned → closed
Summary:	TICKET_CHG_MILESTONE doesn't always restrict changing milestone → TICKET_CHG_MILESTONE doesn't restrict changing milestone

Committed to 1.4-stable in r17478, merged to trunk in r17479.

Modify Ticket

Change Properties

Summary:
Description:	Noted in gmessage:trac-users:hdQ8IaZYnGc/W7wFxeNhBgAJ, a user can still change the ticket milestone when: 1. `TICKET_CHG_MILESTONE` is defined in `[extra-permissions]`. 1. The user hasn't been granted `TICKET_CHG_MILESTONE` 1. The user has been granted `MILESTONE_VIEW` `TICKET_CHG_MILESTONE` was implemented in #8778. You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:	Fixed `TICKET_CHG_MILESTONE` not restricting ability to change the ticket milestone when `TICKET_CHG_MILESTONE` defined in `[extra-permissions]`.
API Changes:	Added lazily-evaluated `PermissionSystem.actions` property.
Internal Changes:

Action

leave as closed The owner will remain Ryan J Ollos.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from Ryan J Ollos to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: