Edgewall Software

Opened 4 years ago

Last modified 4 years ago

#13316 closed defect

TICKET_CHG_MILESTONE doesn't always restrict changing milestone — at Version 1

Reported by: Ryan J Ollos
Owned by: Ryan J Ollos
Priority: normal
Milestone: 1.4.3
Component: ticket system
Version:
Severity: normal
Keywords:
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Ryan J Ollos)

Noted in gmessage:trac-users:hdQ8IaZYnGc/W7wFxeNhBgAJ, a user can still change the ticket milestone when:

  1. TICKET_CHG_MILESTONE is defined in [extra-permissions].
  2. The user hasn't been granted TICKET_CHG_MILESTONE.
  3. The user has been granted MILESTONE_VIEW.

TICKET_CHG_MILESTONE was implemented in #8778.

Change History (1)

comment:1 by Ryan J Ollos, 4 years ago

Description: modified (diff)

[982144ae2/rjollos.git] is a draft of the change. Needs test coverage. We should consider adding PermissionSystem.get_actions() as a cached property of PermissionSystem.

The fix can be applied to earlier versions of Trac by replacing DefaultTicketPolicy with the modified policy.

With the change, we fall through to checking whether the user has been granted TICKET_CHG_MILESTONE when the action is defined in trac.ini:

[extra-permissions]
_perms = TICKET_CHG_MILESTONE
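
An audit sketch for the three conditions in the description, added here as an example and not part of the ticket or of Trac's code: it reads `[extra-permissions]` from trac.ini text and lists the accounts that match all three conditions. The function names, the sample trac.ini and the grant table are constructed for illustration, and the grant table is assumed to be already expanded through groups and meta-permissions.

```python
import configparser

ACTION = "TICKET_CHG_MILESTONE"

def extra_actions(ini_text):
    """Return the action names declared under [extra-permissions]."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep option names as written
    parser.read_string(ini_text)
    actions = set()
    if parser.has_section("extra-permissions"):
        for name, value in parser.items("extra-permissions"):
            # A leading underscore marks a grouping label, not a permission.
            if not name.startswith("_"):
                actions.add(name.strip().upper())
            actions.update(v.strip().upper()
                           for v in value.split(",") if v.strip())
    return actions

def affected_users(ini_text, grants):
    """Users matching all three conditions in the ticket description."""
    if ACTION not in extra_actions(ini_text):
        return []  # condition 1 not met: the action is not defined
    return sorted(user for user, perms in grants.items()
                  if ACTION not in perms and "MILESTONE_VIEW" in perms)

# Constructed sample data (hypothetical users and grants).
TRAC_INI = """
[extra-permissions]
_perms = TICKET_CHG_MILESTONE
"""
GRANTS = {
    "alice": {"TICKET_MODIFY", "MILESTONE_VIEW", "TICKET_CHG_MILESTONE"},
    "bob": {"TICKET_MODIFY", "MILESTONE_VIEW"},
    "carol": {"TICKET_MODIFY"},
}

if __name__ == "__main__":
    print(affected_users(TRAC_INI, GRANTS))
```

Accounts returned by `affected_users` are the ones whose milestone changes are worth reviewing in ticket history on an unpatched installation.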