Opened 19 years ago
Closed 17 years ago
#2357 closed defect (worksforme)
restrict_owner lists too many users
| Reported by: | Owned by: | Jonas Borgström | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | ticket system | Version: | 0.9 |
| Severity: | normal | Keywords: | documentation |
| Cc: | nunterberg@… | Branch: | |
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
According to the documentation (see TracTickets), the restict_owner ini setting should add all users that have entered their name and e-mail address. Hoever, the drop-down list on the ticket page lists all users that have ever authenticated, even if they never went to the settings page.
I have entered the query used by the get_known_users function in env.py directly in SQLite (version 3.2.2), and the result is a list with all users, no matter if they entered their e-mail or not. The nested query seems to be failing.
This might look related to #2351 and #1347, but I think it is different.
Attachments (0)
Change History (12)
comment:1 by , 19 years ago
comment:2 by , 19 years ago
| Cc: | added |
|---|
comment:3 by , 19 years ago
get_known_users' docstring reads as follows:
"""Generator that yields information about all known users, i.e. users that have logged in to this Trac environment and possibly set their name and email. [...] """
So, this is rather a mistake in the TracTickets documentation than in the function itself.
comment:4 by , 19 years ago
However, I would prefer to have the get_known_users' function and docstring corrected and not the wiki documenation, because it makes more sense (at least for us) to allow only users with e-mail addresses as ticket owners.
comment:5 by , 19 years ago
Well, after looking through the source it seems like all functions that make use of get_known_users() drop all the users without a name and email set up in the session table (except ticket.api).
However, I'd prefer to leave get_known_users() untouched and …
1) change ticket.api like this:
-
trac/ticket/api.py
57 57 field['type'] = 'select' 58 58 users = [] 59 59 for username, name, email in self.env.get_known_users(db): 60 users.append(username) 60 if name and email: 61 users.append(username) 61 62 field['options'] = users 62 63 field['optional'] = True 63 64 else:
2) enhance WebAdmin in the way that it can enumerate and delete old user information. See #1347.
comment:6 by , 19 years ago
| Milestone: | 0.9.1 → 0.9.2 |
|---|
comment:8 by , 18 years ago
| Keywords: | documentation added |
|---|
restrict_owner now only shows authenticated Trac users that have TICKET_MODIFY permission.
TracTickets still has conflicting information on the TracTickets section.
If the list of possible ticket owners is finite, you can change the assign-to ticket field from a text input to a drop-down list. This is done by setting the restrict_owner option of the [ticket] section in trac.ini to “true”. In that case, Trac will use the list of all users who have logged in and set their email address to populate the drop-down field.
and then:
To appear in the dropdown list, a user needs be registered with the project, i.e. a user session should exist in the database. Such an entry is automatically created in the database the first time the user submits a change in the project, for example when editing the user's details in the Settings page. Also, the user must have TICKET_MODIFY permissions.
comment:9 by , 18 years ago
Oops, appears that the conflicting documentation is already being addressed in #2887.
follow-up: 12 comment:10 by , 18 years ago
| Keywords: | restrict_owner removed |
|---|
comment:11 by , 17 years ago
Discussing user need for restrict_owner and ticket assignment. In my organization we want to be able to assign ticket to any developer (trac user that does work) but we don't want anyone being able to change ticket proprieties like milestone. So using another or a new permission (or a completly different way but permission) to filter the list of possible owner seems more appropriate.
comment:12 by , 17 years ago
| Milestone: | 1.0 |
|---|---|
| Resolution: | → worksforme |
| Status: | new → closed |
Replying to sid:
Proposing to close this as
wontfixbased on comment:8 and comment:9
Agree on closing, but suppose it will be worksforme relative to the original proposal as the feature has been much improved since the ticket was created? I have also touched up that conflicting wiki docs a little.
As for the last comment above, with Trac 0.11 there are ways to do this via plugins. The most natural would be to make a new Permission Policy plugin (TracDev/SecurityBranch) for fine-grained permissions to TICKET_MODIFY - make your own criteria for who should have permission or not. See source:trunk/sample-plugins/permissions for examples.
It seems that using
INNER JOINinstead ofLEFT JOINdoes fix it.