Context Navigation

Modify ↓

#3466 closed enhancement (duplicate)

Restrict users from seeing tickets that are not their own

Reported by:	tdussa@…	Owned by:	Jonas Borgström
Priority:	normal	Milestone:
Component:	ticket system	Version:	0.9.6
Severity:	normal	Keywords:
Cc:	shishz@…	Branch:
Release Notes:
API Changes:
Internal Changes:

Description

We'd like to prohibit users from seeing tickets that they did not report. (Obviously, some users with proper permissions would need to be exempt from this rule.)

I believe that this can be done if users come through the reporting facility by disallowing users to create their own custom queries and offering only queries which contain SQL statements to the desired effect.

However, as far as I see, this will not prevent users from looking up tickets directly with the proper URL.

Would there be an easy way to implement such a privilege?

Attachments (0)

Change History (6)

comment:1 by Christian Boos, 18 years ago

Milestone:	→ 0.11

The WorkFlow and PermissionPolicy sandboxes provide capabilities which would make this possible. However, this comes up so frequently that I think we should consider having a simple configuration setting part of the core ticket module, for implementing this behavior.

comment:2 by anonymous, 18 years ago

Cc:	shishz@… added

comment:3 by Noah Kantrowitz (coderanger) <coderanger@…>, 18 years ago

Resolution:	→ worksforme
Status:	new → closed

This is implemented in the PrivateTickets plugin.

comment:4 by Christian Boos, 18 years ago

Resolution:	worksforme
Status:	closed → reopened

Well, like I said in comment:1, I also would like to have this capability in Trac core, using a:

[tickets]
private_tickets = true

setting or something similar (with no additional permissions setup required). Only the developers (those with TICKET_ADMIN privilege) would be able to see all tickets, regardless of who's the reporter.

This will be useful for Trac setups in commercial environments and I think this should come out-of-the-box with minimal setup required.

comment:5 by Christian Boos, 18 years ago

See related #2393, where it's the same problematic but for the 'TICKET_APPEND' privilege.

comment:6 by Christian Boos, 18 years ago

Milestone:	0.11
Resolution:	→ duplicate
Status:	reopened → closed

This is actually a duplicate of #1316.

Modify Ticket

Change Properties

Summary:
Description:	We'd like to prohibit users from seeing tickets that they did not report. (Obviously, some users with proper permissions would need to be exempt from this rule.) I believe that this can be done if users come through the reporting facility by disallowing users to create their own custom queries and offering only queries which contain SQL statements to the desired effect. However, as far as I see, this will not prevent users from looking up tickets directly with the proper URL. Would there be an easy way to implement such a privilege? You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as closed The owner will remain Jonas Borgström.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from Jonas Borgström to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: