Edgewall Software

Opened 9 years ago

Last modified 20 months ago

#8653 new enhancement

[PATCH] Don't allow anonymous users to modify some fields

Reported by: Steven R. Loomis <srl@…>
Owned by:
Priority: normal
Milestone: unscheduled
Component: ticket system
Version: 0.11.5
Severity: normal
Keywords: patch permissionpolicy
Cc: hju@…, mmitar@…, Thijs Triemstra, Ryan J Ollos
Release Notes:
API Changes:

Description

This patch lets you set a comma separated list of fields that won't be visible at /newticket time to users without TICKET_MODIFY status.

Included is a bonus exception check we received when there were non-numeric ticket numbers.

To use: in trac.ini, we have this line:

[ticket]
not_anon_fields=load,priority,keywords,revw,owner,cc,xref,weeks,milestone

These are fields we do NOT want 'anonymous' users to modify when creating a ticket. (For example, revw is used to mark a ticket with the name of a reviewer.)

Note that there is a default list of fields hidden as well with this patch. The default could be made empty.

Attachments (1)

8653_not_anon_fields.patch (2.3 KB) - added by Steven R. Loomis <srl@…> 9 years ago.
8653_not_anon_fields.patch against milestone:0.11.5 r8446


Change History (12)

Changed 9 years ago by Steven R. Loomis <srl@…>

Attachment: 8653_not_anon_fields.patch added

8653_not_anon_fields.patch against milestone:0.11.5 r8446

comment:1 in reply to:  description Changed 9 years ago by Ryan Ollos <ryano@…>

Replying to Steven R. Loomis <srl@…>:

> This patch lets you set a comma separated list of fields that won't be visible at /newticket time to users without TICKET_MODIFY status.

If I could make a suggestion … you talk about requiring TICKET_MODIFY permission, but then name the corresponding field not_anon_fields. However, there is no requirement in a Trac installation that TICKET_MODIFY is or is not granted to anonymous users, so you are associating two things that need not be associated.

If this or something similar were to be integrated into Trac, it seems like the field would be more appropriately named something like hide_if_not_ticket_modify.

comment:2 Changed 9 years ago by Christian Boos

Keywords: permissionpolicy added
Milestone: 2.0

Also, in Trac proper, I would rather see an extension of the "namespace" to specify what has to be tested, see comment:176:ticket:454.

I'll collect those ideas and write a new proposal in TracDev/Proposals/EvenFinerGrainedPermissions.

comment:3 Changed 9 years ago by Ryan Ollos <ryano@…>

Cc: ryano@… added

comment:4 Changed 9 years ago by hju@…

Cc: hju@… added

comment:5 Changed 9 years ago by Christian Boos

Milestone: 2.0 → unscheduled

Milestone 2.0 deleted

comment:6 Changed 8 years ago by Mitar

Cc: mmitar@… added

comment:7 Changed 8 years ago by Christian Boos

Milestone: triaging → unscheduled

Milestone triaging deleted

comment:8 Changed 8 years ago by Thijs Triemstra

Cc: Thijs Triemstra added
Summary: Patch: Don't allow anonymous users to modify some fields → [PATCH] Don't allow anonymous users to modify some fields

comment:10 Changed 4 years ago by Ryan J Ollos

Cc: Ryan J Ollos added; ryano@… removed

comment:11 Changed 3 years ago by figaro

Keywords: patch added

comment:12 Changed 20 months ago by Ryan J Ollos

#8778 closed as a duplicate.
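
The check discussed in this ticket, as an added example that is not the attached patch and not Trac code: it keys the restriction on TICKET_MODIFY rather than on the anonymous user (the point raised in comment:1) and applies it to submitted values as well as to the rendered form. The helper names, default values and sample request are assumptions; the logic is modelled in plain Python without importing Trac.

```python
# Added illustration: plain Python, does not import Trac, not the attached patch.
# The field list is the one quoted in the ticket description; every helper name
# below is hypothetical.

TRAC_INI_VALUE = "load,priority,keywords,revw,owner,cc,xref,weeks,milestone"


def parse_field_list(raw):
    """Split a comma-separated option value, dropping blanks and whitespace."""
    return {name.strip() for name in raw.split(",") if name.strip()}


def visible_fields(all_fields, restricted, permissions):
    """Fields to render on the new-ticket form for a user with these permissions."""
    if "TICKET_MODIFY" in permissions:
        return list(all_fields)
    return [f for f in all_fields if f not in restricted]


def filter_submission(submitted, defaults, restricted, permissions):
    """Server-side check: hiding a field does not stop a client from sending it.

    Returns (accepted_values, rejected_field_names). A restricted field sent by
    a user without TICKET_MODIFY is reset to its default and reported.
    """
    if "TICKET_MODIFY" in permissions:
        return dict(submitted), []
    accepted, rejected = {}, []
    for name, value in submitted.items():
        if name in restricted and value != defaults.get(name, ""):
            accepted[name] = defaults.get(name, "")
            rejected.append(name)
        else:
            accepted[name] = value
    return accepted, sorted(rejected)


if __name__ == "__main__":
    restricted = parse_field_list(TRAC_INI_VALUE)
    # Constructed sample request that carries values for hidden fields.
    posted = {"summary": "crash on save", "priority": "blocker", "owner": "admin"}
    defaults = {"priority": "normal", "owner": ""}
    print(filter_submission(posted, defaults, restricted, {"TICKET_CREATE"}))
    print(filter_submission(posted, defaults, restricted,
                            {"TICKET_CREATE", "TICKET_MODIFY"}))
```

Because the decision depends only on the permission set, an installation that grants TICKET_MODIFY to anonymous sees no restriction, and an authenticated user without it is restricted.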
