Edgewall Software

Opened 10 years ago

Last modified 2 years ago

#8653 new enhancement

[PATCH] Don't allow anonymous users to modify some fields

Reported by: Steven R. Loomis <srl@…>
Owned by:
Priority: normal
Milestone: unscheduled
Component: ticket system
Version: 0.11.5
Severity: normal
Keywords: patch permissionpolicy
Cc: hju@…, mmitar@…, Thijs Triemstra, Ryan J Ollos
Branch:
Release Notes:
API Changes:

Description

This patch lets you set a comma separated list of fields that won't be visible at /newticket time to users without TICKET_MODIFY status.

Included is a bonus exception check we received when there were non-numeric ticket numbers.

To use: in trac.ini, we have this line:

[ticket]
not_anon_fields=load,priority,keywords,revw,owner,cc,xref,weeks,milestone

These are fields we do NOT want 'anonymous' users to modify when creating a ticket. (For example, revw is used to mark a ticket with the name of a reviewer.)

Note that there is a default list of fields hidden as well with this patch. The default could be made empty.
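
Added example (not the attached patch and not Trac code): a stand-alone Python sketch of the behaviour the description asks for, keyed on the TICKET_MODIFY permission, which both hides the listed fields and re-checks them on the server when the form is posted. The function names, the sample form values and the defaults are assumptions made for illustration.

```python
import configparser

# Constructed sample: the [ticket] section quoted in the description.
TRAC_INI = """\
[ticket]
not_anon_fields=load,priority,keywords,revw,owner,cc,xref,weeks,milestone
"""
REQUIRED = "TICKET_MODIFY"  # permission named in the description

def restricted_fields(ini_text, option="not_anon_fields"):
    """Parse the comma-separated option into a set of field names."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    raw = cp.get("ticket", option, fallback="")
    return {name.strip() for name in raw.split(",") if name.strip()}

def visible_fields(all_fields, perms, restricted):
    """Fields to render on /newticket for a user holding `perms`."""
    if REQUIRED in perms:
        return list(all_fields)
    return [f for f in all_fields if f not in restricted]

def rejected_fields(submitted, defaults, perms, restricted):
    """Restricted fields whose posted value differs from the default.

    Hiding an input does not stop a client from posting it, so the
    handler compares the request against the defaults itself.
    """
    if REQUIRED in perms:
        return []
    return sorted(f for f in restricted
                  if f in submitted and submitted[f] != defaults.get(f, ""))

def sanitize(submitted, defaults, perms, restricted):
    """Ticket values to store: restricted fields fall back to defaults."""
    if REQUIRED in perms:
        return dict(submitted)
    clean = {k: v for k, v in submitted.items() if k not in restricted}
    clean.update({k: v for k, v in defaults.items() if k in restricted})
    return clean

if __name__ == "__main__":
    restricted = restricted_fields(TRAC_INI)
    form = {"summary": "crash", "priority": "blocker", "milestone": ""}  # constructed
    defaults = {"priority": "normal", "milestone": ""}  # constructed
    print(rejected_fields(form, defaults, set(), restricted))
    print(sanitize(form, defaults, set(), restricted))
```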

Attachments (1)

8653_not_anon_fields.patch (2.3 KB) - added by Steven R. Loomis <srl@…> 10 years ago.
8653_not_anon_fields.patch against milestone:0.11.5 r8446


Change History (12)

by Steven R. Loomis <srl@…>, 10 years ago

Attachment: 8653_not_anon_fields.patch added

8653_not_anon_fields.patch against milestone:0.11.5 r8446

in reply to:  description comment:1 by Ryan Ollos <ryano@…>, 10 years ago

Replying to Steven R. Loomis <srl@…>:

> This patch lets you set a comma separated list of fields that won't be visible at /newticket time to users without TICKET_MODIFY status.

If I could make a suggestion … you talk about requiring TICKET_MODIFY permission, but then name the corresponding field not_anon_fields. However, there is no requirement in a Trac installation that TICKET_MODIFY is or is not granted to anonymous users, so you are associating two things that need not be associated.

If this or something similar were to be integrated into Trac, it seems like the field would be more appropriately named something like hide_if_not_ticket_modify.

comment:2 by Christian Boos, 10 years ago

Keywords: permissionpolicy added
Milestone: 2.0

Also, in Trac proper, I would rather see an extension of the "namespace" to specify what has to be tested, see comment:176:ticket:454.

I'll collect those ideas and write a new proposal in TracDev/Proposals/EvenFinerGrainedPermissions.

comment:3 by Ryan Ollos <ryano@…>, 10 years ago

Cc: ryano@… added

comment:4 by hju@…, 9 years ago

Cc: hju@… added

comment:5 by Christian Boos, 9 years ago

Milestone: 2.0 → unscheduled

Milestone 2.0 deleted

comment:6 by Mitar, 9 years ago

Cc: mmitar@… added

comment:7 by Christian Boos, 9 years ago

Milestone: triaging → unscheduled

Milestone triaging deleted

comment:8 by Thijs Triemstra, 8 years ago

Cc: Thijs Triemstra added
Summary: Patch: Don't allow anonymous users to modify some fields → [PATCH] Don't allow anonymous users to modify some fields

comment:10 by Ryan J Ollos, 5 years ago

Cc: Ryan J Ollos added; ryano@… removed

comment:11 by figaro, 3 years ago

Keywords: patch added

comment:12 by Ryan J Ollos, 2 years ago

#8778 closed as a duplicate.
