Changes between Version 3 and Version 4 of 1.3/TracPermissions

Timestamp:

May 11, 2017, 9:02:00 AM (6 years ago)

Author:

Ryan J Ollos

Comment:

Document adding explicit attachment actions.

1.3/TracPermissions

@@ -97 +97 @@
 == Attachment Permissions
 
-Attachment permissions are handled by `LegacyAttachmentPolicy`, and unlike the permissions discussed so far attachment permissions are not directly granted. Rather, the ability to create, view and delete attachments is determined by the attachment's parent realm and permissions the user possess for that realm.
+Attachment permissions are handled by `LegacyAttachmentPolicy`, and unlike the permissions discussed so far, the permissions provided by `LegacyAttachmentPolicy` are not directly granted. Rather, the ability to create, view and delete attachments is determined by the attachment's parent realm and permissions the user possess for that realm.
 
 The attachment actions are determined by the following
@@ -107 +107 @@
 || `ATTACHMENT_DELETE` || `TICKET_ADMIN` || `WIKI_DELETE` || `MILESTONE_DELETE` ||
 }}}
+
+If explicit attachment permissions are preferred, `ATTACHMENT_CREATE`, `ATTACHMENT_DELETE` and `ATTACHMENT_VIEW` can be created using the [trac:ExtraPermissionsProvider]. The simplest implementation is to simply define the actions.
+{{{#!ini
+[extra-permissions]
+_perms = ATTACHMENT_CREATE, ATTACHMENT_DELETE, ATTACHMENT_VIEW
+}}}
+
+An alternative configuration adds an `ATTACHMENT_ADMIN` meta-permission that grants the other 3 permission.
+{{{#!ini
+[extra-permissions]
+ATTACHMENT_ADMIN = ATTACHMENT_CREATE, ATTACHMENT_DELETE, ATTACHMENT_VIEW
+}}}
+
+The explicit permissions can be used in concert with `LegacyAttachmentPolicy`, or `LegacyAttachmentPolicy` can be removed from `permission_policies`, in which case only users that have been explicitly granted the corresponding attachment action will be able to create, delete and view attachments.
 
 == Granting Privileges