Custom Permission Policies
Contents
Permission policies were introduced on the TracFineGrainedPermissions page. Custom policies can often be implemented with a short plugin. Some custom permission policy examples are given on this page.
Restrict a Workflow Action to the Ticket Owner
This permissions policy can be used to restrict a workflow action to the ticket owner that possesses TICKET_CHANGE_STATE. User with TICKET_ADMIN can perform the action even if they are not the owner.
To install and activate the plugin:
- Create a single file plugin that implements IPermissionPolicy and IPermissionRequestor:
# -*- coding: utf-8 -*- # # Copyright (C) 2014-2017 Edgewall Software # All rights reserved. # # This software is licensed as described in the file COPYING, which # you should have received as part of this distribution. The terms # are also available at http://trac.edgewall.org/wiki/TracLicense. # # This software consists of voluntary contributions made by many # individuals. For the exact contribution history, see the revision # history and logs, available at http://trac.edgewall.org/log/. from trac.core import * from trac.perm import IPermissionPolicy, IPermissionRequestor from trac.resource import ResourceNotFound from trac.ticket.model import Ticket class RestrictTicketActionsPolicy(Component): """Provides a permission for restricting ticket actions to the ticket owner. """ implements(IPermissionPolicy, IPermissionRequestor) _field = 'owner' # IPermissionRequestor methods def get_permission_actions(self): return ['TICKET_CHANGE_STATE'] # IPermissionPolicy methods def check_permission(self, action, username, resource, perm): if action == 'TICKET_CHANGE_STATE' and \ resource is not None and \ resource.realm == 'ticket' and \ resource.id is not None: try: ticket = Ticket(self.env, resource.id) except ResourceNotFound: pass else: if ticket[self._field] != username: return 'TICKET_ADMIN' in perm
- Edit the
permission_policiesoption in the [trac] section of trac.ini, adding theRestrictTicketActionsPolicycomponent before the default permission policy:[trac] permission_policies = RestrictTicketActionsPolicy, ...
- Require
TICKET_CHANGE_STATEfor one or more workflow actions. For example, the default workflow could be modified so that only the ticket owner can assign tickets:-reassign.permissions = TICKET_MODIFY +reassign.permissions = TICKET_CHANGE_STATE
- Grant the
TICKET_CHANGE_STATEpermission to your users.
The permission policy can be applied to the ticket reporter rather than the ticket owner by changing the _field class attribute from 'owner' to 'reporter'.
Grant a permission to the Ticket Owner
This permissions policy can be used to grant permissions to the ticket's owner.
To install and activate the plugin:
- Create a single file plugin that implements IPermissionPolicy:
# -*- coding: utf-8 -*- # # Copyright (C) 2014-2017 Edgewall Software # All rights reserved. # # This software is licensed as described in the file COPYING, which # you should have received as part of this distribution. The terms # are also available at http://trac.edgewall.org/wiki/TracLicense. # # This software consists of voluntary contributions made by many # individuals. For the exact contribution history, see the revision # history and logs, available at http://trac.edgewall.org/log/. from trac.core import * from trac.perm import IPermissionPolicy from trac.resource import ResourceNotFound from trac.ticket.model import Ticket class GrantTicketOwnerPermissionsPolicy(Component): """Grants permissions to the ticket owner.""" implements(IPermissionPolicy) allowed_actions = ( 'TICKET_CHGPROP', 'TICKET_EDIT_CC', 'TICKET_EDIT_DESCRIPTION', 'TICKET_EDIT_COMMENT') # IPermissionPolicy methods def check_permission(self, action, username, resource, perm): if action in self.allowed_actions and \ resource is not None and \ resource.realm == 'ticket' and \ resource.id is not None: try: ticket = Ticket(self.env, resource.id) except ResourceNotFound: pass else: if ticket['owner'] == username: return True
- Edit the
permission_policiesoption in the [trac] section of trac.ini, adding theGrantTicketOwnerPermissionsPolicycomponent before the default permission policy:[trac] permission_policies = GrantTicketOwnerPermissionsPolicy, ...
Variations
- Remove permissions from the
allowed_actionsor add others. - Change
ticket['owner']toticket['reporter']to grant the permissions to the Ticket Reporter instead.
Support Desk Policy
This permission policy allows users to view only tickets they have reported.
To install and activate the plugin:
- Create a single file plugin that implements IPermissionPolicy:
# -*- coding: utf-8 -*- # # Copyright (C) 2017 Edgewall Software # All rights reserved. # # This software is licensed as described in the file COPYING, which # you should have received as part of this distribution. The terms # are also available at http://trac.edgewall.org/wiki/TracLicense. # # This software consists of voluntary contributions made by many # individuals. For the exact contribution history, see the revision # history and logs, available at http://trac.edgewall.org/log/. from trac.core import * from trac.perm import IPermissionPolicy, IPermissionRequestor from trac.resource import ResourceNotFound from trac.ticket.model import Ticket class SupportDeskPolicy(Component): """Provides a permission for restricting ticket actions to the ticket owner. """ implements(IPermissionPolicy, IPermissionRequestor) # IPermissionRequestor methods def get_permission_actions(self): return ['TICKET_VIEW_REPORTED'] # IPermissionPolicy methods def check_permission(self, action, username, resource, perm): if username != 'anonymous' and \ action == 'TICKET_VIEW' and \ 'TICKET_ADMIN' not in perm: if 'TICKET_VIEW_REPORTED' in perm: if resource is None or \ resource.realm == 'ticket' and \ resource.id is None: return True elif resource.realm == 'ticket' and \ resource.id is not None: try: ticket = Ticket(self.env, resource.id) except ResourceNotFound: pass else: return username in (ticket['reporter'], ticket['owner'])
- Edit the
permission_policiesoption in the [trac] section of trac.ini, adding theSupportDeskPolicycomponent before the default permission policy:[trac] permission_policies = SupportDeskPolicy, ...
- Revoke
TICKET_VIEWand grantTICKET_VIEW_REPORTEDfor users that should only view tickets they reported. Users withTICKET_VIEWcan view all tickets, provided they don't also haveTICKET_VIEW_REPORTED. - Grant other permissions such as
TICKET_CHGPROP,TICKET_APPENDorTICKET_MODIFY. Users can only change tickets they can view, therefore you'll only be granting these permissions for tickets the user reported.
Restrict Tickets Per Milestone
Milestones access can be restricted per-milestone using AuthzPolicy. This permission policy further allows users to only view tickets that are assigned to viewable milestones.
To install and activate the plugin:
- Create a single file plugin that implements IPermissionPolicy:
# -*- coding: utf-8 -*- # # Copyright (C) 2019 Edgewall Software # All rights reserved. # # This software is licensed as described in the file COPYING, which # you should have received as part of this distribution. The terms # are also available at https://trac.edgewall.org/wiki/TracLicense. # # This software consists of voluntary contributions made by many # individuals. For the exact contribution history, see the revision # history and logs, available at https://trac.edgewall.org/log/. from trac.core import * from trac.perm import IPermissionPolicy from trac.resource import ResourceNotFound from trac.ticket.model import Ticket class TicketMilestonePolicy(Component): """Provides a permission for restricting ticket access to viewable milestones. """ implements(IPermissionPolicy) # IPermissionPolicy methods def check_permission(self, action, username, resource, perm): if action == 'TICKET_VIEW': if resource is None or \ resource.realm == 'ticket' and \ resource.id is None: return True elif resource.realm == 'ticket' and \ resource.id is not None: try: ticket = Ticket(self.env, resource.id) except ResourceNotFound: pass else: return 'MILESTONE_VIEW' in perm('milestone', ticket['milestone'])
- Edit [trac] permission_policies in trac.ini, adding the
TicketMilestonePolicyandAuthzPolicycomponents before the default permission policy:[trac] permission_policies = TicketMilestonePolicy, AuthzPolicy, ...
- Revoke the coarse-grained
MILESTONE_VIEWand configure AuthzPolicy with a policy that grantsMILESTONE_VIEWper milestone-resource:[milestone:milestone1] user1 = MILESTONE_VIEW [milestone:milestone2] user2 = MILESTONE_VIEW
- Grant
TICKET_VIEWto any users that you wish to view some (but not necessarily all) tickets. TheTicketMilestonePolicywill deny access to a ticket if the users isn't allowed to view the associated milestone for the ticket, even though the user has coarse-grainedTICKET_VIEW. - Grant other permissions such as
TICKET_CHGPROP,TICKET_APPENDorTICKET_MODIFY. Users can only change tickets they can view, therefore you'll only be granting these permissions for tickets assigned to milestones they can view.
Restrict Changing Ticket Milestone
With the default permission policies enabled, a user with TICKET_CHGPROP and MILESTONE_VIEW can change the milestone of a ticket. Since 1.3.2 the behavior is implemented in the permission policy DefaultTicketPolicy. The action TICKET_CHG_MILESTONE is used to grant the privilege, however this permission is not defined through an IPermissionRequestor implementation and therefore not available to be assigned to users.
The action can be defined using ExtraPermissionsProvider, and with no other changes to the permission policy, changing the milestone property will be restricted to users with the TICKET_CHG_MILESTONE permission.
[extra-permissions] _perms = TICKET_CHG_MILESTONE
See also: #8778.
See also: ReadonlySignedTickets policy, mailing list discussion about RestrictTicketActionsPolicy
Last modified
6 years ago
Last modified on Sep 19, 2019, 6:47:09 AM
Note:
See TracWiki
for help on using the wiki.
