| | 1 | = Custom Permission Policies |
| | 2 | |
| | 3 | Permission policies were introduced on the [TracFineGrainedPermissions#PermissionPolicies TracFineGrainedPermissions] page. Many policies can be implemented with a short plugin. Some custom permission policy examples are given on this page. |
| | 4 | |
| | 5 | == Restrict a Workflow Action to the Ticket Owner |
| | 6 | |
| | 7 | This permissions policy can be used to restrict a workflow action to the ticket's owner. |
| | 8 | |
| | 9 | To install and activate the plugin: |
| | 10 | 1. Create a [TracDev/PluginDevelopment#Singlefileplugins single file plugin] that implements [wiki:TracDev/PluginDevelopment/ExtensionPoints/trac.perm.IPermissionPolicy IPermissionPolicy]: |
| | 11 | {{{#!python |
| | 12 | # -*- coding: utf-8 -*- |
| | 13 | # |
| | 14 | # Copyright (C) 2014 Edgewall Software |
| | 15 | # All rights reserved. |
| | 16 | # |
| | 17 | # This software is licensed as described in the file COPYING, which |
| | 18 | # you should have received as part of this distribution. The terms |
| | 19 | # are also available at http://trac.edgewall.org/wiki/TracLicense. |
| | 20 | # |
| | 21 | # This software consists of voluntary contributions made by many |
| | 22 | # individuals. For the exact contribution history, see the revision |
| | 23 | # history and logs, available at http://trac.edgewall.org/log/. |
| | 24 | |
| | 25 | from trac.core import * |
| | 26 | from trac.perm import IPermissionPolicy, IPermissionRequestor |
| | 27 | from trac.ticket.model import Ticket |
| | 28 | |
| | 29 | |
| | 30 | class RestrictTicketActionsPolicy(Component): |
| | 31 | """Provides a permission for restricting ticket actions to the |
| | 32 | ticket owner. |
| | 33 | """ |
| | 34 | |
| | 35 | implements(IPermissionPolicy, IPermissionRequestor) |
| | 36 | |
| | 37 | # IPermissionRequestor methods |
| | 38 | |
| | 39 | def get_permission_actions(self): |
| | 40 | return ['TICKET_CHANGE_STATE'] |
| | 41 | |
| | 42 | # IPermissionPolicy methods |
| | 43 | |
| | 44 | def check_permission(self, action, username, resource, perm): |
| | 45 | if action == 'TICKET_CHANGE_STATE' \ |
| | 46 | and resource is not None \ |
| | 47 | and resource.realm == 'ticket' \ |
| | 48 | and resource.id is not None: |
| | 49 | ticket = Ticket(self.env, resource.id) |
| | 50 | return ticket['owner'] == username |
| | 51 | return None |
| | 52 | }}} |
| | 53 | 1. Edit the `permission_policies` option in the [TracIni#trac-section [trac]] section of trac.ini, adding the component ''before'' the default [TracPermissions permission] policy: |
| | 54 | {{{#!ini |
| | 55 | [trac] |
| | 56 | permission_policies = RestrictTicketActions, ... |
| | 57 | }}} |
| | 58 | 1. Require `TICKET_CHANGE_STATE` for one or more workflow actions. For example, the [TracWorkflow#Environmentscreatedwith0.11 default workflow] could be modified so that only the ticket owner can assign tickets: |
| | 59 | {{{#!diff |
| | 60 | -reassign.permissions = TICKET_MODIFY |
| | 61 | +reassign.permissions = TICKET_CHANGE_STATE |
| | 62 | }}} |
| | 63 | 1. Grant the `TICKET_CHANGE_STATE` permission to your users. |
| | 64 | |
| | 65 | ---- |
| | 66 | |
| | 67 | See also: [CookBook/Configuration/SignedTickets#Readonlylogic ReadonlySignedTickets policy], [gmessage:trac-users:0XDa9f9fAos/PFsiA32GLJAJ mailing list discussion] about !RestrictTicketActionsPolicy |
