= Custom Permission Policies

Permission policies were introduced on the [TracFineGrainedPermissions#PermissionPolicies TracFineGrainedPermissions] page. Many policies can be implemented with a short plugin. Some custom permission policy examples are given on this page.

== Restrict a Workflow Action to the Ticket Owner

This permission policy can be used to restrict a workflow action to the ticket's owner.

To install and activate the plugin:
1. Create a [TracDev/PluginDevelopment#Singlefileplugins single file plugin] that implements [wiki:TracDev/PluginDevelopment/ExtensionPoints/trac.perm.IPermissionPolicy IPermissionPolicy]:
{{{#!python
# -*- coding: utf-8 -*-
#
# Copyright (C) 2014 Edgewall Software
# All rights reserved.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at http://trac.edgewall.org/wiki/TracLicense.
#
# This software consists of voluntary contributions made by many
# individuals. For the exact contribution history, see the revision
# history and logs, available at http://trac.edgewall.org/log/.

from trac.core import Component, implements
from trac.perm import IPermissionPolicy, IPermissionRequestor
from trac.ticket.model import Ticket


class RestrictTicketActionsPolicy(Component):
    """Provides a permission for restricting ticket actions to the
    ticket owner.
    """

    implements(IPermissionPolicy, IPermissionRequestor)

    # IPermissionRequestor methods

    def get_permission_actions(self):
        # Register the new action so that it can be granted to users.
        return ['TICKET_CHANGE_STATE']

    # IPermissionPolicy methods

    def check_permission(self, action, username, resource, perm):
        # Decide only for TICKET_CHANGE_STATE on an existing ticket.
        if action == 'TICKET_CHANGE_STATE' \
                and resource is not None \
                and resource.realm == 'ticket' \
                and resource.id is not None:
            ticket = Ticket(self.env, resource.id)
            # True allows and False denies; either answer is final.
            return ticket['owner'] == username
        # None defers the decision to the next policy in the chain.
        return None
}}}
1. Edit the `permission_policies` option in the [TracIni#trac-section [trac]] section of trac.ini, adding the component ''before'' the default [TracPermissions permission] policy:
{{{#!ini
[trac]
permission_policies = RestrictTicketActionsPolicy, ...
}}}
1. Require `TICKET_CHANGE_STATE` for one or more workflow actions. For example, the [TracWorkflow#Environmentscreatedwith0.11 default workflow] could be modified so that only the ticket owner can reassign tickets:
{{{#!diff
-reassign.permissions = TICKET_MODIFY
+reassign.permissions = TICKET_CHANGE_STATE
}}}
1. Grant the `TICKET_CHANGE_STATE` permission to your users.

----

See also: [CookBook/Configuration/SignedTickets#Readonlylogic ReadonlySignedTickets policy], [gmessage:trac-users:0XDa9f9fAos/PFsiA32GLJAJ mailing list discussion] about !RestrictTicketActionsPolicy
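
Why the position in `permission_policies` matters, as an added example that is not part of the original page or of Trac: it models the policy chain with plain functions, assuming policies are consulted in the listed order and the first non-`None` answer is final. `Resource`, `OWNERS`, `GRANTS`, `is_target`, `deny_only_policy`, `default_policy` and `check` are constructed stand-ins, not Trac APIs.

```python
# Simplified model of the policy chain, constructed for this example (not Trac
# code): policies are asked in order and the first non-None answer is final.
from collections import namedtuple

Resource = namedtuple("Resource", "realm id")
OWNERS = {42: "alice"}                        # constructed: ticket id -> owner
GRANTS = {"alice": {"TICKET_VIEW"},           # constructed: explicit grants
          "bob": {"TICKET_VIEW", "TICKET_CHANGE_STATE"}}

def is_target(action, resource):
    return (action == "TICKET_CHANGE_STATE" and resource is not None
            and resource.realm == "ticket" and resource.id is not None)

def owner_policy(action, username, resource):
    """Same decision logic as the page's check_permission."""
    if is_target(action, resource):
        return OWNERS[resource.id] == username    # True and False are both final
    return None                                   # defer to the next policy

def deny_only_policy(action, username, resource):
    """Hypothetical variant: veto non-owners, never grant by itself."""
    if is_target(action, resource) and OWNERS[resource.id] != username:
        return False
    return None

def default_policy(action, username, resource):
    """Stand-in for the default policy: allow explicit grants, else defer."""
    return (action in GRANTS.get(username, set())) or None

def check(chain, action, username, resource=None):
    for policy in chain:
        decision = policy(action, username, resource)
        if decision is not None:
            return decision
    return False                                  # nobody allowed it

def demo():
    ticket = Resource("ticket", 42)
    chains = {"policy first": [owner_policy, default_policy],
              "policy last": [default_policy, owner_policy],
              "deny-only first": [deny_only_policy, default_policy]}
    return {name: {user: check(chain, "TICKET_CHANGE_STATE", user, ticket)
                   for user in ("alice", "bob")}
            for name, chain in chains.items()}

if __name__ == "__main__":
    print(demo())
```

In this model, listing the owner policy after the default one lets a non-owner who holds the grant through, and listing it first allows the owner even without a grant because `True` is as final as `False`. The deny-only variant keeps the explicit grant a requirement for the owner as well.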