Changes between Version 10 and Version 11 of CookBook/PermissionPolicies

Timestamp:

May 8, 2017, 1:15:57 AM (7 years ago)

Author:

Ryan J Ollos

Comment:

Fix issues with RestrictTicketActionsPolicy: the policy would grant/deny even if user didn't possess TICEKT_CHANGE_STATE and non-existent ticket would raise ResourceNotFound.

CookBook/PermissionPolicies

@@ -5 +5 @@
 == Restrict a Workflow Action to the Ticket Owner
 
-This permissions policy can be used to restrict a workflow action to the ticket's owner.
+This permissions policy can be used to restrict a workflow action to the ticket owner that possesses `TICKET_CHANGE_STATE`. User with `TICKET_ADMIN` can perform the action even if they are not the owner.
 
 To install and activate the plugin:
@@ -25 +25 @@
 from trac.core import *
 from trac.perm import IPermissionPolicy, IPermissionRequestor
+from trac.resource import ResourceNotFound
 from trac.ticket.model import Ticket
 
@@ -47 +48 @@
                 resource.realm == 'ticket' and \
                 resource.id is not None:
-            ticket = Ticket(self.env, resource.id)
-            return ticket['owner'] == username
-        return None
+            try:
+                ticket = Ticket(self.env, resource.id)
+            except ResourceNotFound:
+                pass
+            else:
+                if ticket['owner'] != username:
+                    return 'TICKET_ADMIN' in perm
 }}}
  1. Edit the `permission_policies` option in the [TracIni#trac-section "[trac]"] section of trac.ini, adding the `RestrictTicketActions` component ''before'' the default [TracPermissions permission] policy: