Edgewall Software

Changes between Version 16 and Version 17 of CookBook/PermissionPolicies


Ignore:
Timestamp:
Sep 19, 2019, 6:46:23 AM (3 years ago)
Author:
Ryan J Ollos
Comment:

Document policy proposed in gmessage:trac-users:YcLn-OUkZyk/x5XqjPtbAgAJ.

Legend:

Unmodified
Added
Removed
Modified
  • CookBook/PermissionPolicies

    v16 v17  
    2022021. Grant other permissions such as `TICKET_CHGPROP`, `TICKET_APPEND` or `TICKET_MODIFY`. Users can only change tickets they can view, therefore you'll only be granting these permissions for tickets the user reported.
    203203
     204== Restrict Tickets Per Milestone
     205
     206Milestones access can be restricted per-milestone using [TracFineGrainedPermissions#AuthzPolicy AuthzPolicy].
     207This permission policy further allows users to only
     208view tickets that are assigned to viewable milestones.
     209
     210To install and activate the plugin:
     2111. Create a [TracDev/PluginDevelopment#Singlefileplugins single file plugin] that implements [wiki:TracDev/PluginDevelopment/ExtensionPoints/trac.perm.IPermissionPolicy IPermissionPolicy]:
     212{{{#!python
     213# -*- coding: utf-8 -*-
     214#
     215# Copyright (C) 2019 Edgewall Software
     216# All rights reserved.
     217#
     218# This software is licensed as described in the file COPYING, which
     219# you should have received as part of this distribution. The terms
     220# are also available at https://trac.edgewall.org/wiki/TracLicense.
     221#
     222# This software consists of voluntary contributions made by many
     223# individuals. For the exact contribution history, see the revision
     224# history and logs, available at https://trac.edgewall.org/log/.
     225
     226from trac.core import *
     227from trac.perm import IPermissionPolicy
     228from trac.resource import ResourceNotFound
     229from trac.ticket.model import Ticket
     230
     231
     232class TicketMilestonePolicy(Component):
     233    """Provides a permission for restricting ticket access to
     234    viewable milestones.
     235    """
     236
     237    implements(IPermissionPolicy)
     238
     239    # IPermissionPolicy methods
     240
     241    def check_permission(self, action, username, resource, perm):
     242        if action == 'TICKET_VIEW':
     243            if resource is None or \
     244                    resource.realm == 'ticket' and \
     245                    resource.id is None:
     246                return True
     247            elif resource.realm == 'ticket' and \
     248                    resource.id is not None:
     249                try:
     250                    ticket = Ticket(self.env, resource.id)
     251                except ResourceNotFound:
     252                    pass
     253                else:
     254                    return 'MILESTONE_VIEW' in perm('milestone',
     255                                                    ticket['milestone'])
     256
     257}}}
     2581. Edit [[TracIni#trac-permission_policies-option|[trac] permission_policies]] in trac.ini, adding the `TicketMilestonePolicy` and `AuthzPolicy` components ''before'' the default [TracPermissions permission] policy:
     259 {{{#!ini
     260 [trac]
     261 permission_policies = TicketMilestonePolicy, AuthzPolicy, ...
     262}}}
     2631. Revoke the coarse-grained `MILESTONE_VIEW` and configure [TracFineGrainedPermissions#AuthzPolicy AuthzPolicy] with a policy that grants `MILESTONE_VIEW` per milestone-resource:
     264{{{#!ini
     265[milestone:milestone1]
     266user1 = MILESTONE_VIEW
     267
     268[milestone:milestone2]
     269user2 = MILESTONE_VIEW
     270}}}
     2711. Grant `TICKET_VIEW` to any users that you wish to view some (but not necessarily all) tickets. The `TicketMilestonePolicy` will deny access to a ticket if the users isn't allowed to view the associated milestone for the ticket, even though the user has coarse-grained `TICKET_VIEW`.
     2721. Grant other permissions such as `TICKET_CHGPROP`, `TICKET_APPEND` or `TICKET_MODIFY`. Users can only change tickets they can view, therefore you'll only be granting these permissions for tickets assigned to milestones they can view.
     273
    204274== Restrict Changing Ticket Milestone
    205275