Custom Permission Policies
Permission policies were introduced on the TracFineGrainedPermissions page. Custom policies can often be implemented with a short plugin. Some custom permission policy examples are given on this page.
Restrict a Workflow Action to the Ticket Owner
This permissions policy can be used to restrict a workflow action to the ticket's owner.
To install and activate the plugin:
- Create a single file plugin that implements IPermissionPolicy and IPermissionRequestor:
  ```python
  # -*- coding: utf-8 -*-
  #
  # Copyright (C) 2014 Edgewall Software
  # All rights reserved.
  #
  # This software is licensed as described in the file COPYING, which
  # you should have received as part of this distribution. The terms
  # are also available at http://trac.edgewall.org/wiki/TracLicense.
  #
  # This software consists of voluntary contributions made by many
  # individuals. For the exact contribution history, see the revision
  # history and logs, available at http://trac.edgewall.org/log/.

  from trac.core import *
  from trac.perm import IPermissionPolicy, IPermissionRequestor
  from trac.ticket.model import Ticket


  class RestrictTicketActionsPolicy(Component):
      """Provides a permission for restricting ticket actions to the
      ticket owner.
      """

      implements(IPermissionPolicy, IPermissionRequestor)

      # IPermissionRequestor methods

      def get_permission_actions(self):
          return ['TICKET_CHANGE_STATE']

      # IPermissionPolicy methods

      def check_permission(self, action, username, resource, perm):
          if action == 'TICKET_CHANGE_STATE' and \
                  resource is not None and \
                  resource.realm == 'ticket' and \
                  resource.id is not None:
              ticket = Ticket(self.env, resource.id)
              return ticket['owner'] == username
          return None
  ```
- Edit the `permission_policies` option in the `[trac]` section of trac.ini, adding the `RestrictTicketActionsPolicy` component before the default permission policy:
  ```ini
  [trac]
  permission_policies = RestrictTicketActionsPolicy, ...
  ```
- Require `TICKET_CHANGE_STATE` for one or more workflow actions. For example, the default workflow could be modified so that only the ticket owner can assign tickets:
  ```diff
  -reassign.permissions = TICKET_MODIFY
  +reassign.permissions = TICKET_CHANGE_STATE
  ```
- Grant the `TICKET_CHANGE_STATE` permission to your users.
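Why the policy has to be listed before the default permission policy, shown with a simplified model of the policy chain. This is an added example, not Trac's code or part of the plugin above: `decide`, `default_policy`, `Resource` and the sample tickets and grants are stand-ins, and the model assumes that the first policy returning True or False decides while None passes the check to the next policy.

```python
# Simplified model of a permission policy chain (stand-in code, not trac.perm).
from collections import namedtuple

Resource = namedtuple("Resource", "realm id")

# Constructed sample data: ticket id -> owner, and user -> granted actions.
TICKET_OWNERS = {42: "alice"}
GRANTS = {"alice": {"TICKET_CHANGE_STATE"}, "bob": {"TICKET_CHANGE_STATE"}}


def restrict_to_owner(action, username, resource):
    """Same decision logic as RestrictTicketActionsPolicy.check_permission."""
    if (action == "TICKET_CHANGE_STATE" and resource is not None
            and resource.realm == "ticket" and resource.id is not None):
        return TICKET_OWNERS.get(resource.id) == username
    return None  # no opinion: let the next policy decide


def default_policy(action, username, resource):
    """Stand-in for the default policy: allow if granted, else no opinion."""
    return True if action in GRANTS.get(username, ()) else None


def decide(policies, action, username, resource=None):
    """First policy returning True or False wins; all None means deny."""
    for policy in policies:
        decision = policy(action, username, resource)
        if decision is not None:
            return decision
    return False


CORRECT_ORDER = [restrict_to_owner, default_policy]
WRONG_ORDER = [default_policy, restrict_to_owner]

if __name__ == "__main__":
    ticket = Resource("ticket", 42)
    for name, chain in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        for user in ("alice", "bob"):
            print(name, user, decide(chain, "TICKET_CHANGE_STATE", user, ticket))
```

With the wrong order, the grant answers first and the owner check is never reached, so a non-owner holding `TICKET_CHANGE_STATE` passes.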
Grant a permission to the Ticket Owner
This permissions policy can be used to grant permissions to the ticket's owner.
To install and activate the plugin:
- Create a single file plugin that implements IPermissionPolicy:
  ```python
  # -*- coding: utf-8 -*-
  #
  # Copyright (C) 2014 Edgewall Software
  # All rights reserved.
  #
  # This software is licensed as described in the file COPYING, which
  # you should have received as part of this distribution. The terms
  # are also available at http://trac.edgewall.org/wiki/TracLicense.
  #
  # This software consists of voluntary contributions made by many
  # individuals. For the exact contribution history, see the revision
  # history and logs, available at http://trac.edgewall.org/log/.

  from trac.core import *
  from trac.perm import IPermissionPolicy
  from trac.ticket.model import Ticket


  class GrantTicketOwnerPermissionsPolicy(Component):
      """Grants permissions to the ticket owner."""

      implements(IPermissionPolicy)

      allowed_actions = (
          'TICKET_CHGPROP',
          'TICKET_EDIT_CC',
          'TICKET_EDIT_DESCRIPTION',
          'TICKET_EDIT_COMMENT')

      # IPermissionPolicy methods

      def check_permission(self, action, username, resource, perm):
          if action in self.allowed_actions and \
                  resource is not None and \
                  resource.realm == 'ticket' and \
                  resource.id is not None:
              ticket = Ticket(self.env, resource.id)
              if ticket['owner'] == username:
                  return True
          return None
  ```
- Edit the `permission_policies` option in the `[trac]` section of trac.ini, adding the `GrantTicketOwnerPermissionsPolicy` component before the default permission policy:
  ```ini
  [trac]
  permission_policies = GrantTicketOwnerPermissionsPolicy, ...
  ```
Variations
- Remove permissions from the `allowed_actions` or add others.
- Change `ticket['owner']` to `ticket['reporter']` to grant the permissions to the Ticket Reporter instead.
Support Desk Policy
This permission policy allows users to view only tickets they have reported.
To install and activate the plugin:
- Create a single file plugin that implements IPermissionPolicy:
  ```python
  # -*- coding: utf-8 -*-
  #
  # Copyright (C) 2017 Edgewall Software
  # All rights reserved.
  #
  # This software is licensed as described in the file COPYING, which
  # you should have received as part of this distribution. The terms
  # are also available at http://trac.edgewall.org/wiki/TracLicense.
  #
  # This software consists of voluntary contributions made by many
  # individuals. For the exact contribution history, see the revision
  # history and logs, available at http://trac.edgewall.org/log/.

  from trac.core import *
  from trac.perm import IPermissionPolicy, IPermissionRequestor
  from trac.ticket.model import Ticket


  class SupportDeskPolicy(Component):
      """Provides a permission for restricting ticket viewing to the
      ticket reporter.
      """

      implements(IPermissionPolicy, IPermissionRequestor)

      # IPermissionRequestor methods

      def get_permission_actions(self):
          return ['TICKET_VIEW_REPORTED']

      # IPermissionPolicy methods

      def check_permission(self, action, username, resource, perm):
          if username != 'anonymous' and \
                  action == 'TICKET_VIEW' and \
                  resource is not None and \
                  resource.realm == 'ticket' and \
                  resource.id is not None and \
                  'TICKET_VIEW_REPORTED' in perm:
              ticket = Ticket(self.env, resource.id)
              return ticket['reporter'] == username
          # No decision: let the next policy in the chain decide.
          return None
  ```
- Edit the `permission_policies` option in the `[trac]` section of trac.ini, adding the `SupportDeskPolicy` component before the default permission policy:
  ```ini
  [trac]
  permission_policies = SupportDeskPolicy, ...
  ```
- Revoke `TICKET_VIEW` and grant `TICKET_VIEW_REPORTED` for users that should only view tickets they reported.
- Grant other permissions such as `TICKET_CHGPROP`, `TICKET_APPEND` or `TICKET_MODIFY`. Users can only change tickets they can view, therefore you'll only be granting these permissions for tickets the user reported.
Restrict Changing Ticket Milestone
With the default permission policies enabled, a user with `TICKET_CHGPROP` and `MILESTONE_VIEW` can change the milestone of a ticket. Since 1.3.2 the behavior is implemented in the permission policy `DefaultTicketPolicy`. The action `TICKET_CHG_MILESTONE` is used to grant the privilege, however this permission is not defined through an `IPermissionRequestor` implementation and therefore not available to be assigned to users.
The action can be defined using ExtraPermissionsProvider, and with no other changes to the permission policy, changing the milestone property will be restricted to users with the `TICKET_CHG_MILESTONE` permission.
```ini
[extra-permissions]
_perms = TICKET_CHG_MILESTONE
```
See also: #8778.
See also: ReadonlySignedTickets policy, mailing list discussion about RestrictTicketActionsPolicy