Opened 7 months ago

Closed 7 months ago

Last modified 7 months ago

#11457 closed defect (fixed)

Prevent tickets from being accepted by anonymous

Reported by: rjollos
Owned by: rjollos
Priority: normal
Component: TracHacks
Severity: normal
Keywords: workflow
Cc: osmions, olemis, hasienda, jun66j5, otaku42
Trac Release:

Description

A frequent issue is that users will accept a ticket without being logged in, and the ticket will then be assigned to anonymous. This was recently noted in comment:4:ticket:9984. I'll try modifying the workflow to avoid this.

Change History (7)

comment:1 Changed 7 months ago by rjollos

Two options that I can see:

  • Revoke TICKET_MODIFY from anonymous, grant TICKET_CHGPROP and TICKET_APPEND to anonymous and grant TICKET_MODIFY to authenticated. This would also prevent anonymous users from resolving tickets: TracPermissions#TicketSystem.
  • Add a TICKET_ACCEPT permission, grant it to authenticated and modify the workflow (TracPermissions#CreatingNewPrivileges):
    accept = new -> assigned
    accept.operations = set_owner_to_self
    -accept.permissions = TICKET_MODIFY
    +accept.permissions = TICKET_ACCEPT
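
Review bot: on the `+accept.permissions = TICKET_ACCEPT` line, the action still runs `set_owner_to_self`, so this only keeps tickets from being assigned to anonymous as long as anonymous never holds TICKET_ACCEPT. Suggest noting next to the workflow that TICKET_ACCEPT is to be granted to authenticated only, and that holders of TICKET_MODIFY alone will no longer be offered the accept action.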
    

Any opinions or suggestions?

Last edited 7 months ago by rjollos

comment:2 Changed 7 months ago by rjollos

In reply to comment:5:ticket:9984, in order to change the behavior in Trac and have the workflow set_owner_to_self use the value from the author field of the form, we'd need a patch to Trac such as the one shown in trac:#11418.

That would actually complicate things even more on trac-hacks if the aim is to avoid having tickets assigned to anonymous through the accept action. There is no way I can see to tell the workflow to only allow the accept action if a value other than anonymous is found in the author form field. A plugin would likely be needed to enforce the behavior.

For now, I'll just add the TICKET_ACCEPT permission, and maybe work that patch in the Trac core later on if no one else wants to pursue this first.

comment:3 Changed 7 months ago by rjollos

The current workflow is the Trac 0.10 workflow with the addition of a set_resolution action (comment:7:ticket:11133) for TICKET_ADMINs:

accept = new -> assigned
accept.operations = set_owner_to_self
accept.permissions = TICKET_MODIFY
leave = * -> *
leave.default = 1
leave.operations = leave_status
reassign = new,assigned,reopened -> new
reassign.operations = set_owner
reassign.permissions = TICKET_MODIFY
reopen = closed -> reopened
reopen.operations = del_resolution
reopen.permissions = TICKET_CREATE
resolve = new,assigned,reopened -> closed
resolve.operations = set_resolution
resolve.permissions = TICKET_MODIFY
set_resolution = closed -> closed
set_resolution.name = set resolution
set_resolution.operations = set_resolution
set_resolution.permissions = TICKET_ADMIN

Proposed change is to adopt the Trac 0.11 workflow, along with:

  • set_resolution and set_owner actions for TICKET_ADMINs.
  • adding a TICKET_ACCEPT permission, requiring it for accepting a ticket and granting it to authenticated.
  • Removing the accepted -> accepted transition, which seems to be just noise in the workflow.

accept = new,assigned,reopened -> accepted
accept.operations = set_owner_to_self
accept.permissions = TICKET_ACCEPT
leave = * -> *
leave.default = 1
leave.operations = leave_status
reassign = new,assigned,accepted,reopened -> assigned
reassign.operations = set_owner
reassign.permissions = TICKET_MODIFY
reopen = closed -> reopened
reopen.operations = del_resolution
reopen.permissions = TICKET_CREATE
resolve = new,assigned,accepted,reopened -> closed
resolve.operations = set_resolution
resolve.permissions = TICKET_MODIFY
set_resolution = closed -> closed
set_resolution.name = set resolution
set_resolution.operations = set_resolution
set_resolution.permissions = TICKET_ADMIN
set_owner = closed -> closed
set_owner.name = set owner
set_owner.operations = set_owner
set_owner.permissions = TICKET_ADMIN

Last edited 7 months ago by rjollos
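
A way to check a workflow like the ones in comment:1 and comment:3 before deploying it, as an added example that is not part of the ticket or of Trac: it flags owner-setting actions that anonymous can reach and action keys that are not recognised. The sample config, the `audit` function and the finding labels are constructed here, and the permission model is a simplified assumption (an action listing no `permissions` is treated as open to everyone, and unrecognised keys are ignored).

```python
import configparser

# Constructed sample: three actions in the style of the "current workflow",
# with a deliberately misspelled "permission" key on the last one.
SAMPLE = """
[ticket-workflow]
accept = new -> assigned
accept.operations = set_owner_to_self
accept.permissions = TICKET_MODIFY
reassign = new,assigned,reopened -> new
reassign.operations = set_owner
reassign.permissions = TICKET_MODIFY
set_resolution = closed -> closed
set_resolution.operations = set_resolution
set_resolution.permission = TICKET_ADMIN
"""

# Attribute names taken from the workflow listings on this page.
KNOWN_ATTRS = {"operations", "permissions", "name", "default"}

def parse_workflow(text):
    """Return {action: {attr: [values]}} plus a list of unrecognised keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    actions, unknown = {}, []
    for key, value in cp["ticket-workflow"].items():
        name, _, attr = key.partition(".")
        action = actions.setdefault(name, {"operations": [], "permissions": []})
        if not attr:
            action["transition"] = value
        elif attr in KNOWN_ATTRS:
            action[attr] = [v.strip() for v in value.split(",")]
        else:
            unknown.append(key)
    return actions, unknown

def audit(text, anonymous_perms):
    """Flag misspelled keys and owner-setting actions open to anonymous."""
    actions, unknown = parse_workflow(text)
    findings = [("unknown-key", k) for k in unknown]
    for name, a in sorted(actions.items()):
        required = a["permissions"]
        # Assumed model: an action with no permissions listed is unrestricted.
        allowed = not required or any(p in anonymous_perms for p in required)
        if allowed and "set_owner_to_self" in a["operations"]:
            findings.append(("anonymous-owner", name))
        elif allowed and not required:
            findings.append(("unrestricted", name))
    return findings
```

Calling `audit(SAMPLE, {"TICKET_MODIFY"})` models anonymous holding TICKET_MODIFY; switching `accept.permissions` to TICKET_ACCEPT and correcting the key spelling clears all findings.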

comment:4 Changed 7 months ago by rjollos

  • Status changed from new to accepted

comment:5 Changed 7 months ago by rjollos

  • Resolution set to fixed
  • Status changed from accepted to closed

Please let me know if you spot any issues with the new workflow.

comment:6 in reply to: ↑ 5 Changed 7 months ago by olemis

Replying to rjollos:

Please let me know if you spot any issues with the new workflow.

afaict this should work ok, thnx for taking the time to dive into this

comment:7 in reply to: ↑ 5 Changed 7 months ago by olemis

Replying to rjollos:

Please let me know if you spot any issues with the new workflow.

afaict this should work ok, thnx for taking the time to dive into this
