Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#6501 closed defect (wontfix)

non ticket owner can still have ticket action

Reported by: anonymous Owned by: normanr
Priority: highest Component: VirtualTicketPermissionsPlugin
Severity: critical Keywords: none ticket owner has ticket actions
Cc: Trac Release: 0.11


Good to find this plugin. But not ticket owner still permit for ticket actions.
My trac.ini:
group_blacklist = anonymous, authenticated

virtualticketpermissions.* = enabled

permission_policies = DefaultPermissionPolicy, LegacyAttachmentPolicy, VirtualTicketPermissionsPolicy

accept = new,reopened -> working
accept.operations = set_owner_to_self
accept.permissions = TICKET_IS_OWNER
assign = new -> new
assign.operations = set_owner
assign.permissions = TICKET_IS_OWNER

User: op, tester has TICKET_IS_OWNER_GROUP permission. op and tester are belong to different groups. Ticket 1 is created and owned by op. But tester can still accept, assign ticket 1.
As my mean tester should not permit to own ticket 1 any actions because it is not ticket 1 owner. What's wrong now?

Attachments (0)

Change History (6)

comment:1 Changed 5 years ago by anonymous

Trac system info:
Trac: 0.11.6
Python: 2.4.3 (#1, Jan 21 2009, 01:10:13) [GCC 4.1.2 20071124 (Red Hat 4.1.2-42)]
SQLite: 3.3.6
Genshi: 0.5.1
mod_python: 3.2.8

virtualticketpermissions.* enabled
virtualticketpermissions.policy.* enabled
virtualticketpermissions.policy.virtualticketpermissionspolicy enabled

comment:2 Changed 5 years ago by normanr

did you reload apache to load the new config? did you make sure to remove TICKET_ADMIN and other privileges from tester?

comment:3 Changed 5 years ago by anonymous

Apache is already loaded again. tester is belong to testers group which has ticket_modify and ticket_view privileges. But I was confused why I should remove these privileges from testers group.

comment:4 Changed 5 years ago by anonymous

I hope that only ticket owner has actions. Although others has ticket privileges they can do nothing if not owner.

comment:5 Changed 5 years ago by anonymous

  • Cc zhijiex@… removed
  • Resolution set to wontfix
  • Status changed from new to closed

Do not need to add TICKET_IS_OWNER permission to users. After removing TICKET_IS_OWNER_GROUP permission from users all works fine.

comment:6 Changed 5 years ago by normanr

Ahh right, yes the user *must* not be granted these permissions via the standard permissions database, because the plugin adds them dynamically as required. Glad you figured it out.

Add Comment

Modify Ticket

as closed .
The resolution will be deleted. Next status will be 'reopened'.

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.