Modify

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#6501 closed defect (wontfix)

non ticket owner can still have ticket action

Reported by: anonymous Owned by: normanr
Priority: highest Component: VirtualTicketPermissionsPlugin
Severity: critical Keywords: none ticket owner has ticket actions
Cc: Trac Release: 0.11

Description

Good to find this plugin. But not ticket owner still permit for ticket actions.
My trac.ini:
[virtualticketpermissions]
group_blacklist = anonymous, authenticated

[components]
virtualticketpermissions.* = enabled

[trac]
permission_policies = DefaultPermissionPolicy, LegacyAttachmentPolicy, VirtualTicketPermissionsPolicy

[ticket-workflow]
accept = new,reopened -> working
accept.operations = set_owner_to_self
accept.permissions = TICKET_IS_OWNER
assign = new -> new
assign.operations = set_owner
assign.permissions = TICKET_IS_OWNER

User: op, tester has TICKET_IS_OWNER_GROUP permission. op and tester are belong to different groups. Ticket 1 is created and owned by op. But tester can still accept, assign ticket 1.
As my mean tester should not permit to own ticket 1 any actions because it is not ticket 1 owner. What's wrong now?


Attachments (0)

Change History (6)

comment:1 Changed 4 years ago by anonymous

Trac system info:
Trac: 0.11.6
Python: 2.4.3 (#1, Jan 21 2009, 01:10:13) [GCC 4.1.2 20071124 (Red Hat 4.1.2-42)]
SQLite: 3.3.6
Genshi: 0.5.1
mod_python: 3.2.8

virtualticketpermissions.* enabled
virtualticketpermissions.policy.* enabled
virtualticketpermissions.policy.virtualticketpermissionspolicy enabled

comment:2 Changed 4 years ago by normanr

did you reload apache to load the new config? did you make sure to remove TICKET_ADMIN and other privileges from tester?

comment:3 Changed 4 years ago by anonymous

Apache is already loaded again. tester is belong to testers group which has ticket_modify and ticket_view privileges. But I was confused why I should remove these privileges from testers group.

comment:4 Changed 4 years ago by anonymous

I hope that only ticket owner has actions. Although others has ticket privileges they can do nothing if not owner.

comment:5 Changed 4 years ago by anonymous

  • Cc zhijiex@… removed
  • Resolution set to wontfix
  • Status changed from new to closed

Do not need to add TICKET_IS_OWNER permission to users. After removing TICKET_IS_OWNER_GROUP permission from users all works fine.

comment:6 Changed 4 years ago by normanr

Ahh right, yes the user *must* not be granted these permissions via the standard permissions database, because the plugin adds them dynamically as required. Glad you figured it out.

Add Comment

Modify Ticket

Action
as closed .
as The resolution will be set. Next status will be 'closed'.
to The owner will be changed from normanr. Next status will be 'closed'.
The resolution will be deleted. Next status will be 'reopened'.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.