Opened 3 years ago

Closed 3 years ago

Last modified 4 months ago

#11457 closed defect (fixed)

Prevent tickets from being accepted by anonymous

Reported by: Ryan J Ollos
Owned by: Ryan J Ollos
Priority: normal
Component: TracHacks
Severity: normal
Keywords: workflow
Cc: osmions, Olemis Lang, Steffen Hoffmann, Jun Omae, Michael Renzmann
Trac Release:

Description

A frequent issue is that users will accept a ticket without being logged in, and the ticket will then be assigned to anonymous. This was recently noted in comment:4:ticket:9984. I'll try modifying the workflow to avoid this.

Change History (9)

comment:1 Changed 3 years ago by Ryan J Ollos

Two options that I can see:

  • Revoke TICKET_MODIFY from anonymous, grant TICKET_CHGPROP and TICKET_APPEND to anonymous and grant TICKET_MODIFY to authenticated. This would also prevent anonymous users from resolving tickets: TracPermissions#TicketSystem.
  • Add a TICKET_ACCEPT permission, grant it to authenticated and modify the workflow (TracPermissions#CreatingNewPrivileges):
    accept = new -> assigned
    accept.operations = set_owner_to_self
    -accept.permissions = TICKET_MODIFY
    +accept.permissions = TICKET_ACCEPT
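
Review bot: changing only accept.permissions to TICKET_ACCEPT leaves every other action that still requires TICKET_MODIFY open to anonymous for as long as anonymous keeps that permission, so this option closes off accept alone. If resolve and reassign should also require a login, they need their own permission lines changed in the same way, or the first option (revoking TICKET_MODIFY from anonymous) covers them all at once.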
    

Any opinions or suggestions?

Last edited 3 years ago by Ryan J Ollos

comment:2 Changed 3 years ago by Ryan J Ollos

In reply to comment:5:ticket:9984, in order to change the behavior in Trac and have the workflow set_owner_to_self use the value from the author field of the form, we'd need a patch to Trac such as the one shown in trac:#11418.

That would actually complicate things even more on trac-hacks if the aim is to avoid having tickets assigned to anonymous through the accept action. There is no way I can see to tell the workflow to only allow the accept action if a value other than anonymous is found in the author form field. A plugin would likely be needed to enforce the behavior.

For now, I'll just add the TICKET_ACCEPT permission, and maybe work that patch in the Trac core later on if no one else wants to pursue this first.

comment:3 Changed 3 years ago by Ryan J Ollos

The current workflow is the Trac 0.10 workflow with the addition of a set_resolution action (comment:7:ticket:11133) for TICKET_ADMINs:

accept = new -> assigned
accept.operations = set_owner_to_self
accept.permissions = TICKET_MODIFY
leave = * -> *
leave.default = 1
leave.operations = leave_status
reassign = new,assigned,reopened -> new
reassign.operations = set_owner
reassign.permissions = TICKET_MODIFY
reopen = closed -> reopened
reopen.operations = del_resolution
reopen.permissions = TICKET_CREATE
resolve = new,assigned,reopened -> closed
resolve.operations = set_resolution
resolve.permissions = TICKET_MODIFY
set_resolution = closed -> closed
set_resolution.name = set resolution
set_resolution.operations = set_resolution
set_resolution.permissions = TICKET_ADMIN

Proposed change is to adopt the Trac 0.11 workflow, along with:

  • set_resolution and set_owner actions for TICKET_ADMINs.
  • adding a TICKET_ACCEPT permission, requiring it for accepting a ticket and granting it to authenticated.
  • Removing the accepted -> accepted transition, which seems to be just noise in the workflow.

accept = new,assigned,reopened -> accepted
accept.operations = set_owner_to_self
accept.permissions = TICKET_ACCEPT
leave = * -> *
leave.default = 1
leave.operations = leave_status
reassign = new,assigned,accepted,reopened -> assigned
reassign.operations = set_owner
reassign.permissions = TICKET_MODIFY
reopen = closed -> reopened
reopen.operations = del_resolution
reopen.permissions = TICKET_CREATE
resolve = new,assigned,accepted,reopened -> closed
resolve.operations = set_resolution
resolve.permissions = TICKET_MODIFY
set_resolution = closed -> closed
set_resolution.name = set resolution
set_resolution.operations = set_resolution
set_resolution.permissions = TICKET_ADMIN
set_owner = closed -> closed
set_owner.name = set owner
set_owner.operations = set_owner
set_owner.permissions = TICKET_ADMIN

Last edited 4 months ago by Ryan J Ollos

comment:4 Changed 3 years ago by Ryan J Ollos

Status: new → accepted

comment:5 Changed 3 years ago by Ryan J Ollos

Resolution: fixed
Status: accepted → closed

Please let me know if you spot any issues with the new workflow.

comment:6 in reply to:  5 Changed 3 years ago by Olemis Lang

Replying to rjollos:

Please let me know if you spot any issues with the new workflow.

afaict this should work ok, thnx for taking the time to dive into this

comment:7 in reply to:  3 Changed 4 months ago by Ryan J Ollos

Replying to Ryan J Ollos:

  • Removing the accepted -> accepted transition, which seems to be just noise in the workflow.

This has been restored. It's useful when you wish to accept a ticket that is in the accepted state but assigned to another user.

comment:8 in reply to:  2 Changed 4 months ago by Ryan J Ollos

Replying to Ryan J Ollos:

For now, I'll just add the TICKET_ACCEPT permission, and maybe work that patch in the Trac core later on if no one else wants to pursue this first.

Made some additional changes today:

  • Anonymous now has TICKET_CHGPROP in addition to TICKET_APPEND
  • Authenticated has TICKET_MODIFY, so TICKET_ACCEPT appears to be unnecessary and has been removed. tracopt.perm.config_perm_provider.extrapermissionsprovider has been disabled. The workflow has been changed:
    -accept.permissions = TICKET_ACCEPT
    +accept.permissions = TICKET_MODIFY
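
Review bot: with accept.permissions back on TICKET_MODIFY, the restriction rests entirely on anonymous not holding TICKET_MODIFY. The list above says anonymous has TICKET_CHGPROP and TICKET_APPEND, but it does not state that TICKET_MODIFY was revoked from anonymous; it would help to record that explicitly here, since a later grant of TICKET_MODIFY to anonymous would reopen the accept action without any change to the workflow.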
    

comment:9 Changed 4 months ago by Ryan J Ollos

Additional work on permissions in #1453.
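
An added example, not part of the ticket or the trac-hacks configuration: a small Python audit that reads a `[ticket-workflow]` section and reports which actions a given set of granted permissions can trigger, together with attribute keys it does not recognise. The sample workflow is constructed from the one in comment:3 with one key deliberately misspelled as `.permission`; the permission hierarchy and the `audit` function are assumptions made for illustration, and the current ticket status is ignored.

```python
import configparser

# Assumption: simplified permission hierarchy, limited to names used on this page.
IMPLIES = {
    "TICKET_MODIFY": {"TICKET_APPEND", "TICKET_CHGPROP"},
    "TICKET_ADMIN": {"TICKET_MODIFY", "TICKET_CREATE",
                     "TICKET_APPEND", "TICKET_CHGPROP"},
}
# Attribute keys that appear in the workflows on this page.
KNOWN_ATTRS = {"permissions", "operations", "name", "default"}

# Constructed sample, modelled on the comment:3 workflow. The last key is
# deliberately misspelled (singular) to show how the audit reports it.
SAMPLE_INI = """
[ticket-workflow]
accept = new,assigned,reopened -> accepted
accept.operations = set_owner_to_self
accept.permissions = TICKET_MODIFY
leave = * -> *
leave.default = 1
leave.operations = leave_status
reopen = closed -> reopened
reopen.operations = del_resolution
reopen.permissions = TICKET_CREATE
resolve = new,assigned,accepted,reopened -> closed
resolve.operations = set_resolution
resolve.permissions = TICKET_MODIFY
set_owner = closed -> closed
set_owner.operations = set_owner
set_owner.permission = TICKET_ADMIN
"""

def audit(ini_text, granted):
    """Return (actions usable with `granted`, unrecognised attribute keys)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    section = cp["ticket-workflow"]
    have = set(granted).union(*(IMPLIES.get(p, ()) for p in granted))
    allowed, unknown = [], []
    for key in section:
        if "." in key:  # attribute line such as accept.permissions
            if key.split(".", 1)[1] not in KNOWN_ATTRS:
                unknown.append(key)
            continue
        raw = section.get(key + ".permissions", "")
        required = {p.strip() for p in raw.split(",") if p.strip()}
        # An action with no permissions entry is not restricted at all.
        if not required or have & required:
            allowed.append(key)
    return sorted(allowed), sorted(unknown)
```

Calling `audit(SAMPLE_INI, {"TICKET_APPEND", "TICKET_CHGPROP"})` models the anonymous grants from comment:8: `accept` is absent from the result, while `set_owner` shows up as usable because its misspelled key leaves it without a permission requirement.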
