Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#11826 closed enhancement (fixed)

Add support for specific permission to manage custom fields

Reported by: ahamelin Owned by: rjollos
Priority: normal Component: CustomFieldAdminPlugin
Severity: normal Keywords:
Cc: Trac Release:


I would find it useful to be able to use a distinct permission to manage custom ticket fields, like some other popular plugins do.

The issue I see right now is that managing custom fields require the full TICKET_ADMIN permission. This approach has a couple of downsides, such as permitting a user to change the owner of a ticket, etc. which is not necessarily bound to managing ticket fields, and gives more power to certain group of users than it is minimally necessary.

A minimal implementation could only include CUSTOM_FIELDS_ADMIN which would grant access to the Admin > Custom Fields admin panel. I would expect TICKET_ADMIN to still give access to the custom fields admin panel.

Attachments (0)

Change History (3)

comment:1 Changed 2 years ago by rjollos

This is generally handled in Trac using TracFineGrainedPermissions. This is a very powerful feature that also help prevent the bloat of very specific permissions which may only apply to a narrow subset of users. Many TracFineGrainedPermissions policy issues in the admin realm have been fixed in Trac 1.0.2dev: trac:#11069.

I tested a permissions policy with Trac 1.0.1 and the latest CustomFieldAdminPlugin. The following patch is needed (which is very similar to the changes in trac:#11069):

  • customfieldadminplugin/0.11/customfieldadmin/

    diff --git a/customfieldadminplugin/0.11/customfieldadmin/ b/customfield
    index 94e89d1..2fdc79c 100644
    a b class CustomFieldAdminPage(Component): 
    3030    # IAdminPanelProvider methods
    3232    def get_admin_panels(self, req):
    33         if 'TICKET_ADMIN' in req.perm:
     33        if 'TICKET_ADMIN' in req.perm('admin', 'ticket/customfields'):
    3434            yield ('ticket', _("Ticket System"),
    3535                   'customfields', _("Custom Fields"))
    3737    def render_admin_panel(self, req, cat, page, customfield):
    38         req.perm.require('TICKET_ADMIN')
     38        req.perm('admin', 'ticket/customfields').require('TICKET_ADMIN')
    4040        add_script(req, 'customfieldadmin/js/customfieldadmin.js')

osimons, would you kindly review?

After the patch is applied, the following policy would allow all users to access the Custom Fields page. This is probably not what you want, and is just meant as an example to get you started. See the TracFineGrainedPermissions for more details.


comment:2 Changed 2 years ago by rjollos

  • Resolution set to fixed
  • Status changed from new to closed

In 14259:

0.2.9: Support fine-grained permission checks on the Custom Field admin pages. Fixes #11826.

comment:3 Changed 2 years ago by rjollos

  • Owner changed from osimons to rjollos

Add Comment

Modify Ticket

as closed The owner will remain rjollos.
The resolution will be deleted. Next status will be 'reopened'.

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.