Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#6501 closed defect (wontfix)

non ticket owner can still have ticket action

Reported by: anonymous
Owned by: Norman Rasmussen
Priority: highest
Component: VirtualTicketPermissionsPlugin
Severity: critical
Keywords: none ticket owner has ticket actions
Cc:
Trac Release: 0.11


Good to find this plugin. But a non-owner of a ticket is still permitted to perform ticket actions. My trac.ini:

[virtualticketpermissions]
group_blacklist = anonymous, authenticated

[components]
virtualticketpermissions.* = enabled

[trac]
permission_policies = DefaultPermissionPolicy, LegacyAttachmentPolicy, VirtualTicketPermissionsPolicy

[ticket-workflow]
accept = new,reopened -> working
accept.operations = set_owner_to_self
accept.permissions = TICKET_IS_OWNER
assign = new -> new
assign.operations = set_owner
assign.permissions = TICKET_IS_OWNER

User: op, tester has TICKET_IS_OWNER_GROUP permission. op and tester belong to different groups. Ticket 1 is created and owned by op. But tester can still accept and assign ticket 1. As I understand it, tester should not be permitted any actions on ticket 1 because it is not the owner of ticket 1. What's wrong now?

Attachments (0)

Change History (6)

comment:1 Changed 12 years ago by anonymous

Trac system info:

Trac: 0.11.6
Python: 2.4.3 (#1, Jan 21 2009, 01:10:13) [GCC 4.1.2 20071124 (Red Hat 4.1.2-42)]
SQLite: 3.3.6
Genshi: 0.5.1
mod_python: 3.2.8

virtualticketpermissions.* enabled
virtualticketpermissions.policy.* enabled
virtualticketpermissions.policy.virtualticketpermissionspolicy enabled

comment:2 Changed 12 years ago by Norman Rasmussen

Did you reload Apache to load the new config? Did you make sure to remove TICKET_ADMIN and other privileges from tester?

comment:3 Changed 12 years ago by anonymous

Apache has already been reloaded. tester belongs to the testers group, which has ticket_modify and ticket_view privileges. But I was confused why I should remove these privileges from the testers group.

comment:4 Changed 12 years ago by anonymous

I hope that only the ticket owner has actions. Although others have ticket privileges, they can do nothing if they are not the owner.

comment:5 Changed 12 years ago by anonymous

Cc: anonymous added; zhijiex@… removed
Resolution: wontfix
Status: new → closed

There is no need to add the TICKET_IS_OWNER permission to users. After removing the TICKET_IS_OWNER_GROUP permission from users, all works fine.

comment:6 Changed 12 years ago by Norman Rasmussen

Ahh right, yes the user *must* not be granted these permissions via the standard permissions database, because the plugin adds them dynamically as required. Glad you figured it out.
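Added example, not part of the ticket thread and not Trac or plugin code: a simplified Python model of an ordered permission-policy chain, showing why a virtual permission stored in the standard permissions database defeats the ownership check, plus a small audit helper. It assumes the first policy to return a decision wins and uses a static grant of TICKET_IS_OWNER; the function names and sample grants are hypothetical, and how the plugin evaluates TICKET_IS_OWNER_GROUP is not modeled.

```python
# Simplified model of a first-match-wins policy chain (assumption; not Trac code).
VIRTUAL = {"TICKET_IS_OWNER", "TICKET_IS_OWNER_GROUP"}  # names taken from the ticket

def static_policy(grants):
    """Model of a database-backed policy: True if granted, else None (no opinion)."""
    def check(action, user, ticket):
        return True if action in grants.get(user, set()) else None
    return check

def owner_policy(action, user, ticket):
    """Model of a dynamic policy: decides TICKET_IS_OWNER from the ticket itself."""
    if action == "TICKET_IS_OWNER":
        return ticket["owner"] == user
    return None

def allowed(chain, action, user, ticket):
    """Ask each policy in order; the first non-None answer is final."""
    for policy in chain:
        decision = policy(action, user, ticket)
        if decision is not None:
            return decision
    return False  # nobody had an opinion: deny

def static_virtual_grants(grants):
    """Audit helper: (user, action) pairs where a virtual permission is stored statically."""
    return sorted((u, a) for u, acts in grants.items() for a in acts & VIRTUAL)

# Constructed sample data mirroring the ticket: ticket 1 is owned by op.
TICKET_1 = {"id": 1, "owner": "op"}
BAD_GRANTS = {"tester": {"TICKET_VIEW", "TICKET_MODIFY", "TICKET_IS_OWNER"}}
GOOD_GRANTS = {"tester": {"TICKET_VIEW", "TICKET_MODIFY"}}

def can_accept(grants, user):
    """The workflow on the page gates 'accept' on TICKET_IS_OWNER."""
    chain = [static_policy(grants), owner_policy]
    return allowed(chain, "TICKET_IS_OWNER", user, TICKET_1)

if __name__ == "__main__":
    for label, grants in (("static grant", BAD_GRANTS), ("no static grant", GOOD_GRANTS)):
        print(label, "| tester may accept:", can_accept(grants, "tester"),
              "| op may accept:", can_accept(grants, "op"),
              "| flagged:", static_virtual_grants(grants))
```
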
