#6501 closed defect (wontfix)
non ticket owner can still have ticket action
Reported by: | anonymous | Owned by: | Norman Rasmussen |
---|---|---|---|
Priority: | highest | Component: | VirtualTicketPermissionsPlugin |
Severity: | critical | Keywords: | none ticket owner has ticket actions |
Cc: | Trac Release: | 0.11 |
Description
Good to find this plugin. But not ticket owner still permit for ticket actions. My trac.ini: [virtualticketpermissions] group_blacklist = anonymous, authenticated
[components] virtualticketpermissions.* = enabled
[trac] permission_policies = DefaultPermissionPolicy, LegacyAttachmentPolicy, VirtualTicketPermissionsPolicy
[ticket-workflow] accept = new,reopened -> working accept.operations = set_owner_to_self accept.permissions = TICKET_IS_OWNER assign = new -> new assign.operations = set_owner assign.permissions = TICKET_IS_OWNER
User: op, tester has TICKET_IS_OWNER_GROUP permission. op and tester are belong to different groups. Ticket 1 is created and owned by op. But tester can still accept, assign ticket 1. As my mean tester should not permit to own ticket 1 any actions because it is not ticket 1 owner. What's wrong now?
Attachments (0)
Change History (6)
comment:1 Changed 15 years ago by
comment:2 Changed 15 years ago by
did you reload apache to load the new config? did you make sure to remove TICKET_ADMIN and other privileges from tester?
comment:3 Changed 15 years ago by
Apache is already loaded again. tester is belong to testers group which has ticket_modify and ticket_view privileges. But I was confused why I should remove these privileges from testers group.
comment:4 Changed 15 years ago by
I hope that only ticket owner has actions. Although others has ticket privileges they can do nothing if not owner.
comment:5 Changed 15 years ago by
Cc: | anonymous added; zhijiex@… removed |
---|---|
Resolution: | → wontfix |
Status: | new → closed |
Do not need to add TICKET_IS_OWNER permission to users. After removing TICKET_IS_OWNER_GROUP permission from users all works fine.
comment:6 Changed 15 years ago by
Ahh right, yes the user *must* not be granted these permissions via the standard permissions database, because the plugin adds them dynamically as required. Glad you figured it out.
Trac system info: Trac: 0.11.6 Python: 2.4.3 (#1, Jan 21 2009, 01:10:13) [GCC 4.1.2 20071124 (Red Hat 4.1.2-42)] SQLite: 3.3.6 Genshi: 0.5.1 mod_python: 3.2.8
virtualticketpermissions.* enabled virtualticketpermissions.policy.* enabled virtualticketpermissions.policy.virtualticketpermissionspolicy enabled