Opened 6 years ago

Closed 6 years ago

Last modified 4 years ago

#7700 closed enhancement (fixed)

[Patch] Allow user management without having TRAC_ADMIN permission

Reported by: sto Owned by: hasienda
Priority: high Component: AccountManagerPlugin
Severity: major Keywords: permission separation
Cc: pacopablo Trac Release: 0.12


I want to let the project managers manage users, but I don't want them to have TRAC_ADMIN permission.

To be able to do that I've patched your plugin to add a USERS_ADMIN permission that lets them manage users and notifications but nothing else (i.e. they can't change the module configuration, nor change file paths, authentication methods, etc.).

I'm attaching a patch that applies cleanly to a checkout of the revision 8942 of:

I haven't tested it much, but it seems to do what I want.

Attachments (2)

accountmanagerplugin-trunk-r8942-add_users_admin_perm.patch (2.1 KB) - added by sto 6 years ago.
patch against current trunk
accountmanagerplugin-trunk-r8942-add_config_and_users_admin_perm.patch (2.4 KB) - added by sto 6 years ago.
Patch redone using ticket #1902 permission names


Change History (8)

Changed 6 years ago by sto

patch against current trunk

comment:1 Changed 6 years ago by sto

I've been looking at open tickets against AccountManagerPlugin and updated the patch to implement the permissions of ticket #1902 (ACCOUNTMANAGER_CONFIG and ACCOUNTMANAGER_USERS).

Using the new patch you could close the following tickets: #1902, #2196, #3726, #5830 and #7700 (obviously).

Changed 6 years ago by sto

Patch redone using ticket #1902 permission names

comment:2 Changed 6 years ago by hasienda

  • Cc pacopablo added; anonymous removed
  • Keywords permission separation added
  • Priority changed from normal to high
  • Severity changed from normal to major
  • Summary changed from [Patch] Allow user management without having the TRAC_ADMIN permission to [Patch] Allow user management without having TRAC_ADMIN permission

Nice, but without allowing the current maintainer to get notified of it, you'll not see much progress.

Let's raise priority, since this is able to close some more tickets as advised in previous comment.

comment:3 Changed 6 years ago by hasienda

  • Owner changed from mgood to hasienda

Got maintainership, so I'll try to take care of it now on my own.

I like the idea in general, but would like to introduce a slightly different view on permissions. I think it is reasonable to assume that responsibility for notification settings could be bundled with basic settings in one application and with user administration in another one. To allow for this we'll need not 2 but 3 different permissions. OTOH denying user administration, if someone got power to fiddle with the authentication backend, is odd; it would be kind of a notification admin on its own. We should have a permission cascade with inheritance intuitively guessable like this:

  • ACCTMGR_USER_ADMIN just to manage user accounts alone (users)
  • ACCTMGR_CHG_NOTIFY has notification settings (notification) in addition to user management
  • ACCTMGR_ADMIN inherits all including basic settings (config)
  • TRAC_ADMIN of course inherits everything as usual

comment:4 Changed 6 years ago by hasienda

  • Resolution set to fixed
  • Status changed from new to closed

(In [9280]) AccountManagerPlugin: Allow acctmgr administration for non-TRAC_ADMINs, closes #3726 and #7700.

With dedicated AccountManagerPlugin permissions now you could not only delegate AccountManager administration to users without granting them TRAC_ADMIN, but even differentiate access policy within these settings (closes #1902 as well):

  • ACCTMGR_CONFIG_ADMIN - for /config and /notification
  • ACCTMGR_USER_ADMIN - for /users
  • ACCTMGR_ADMIN - inheriting all without requiring TRAC_ADMIN

comment:5 Changed 4 years ago by hasienda

(In [11927]) AccountManagerPlugin: Consolidate plugin permissions, refs #7700.

Central definition in the AccountManager module is not only more straightforward; now actions are guaranteed to exist even with admin panels disabled.

As a side-effect this fixes irritating ACCTMGR_USER_ADMIN duplicate entries in the permission select box as seen i.e. in Trac 0.11.

Added a unit test to ensure this works as expected, and added a more intuitive inheritance of EMAIL_VIEW by ACCTMGR_USER_ADMIN too, which was missing because of wrong syntax in AccountManagerAdminPanels.get_permission_actions before.
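The permission cascade from comment:4 and comment:5, as an added example that is not the plugin's own code: it models Trac's convention that IPermissionRequestor.get_permission_actions() returns either bare action names or (name, [inherited names]) pairs, expands the inheritance transitively, and rejects malformed declarations (the kind that silently drop an inheritance such as EMAIL_VIEW). The declaration list, the validator and the helper names are assumptions for illustration; nothing here imports Trac.

```python
from typing import Dict, List, Set, Tuple, Union

# Each entry is either an action name or (name, [actions it inherits]),
# the shape Trac expects from get_permission_actions().
Action = Union[str, Tuple[str, List[str]]]

# Hypothetical declaration of the cascade described in the ticket
# (not the plugin's actual source).
ACCTMGR_ACTIONS: List[Action] = [
    ('ACCTMGR_USER_ADMIN', ['EMAIL_VIEW']),   # /users, plus seeing e-mail addresses
    'ACCTMGR_CONFIG_ADMIN',                   # /config and /notification
    ('ACCTMGR_ADMIN', ['ACCTMGR_CONFIG_ADMIN', 'ACCTMGR_USER_ADMIN']),
]


def build_inheritance(actions: List[Action]) -> Dict[str, Set[str]]:
    """Validate declarations and return {action: directly inherited actions}.

    A (name, 'EMAIL_VIEW') pair, i.e. a string where a list was meant, would
    otherwise be iterated character by character, so insist on a real list."""
    table: Dict[str, Set[str]] = {}
    for entry in actions:
        if isinstance(entry, str):
            name, inherited = entry, []
        elif (isinstance(entry, tuple) and len(entry) == 2
              and isinstance(entry[0], str) and isinstance(entry[1], (list, tuple))
              and all(isinstance(a, str) for a in entry[1])):
            name, inherited = entry
        else:
            raise ValueError(f"malformed permission declaration: {entry!r}")
        if name in table:  # duplicate declarations show up twice in the admin UI
            raise ValueError(f"duplicate permission declaration: {name}")
        table[name] = set(inherited)
    return table


def expand(granted: Set[str], table: Dict[str, Set[str]]) -> Set[str]:
    """Transitive closure of the granted actions; TRAC_ADMIN implies all."""
    if 'TRAC_ADMIN' in granted:
        known = set(table) | {a for inh in table.values() for a in inh}
        return known | {'TRAC_ADMIN'}
    result: Set[str] = set()
    todo = list(granted)
    while todo:
        action = todo.pop()
        if action not in result:
            result.add(action)
            todo.extend(table.get(action, ()))
    return result


def can(user_actions: Set[str], required: str) -> bool:
    """True if the user's granted actions, after inheritance, cover `required`."""
    return required in expand(user_actions, build_inheritance(ACCTMGR_ACTIONS))
```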

comment:6 Changed 4 years ago by hasienda

(In [12134]) AccountManagerPlugin: Add acct_mgr/tests/ that I forgot in [11927], refs #7700.
