Changes between Version 1 and Version 2 of TracPermissions

Timestamp:

12/24/20 01:28:03 (4 years ago)

Author:

trac

Comment:

--

TracPermissions

@@ -13 +13 @@
 == Graphical Admin Tab
 
-To access this tab, a user must have one of the following permissions: `TRAC_ADMIN`, `PERMISSION_ADMIN`, `PERMISSION_GRANT`, `PERMISSION_REVOKE`. The permissions can be granted using the `trac-admin` command (more on `trac-admin` below):
+To access this tab, a user must have one of the following permissions: `TRAC_ADMIN`, `PERMISSION_ADMIN`, `PERMISSION_GRANT`, `PERMISSION_REVOKE`. The permissions can be granted using the `trac-admin` command with a more detailed description [#GrantingPrivileges below]:
 {{{#!sh
 $ trac-admin /path/to/projenv permission add bob TRAC_ADMIN
@@ -30 +30 @@
 == Available Privileges
 
-To enable all privileges for a user, use the `TRAC_ADMIN` permission. Having `TRAC_ADMIN` is like being `root` on a *NIX system: it will allow you to perform any operation.
-
-Otherwise, individual privileges can be assigned to users for the various different functional areas of Trac ('''note that the privilege names are case-sensitive'''):
+To enable all privileges for a user, use the `TRAC_ADMIN` permission. This permission is like being `root` on a *NIX system: it will allow you to perform any operation.
+
+Otherwise, individual privileges can be assigned to users for the different functional areas of Trac and '''note that the privilege names are uppercase''':
 
 === Repository Browser
@@ -45 +45 @@
 || `TICKET_VIEW` || View existing [TracTickets tickets] and perform [TracQuery ticket queries] ||
 || `TICKET_CREATE` || Create new [TracTickets tickets] ||
-|| `TICKET_APPEND` || Add comments or attachments to [TracTickets tickets] ||
-|| `TICKET_CHGPROP` || Modify [TracTickets ticket] properties (priority, assignment, keywords, etc.) with the following exceptions: edit description field, add/remove other users from cc field when logged in ||
+|| `TICKET_APPEND` || Add comments and attachments to [TracTickets tickets], and edit description of ticket the user created ||
+|| `TICKET_CHGPROP` || Modify [TracTickets ticket] properties (priority, assignment, keywords, etc.) with the following exceptions: edit description of tickets created by others, add/remove other users from cc field when logged in ||
 || `TICKET_MODIFY` || Includes both `TICKET_APPEND` and `TICKET_CHGPROP`, and in addition allows resolving [TracTickets tickets] in the [TracWorkflow default workflow]. Tickets can be assigned to users through a [TracTickets#Assign-toasDrop-DownList drop-down list] when the list of possible owners has been restricted. ||
 || `TICKET_EDIT_CC` || Full modify cc field ||
-|| `TICKET_EDIT_DESCRIPTION` || Modify description field ||
+|| `TICKET_EDIT_DESCRIPTION` || Modify description field. User with `TICKET_APPEND` or `TICKET_CHGPROP` can modify description of ticket they created. ||
 || `TICKET_EDIT_COMMENT` || Modify another user's comments. Any user can modify their own comments by default. ||
 || `TICKET_BATCH_MODIFY` || [TracBatchModify Batch modify] tickets ||
-|| `TICKET_ADMIN` || All `TICKET_*` permissions, deletion of ticket attachments and modification of the reporter field, which grants ability to create a ticket on behalf of another user (it will appear that another user created the ticket). It also allows managing ticket properties through the web administration module. ||
+|| `TICKET_ADMIN` || All `TICKET_*` permissions, deletion of ticket attachments and modification of the reporter field, which grants ability to create a ticket on behalf of another user and it will appear that another user created the ticket. It also allows managing ticket properties through the web administration module. ||
 
 === Roadmap
@@ -95 +95 @@
 || `EMAIL_VIEW` || Shows email addresses even if [TracIni#trac-section trac show_email_addresses] configuration option is false ||
 
+== Attachment Permissions
+
+Attachment permissions are handled by `LegacyAttachmentPolicy`, and unlike the permissions discussed so far, the permissions provided by `LegacyAttachmentPolicy` are not directly granted. Rather, the ability to create, view and delete attachments is determined by the attachment's parent realm and permissions the user possesses for that realm.
+
+The attachment actions are determined by the following
+permissions in the ticket, wiki and milestone realms:
+{{{#!table class="listing"
+||= Granted By: =||= Ticket =||= Wiki =||= Milestone =||
+|| `ATTACHMENT_CREATE` || `TICKET_APPEND` || `WIKI_MODIFY` || `MILESTONE_MODIFY` ||
+|| `ATTACHMENT_VIEW` || `TICKET_VIEW` || `WIKI_VIEW` || `MILESTONE_VIEW` ||
+|| `ATTACHMENT_DELETE` || `TICKET_ADMIN` || `WIKI_DELETE` || `MILESTONE_DELETE` ||
+}}}
+
+An authenticated user can delete an attachment //they added// without possessing the permission
+that grants `ATTACHMENT_DELETE`.
+
+If explicit attachment permissions are preferred, `ATTACHMENT_CREATE`, `ATTACHMENT_DELETE` and `ATTACHMENT_VIEW` can be created using the [trac:ExtraPermissionsProvider]. The simplest implementation is to simply define the actions.
+{{{#!ini
+[extra-permissions]
+_perms = ATTACHMENT_CREATE, ATTACHMENT_DELETE, ATTACHMENT_VIEW
+}}}
+
+An alternative configuration adds an `ATTACHMENT_ADMIN` meta-permission that grants the other 3 permission.
+{{{#!ini
+[extra-permissions]
+ATTACHMENT_ADMIN = ATTACHMENT_CREATE, ATTACHMENT_DELETE, ATTACHMENT_VIEW
+}}}
+
+The explicit permissions can be used in concert with `LegacyAttachmentPolicy`, or `LegacyAttachmentPolicy` can be removed from `permission_policies`, in which case only users that have been explicitly granted the corresponding attachment actions will be able to create, delete and view attachments.
+
 == Granting Privileges
 
@@ -123 +153 @@
 Any user who has logged in is also in the //authenticated// group.
 The //authenticated// group inherits permissions from the //anonymous// group.
-For example, if the //anonymous// group has permission WIKI_MODIFY, 
-it is not necessary to add the WIKI_MODIFY permission to the //authenticated// group as well.
+For example, if the //anonymous// group has permission WIKI_MODIFY, it is not necessary to add the WIKI_MODIFY permission to the //authenticated// group as well.
 
 Custom groups may be defined that inherit permissions from the two built-in groups.
@@ -142 +171 @@
 Permission groups can be created by assigning a user to a group you wish to create, then assign permissions to that group.
 
-The following will add ''bob'' to the new group called ''beta_testers'' and then will assign WIKI_ADMIN permissions to that group. (Thus, ''bob'' will inherit the WIKI_ADMIN permission)
+The following will add ''bob'' to the new group called ''beta_testers'' and then will assign `WIKI_ADMIN` permissions to that group. Thus, ''bob'' will inherit the `WIKI_ADMIN` permission.
 {{{#!sh
 $ trac-admin /path/to/projenv permission add bob beta_testers
@@ -150 +179 @@
 == Removing Permissions
 
-Permissions can be removed using the 'remove' command. For example:
+Permissions can be removed using the 'remove' command.
 
 This command will prevent the user ''bob'' from deleting reports:
@@ -180 +209 @@
 //**anonymous**//
 {{{
-BROWSER_VIEW 
-CHANGESET_VIEW 
-FILE_VIEW 
-LOG_VIEW 
-MILESTONE_VIEW 
-REPORT_SQL_VIEW 
-REPORT_VIEW 
-ROADMAP_VIEW 
-SEARCH_VIEW 
-TICKET_VIEW 
+BROWSER_VIEW
+CHANGESET_VIEW
+FILE_VIEW
+LOG_VIEW
+MILESTONE_VIEW
+REPORT_SQL_VIEW
+REPORT_VIEW
+ROADMAP_VIEW
+SEARCH_VIEW
+TICKET_VIEW
 TIMELINE_VIEW
 WIKI_VIEW
@@ -196 +225 @@
 //**authenticated**//
 {{{
-TICKET_CREATE 
-TICKET_MODIFY 
-WIKI_CREATE 
-WIKI_MODIFY  
+TICKET_CREATE
+TICKET_MODIFY
+WIKI_CREATE
+WIKI_MODIFY
 }}}
 ----