Changes between Version 8 and Version 9 of TracPermissions

Timestamp:

Sep 10, 2020, 8:03:21 PM (4 years ago)

Author:

trac

Comment:

--

TracPermissions

@@ -6 +6 @@
 Permissions are managed using the [TracAdmin trac-admin] tool or the ''General / Permissions'' panel in the ''Admin'' tab of the web interface.
 
-In addition to the default permission policy described in this page, it is possible to activate additional permission policies by enabling [TracPlugins plugins] and listing them in [TracIni#trac-permission_policies-option "[trac] permission_policies"]. See TracFineGrainedPermissions for more details.
+In addition to the default permission policy described in this page, it is possible to activate additional permission policies by enabling plugins and listing them in [TracIni#trac-permission_policies-option "[trac] permission_policies"]. See TracFineGrainedPermissions for more details.
 
 Non-authenticated users accessing the system are assigned the name //anonymous//. Assign permissions to the //anonymous// user to set privileges for anonymous/guest users. The parts of Trac that a user does not have privilege for will not be displayed in the navigation.
@@ -45 +45 @@
 || `TICKET_VIEW` || View existing [TracTickets tickets] and perform [TracQuery ticket queries] ||
 || `TICKET_CREATE` || Create new [TracTickets tickets] ||
-|| `TICKET_APPEND` || Add comments or attachments to [TracTickets tickets] ||
-|| `TICKET_CHGPROP` || Modify [TracTickets ticket] properties (priority, assignment, keywords, etc.) with the following exceptions: edit description field, add/remove other users from cc field when logged in ||
+|| `TICKET_APPEND` || Add comments and attachments to [TracTickets tickets], and edit description of ticket the user created ||
+|| `TICKET_CHGPROP` || Modify [TracTickets ticket] properties (priority, assignment, keywords, etc.) with the following exceptions: edit description of tickets created by others, add/remove other users from cc field when logged in ||
 || `TICKET_MODIFY` || Includes both `TICKET_APPEND` and `TICKET_CHGPROP`, and in addition allows resolving [TracTickets tickets] in the [TracWorkflow default workflow]. Tickets can be assigned to users through a [TracTickets#Assign-toasDrop-DownList drop-down list] when the list of possible owners has been restricted. ||
 || `TICKET_EDIT_CC` || Full modify cc field ||
-|| `TICKET_EDIT_DESCRIPTION` || Modify description field ||
+|| `TICKET_EDIT_DESCRIPTION` || Modify description field. User with `TICKET_APPEND` or `TICKET_CHGPROP` can modify description of ticket they created. ||
 || `TICKET_EDIT_COMMENT` || Modify another user's comments. Any user can modify their own comments by default. ||
 || `TICKET_BATCH_MODIFY` || [TracBatchModify Batch modify] tickets ||
@@ -95 +95 @@
 || `EMAIL_VIEW` || Shows email addresses even if [TracIni#trac-section trac show_email_addresses] configuration option is false ||
 
+== Attachment Permissions
+
+Attachment permissions are handled by `LegacyAttachmentPolicy`, and unlike the permissions discussed so far, the permissions provided by `LegacyAttachmentPolicy` are not directly granted. Rather, the ability to create, view and delete attachments is determined by the attachment's parent realm and permissions the user possesses for that realm.
+
+The attachment actions are determined by the following
+permissions in the ticket, wiki and milestone realms:
+{{{#!table class="listing"
+||= Granted By: =||= Ticket =||= Wiki =||= Milestone =||
+|| `ATTACHMENT_CREATE` || `TICKET_APPEND` || `WIKI_MODIFY` || `MILESTONE_MODIFY` ||
+|| `ATTACHMENT_VIEW` || `TICKET_VIEW` || `WIKI_VIEW` || `MILESTONE_VIEW` ||
+|| `ATTACHMENT_DELETE` || `TICKET_ADMIN` || `WIKI_DELETE` || `MILESTONE_DELETE` ||
+}}}
+
+An authenticated user can delete an attachment //they added// without possessing the permission
+that grants `ATTACHMENT_DELETE`.
+
+If explicit attachment permissions are preferred, `ATTACHMENT_CREATE`, `ATTACHMENT_DELETE` and `ATTACHMENT_VIEW` can be created using the [trac:ExtraPermissionsProvider]. The simplest implementation is to simply define the actions.
+{{{#!ini
+[extra-permissions]
+_perms = ATTACHMENT_CREATE, ATTACHMENT_DELETE, ATTACHMENT_VIEW
+}}}
+
+An alternative configuration adds an `ATTACHMENT_ADMIN` meta-permission that grants the other 3 permission.
+{{{#!ini
+[extra-permissions]
+ATTACHMENT_ADMIN = ATTACHMENT_CREATE, ATTACHMENT_DELETE, ATTACHMENT_VIEW
+}}}
+
+The explicit permissions can be used in concert with `LegacyAttachmentPolicy`, or `LegacyAttachmentPolicy` can be removed from `permission_policies`, in which case only users that have been explicitly granted the corresponding attachment actions will be able to create, delete and view attachments.
+
 == Granting Privileges
 
@@ -179 +209 @@
 //**anonymous**//
 {{{
-BROWSER_VIEW 
-CHANGESET_VIEW 
-FILE_VIEW 
-LOG_VIEW 
-MILESTONE_VIEW 
-REPORT_SQL_VIEW 
-REPORT_VIEW 
-ROADMAP_VIEW 
-SEARCH_VIEW 
-TICKET_VIEW 
+BROWSER_VIEW
+CHANGESET_VIEW
+FILE_VIEW
+LOG_VIEW
+MILESTONE_VIEW
+REPORT_SQL_VIEW
+REPORT_VIEW
+ROADMAP_VIEW
+SEARCH_VIEW
+TICKET_VIEW
 TIMELINE_VIEW
 WIKI_VIEW
@@ -195 +225 @@
 //**authenticated**//
 {{{
-TICKET_CREATE 
-TICKET_MODIFY 
-WIKI_CREATE 
-WIKI_MODIFY  
+TICKET_CREATE
+TICKET_MODIFY
+WIKI_CREATE
+WIKI_MODIFY
 }}}
 ----