Changes between Version 9 and Version 10 of TracPermissions
- Timestamp:
- 22/02/2023 10:14:50 (21 months ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
TracPermissions
v9 v10 8 8 In addition to the default permission policy described in this page, it is possible to activate additional permission policies by enabling plugins and listing them in [TracIni#trac-permission_policies-option "[trac] permission_policies"]. See TracFineGrainedPermissions for more details. 9 9 10 Non-authenticated users accessing the system are assigned the name //anonymous//. Assign permissions to the //anonymous// user to set privileges for anonymous/guest users. The parts of Trac that a user does not have privilege for will not be displayed in the navigation.10 Non-authenticated users accessing the system are assigned the name //anonymous//. Assign permissions to the //anonymous// user to set privileges for anonymous/guest users. The parts of Trac that a user does not have privileges for will not be displayed in the navigation bar. 11 11 In addition to these privileges, users can be granted additional individual rights in effect when authenticated and logged into the system. All logged in users belong to the virtual group //authenticated//, which inherits permissions from //anonymous//. 12 12 … … 18 18 }}} 19 19 20 Then, the user `bob` will be able to see the Admin tab, and can access the permissions menu. This menu will allow you to perform allthe following actions, but from the browser rather than requiring root access to the server. '''Use at least one lowercase character in user names, as all-uppercase names are reserved for permissions.'''20 Then, the user `bob` will be able to see the Admin tab, and can access the permissions menu. This menu allows you to perform the following actions, but from the browser rather than requiring root access to the server. '''Use at least one lowercase character in user names, as all-uppercase names are reserved for permissions.''' 21 21 22 22 [[Image(htdocs:../common/guide/admin.png)]] … … 30 30 == Available Privileges 31 31 32 To enable all privileges for a user, use the `TRAC_ADMIN` permission. This permission is like being `root` on a *NIX system: it will allow you to perform any operation .32 To enable all privileges for a user, use the `TRAC_ADMIN` permission. This permission is like being `root` on a *NIX system: it will allow you to perform any operation on Trac. 33 33 34 34 Otherwise, individual privileges can be assigned to users for the different functional areas of Trac and '''note that the privilege names are uppercase''': … … 45 45 || `TICKET_VIEW` || View existing [TracTickets tickets] and perform [TracQuery ticket queries] || 46 46 || `TICKET_CREATE` || Create new [TracTickets tickets] || 47 || `TICKET_APPEND` || Add comments and attachments to [TracTickets tickets], and edit description of ticket th e user created ||47 || `TICKET_APPEND` || Add comments and attachments to [TracTickets tickets], and edit description of ticket that the user created || 48 48 || `TICKET_CHGPROP` || Modify [TracTickets ticket] properties (priority, assignment, keywords, etc.) with the following exceptions: edit description of tickets created by others, add/remove other users from cc field when logged in || 49 49 || `TICKET_MODIFY` || Includes both `TICKET_APPEND` and `TICKET_CHGPROP`, and in addition allows resolving [TracTickets tickets] in the [TracWorkflow default workflow]. Tickets can be assigned to users through a [TracTickets#Assign-toasDrop-DownList drop-down list] when the list of possible owners has been restricted. || … … 62 62 || `MILESTONE_ADMIN` || All `MILESTONE_*` permissions || 63 63 || `ROADMAP_VIEW` || View the [TracRoadmap roadmap] page, which is not yet the same as MILESTONE_VIEW, see [trac:#4292 #4292] || 64 || `ROADMAP_ADMIN` || to be removed with [trac:#3022 #3022], replaced by MILESTONE_ADMIN ||64 || `ROADMAP_ADMIN` || To be removed with [trac:#3022 #3022], replaced by MILESTONE_ADMIN || 65 65 66 66 === Reports … … 97 97 == Attachment Permissions 98 98 99 Attachment permissions are handled by `LegacyAttachmentPolicy`, and unlike the permissions discussed so far, the permissions provided by `LegacyAttachmentPolicy` are not directly granted. Rather, the ability to create, view and delete attachments is determined by the attachment's parent realm and permissions the user possesses for that realm. 100 101 The attachment actions are determined by the following 102 permissions in the ticket, wiki and milestone realms: 99 Attachment permissions are handled by `LegacyAttachmentPolicy`, and unlike the permissions discussed so far, the permissions provided by `LegacyAttachmentPolicy` are not directly granted. Rather, the ability to create, view and delete attachments is determined by the attachment's parent realm and permissions that the user possesses for that realm. 100 101 The attachment actions are determined by the following permissions in the ticket, wiki and milestone realms: 103 102 {{{#!table class="listing" 104 103 ||= Granted By: =||= Ticket =||= Wiki =||= Milestone =|| … … 108 107 }}} 109 108 110 An authenticated user can delete an attachment //they added// without possessing the permission 111 that grants `ATTACHMENT_DELETE`. 112 113 If explicit attachment permissions are preferred, `ATTACHMENT_CREATE`, `ATTACHMENT_DELETE` and `ATTACHMENT_VIEW` can be created using the [trac:ExtraPermissionsProvider]. The simplest implementation is to simply define the actions. 109 An authenticated user can delete an attachment //they added// without possessing the permission that grants `ATTACHMENT_DELETE`. 110 111 If explicit attachment permissions are preferred, then `ATTACHMENT_CREATE`, `ATTACHMENT_DELETE` and `ATTACHMENT_VIEW` can be created using the [trac:ExtraPermissionsProvider]. The simplest implementation is to simply define the actions: 114 112 {{{#!ini 115 113 [extra-permissions] … … 117 115 }}} 118 116 119 An alternative configuration adds an `ATTACHMENT_ADMIN` meta-permission that grants the other 3 permission .117 An alternative configuration adds an `ATTACHMENT_ADMIN` meta-permission that grants the other 3 permissions: 120 118 {{{#!ini 121 119 [extra-permissions] … … 123 121 }}} 124 122 125 The explicit permissions can be used in con certwith `LegacyAttachmentPolicy`, or `LegacyAttachmentPolicy` can be removed from `permission_policies`, in which case only users that have been explicitly granted the corresponding attachment actions will be able to create, delete and view attachments.123 The explicit permissions can be used in conjunction with `LegacyAttachmentPolicy`, or `LegacyAttachmentPolicy` can be removed from `permission_policies`, in which case only users that have been explicitly granted the corresponding attachment actions will be able to create, delete and view attachments. 126 124 127 125 == Granting Privileges 128 126 129 You grant privileges to users using[TracAdmin trac-admin]. The current set of privileges can be listed with the following command:127 Privileges are granted to users through [TracAdmin trac-admin]. The current set of privileges can be listed with the following command: 130 128 {{{#!sh 131 129 $ trac-admin /path/to/projenv permission list … … 153 151 Any user who has logged in is also in the //authenticated// group. 154 152 The //authenticated// group inherits permissions from the //anonymous// group. 155 For example, if the //anonymous// group has permission WIKI_MODIFY, it is not necessary to add the WIKI_MODIFYpermission to the //authenticated// group as well.153 For example, if the //anonymous// group has permission `WIKI_MODIFY`, it is not necessary to add the `WIKI_MODIFY` permission to the //authenticated// group as well. 156 154 157 155 Custom groups may be defined that inherit permissions from the two built-in groups. … … 169 167 170 168 == Adding a New Group and Permissions 169 171 170 Permission groups can be created by assigning a user to a group you wish to create, then assign permissions to that group. 172 171 … … 204 203 == Default Permissions 205 204 206 By default on a new Trac installation, the //anonymous// user will have ''view'' access to everything in Trac, but will not beable to create or modify anything.207 On the other hand, the //authenticated// users will havethe permissions to ''create and modify tickets and wiki pages''.205 By default on a new Trac installation, the //anonymous// user has ''view'' access to everything in Trac, but is not able to create or modify anything. 206 The //authenticated// user has the permissions to ''create and modify tickets and wiki pages''. 208 207 209 208 //**anonymous**// … … 230 229 WIKI_MODIFY 231 230 }}} 231 232 232 ---- 233 233 See also: TracAdmin, TracFineGrainedPermissions