Changes between Version 1 and Version 2 of Trac Permissions

Timestamp:

May 10, 2020, 8:14:28 PM (4 years ago)

Author:

trac

Comment:

—

Trac Permissions

@@ -45 +45 @@
 || `TICKET_VIEW` || View existing [TracTickets tickets] and perform [TracQuery ticket queries] ||
 || `TICKET_CREATE` || Create new [TracTickets tickets] ||
-|| `TICKET_APPEND` || Add comments or attachments to [TracTickets tickets] ||
-|| `TICKET_CHGPROP` || Modify [TracTickets ticket] properties (priority, assignment, keywords, etc.) with the following exceptions: edit description field, add/remove other users from cc field when logged in ||
+|| `TICKET_APPEND` || Add comments and attachments to [TracTickets tickets], and edit description of ticket the user created ||
+|| `TICKET_CHGPROP` || Modify [TracTickets ticket] properties (priority, assignment, keywords, etc.) with the following exceptions: edit description of tickets created by others, add/remove other users from cc field when logged in ||
 || `TICKET_MODIFY` || Includes both `TICKET_APPEND` and `TICKET_CHGPROP`, and in addition allows resolving [TracTickets tickets] in the [TracWorkflow default workflow]. Tickets can be assigned to users through a [TracTickets#Assign-toasDrop-DownList drop-down list] when the list of possible owners has been restricted. ||
 || `TICKET_EDIT_CC` || Full modify cc field ||
-|| `TICKET_EDIT_DESCRIPTION` || Modify description field ||
+|| `TICKET_EDIT_DESCRIPTION` || Modify description field. User with `TICKET_APPEND` or `TICKET_CHGPROP` can modify description of ticket they created. ||
 || `TICKET_EDIT_COMMENT` || Modify another user's comments. Any user can modify their own comments by default. ||
 || `TICKET_BATCH_MODIFY` || [TracBatchModify Batch modify] tickets ||
@@ -94 +94 @@
 || `CONFIG_VIEW` || Enables additional sections on ''About Trac'' that show the current configuration and the list of installed plugins ||
 || `EMAIL_VIEW` || Shows email addresses even if [TracIni#trac-section trac show_email_addresses] configuration option is false ||
+
+== Attachment Permissions
+
+Attachment permissions are handled by `LegacyAttachmentPolicy`, and unlike the permissions discussed so far, the permissions provided by `LegacyAttachmentPolicy` are not directly granted. Rather, the ability to create, view and delete attachments is determined by the attachment's parent realm and permissions the user possesses for that realm.
+
+The attachment actions are determined by the following
+permissions in the ticket, wiki and milestone realms:
+{{{#!table class="listing"
+||= Granted By: =||= Ticket =||= Wiki =||= Milestone =||
+|| `ATTACHMENT_CREATE` || `TICKET_APPEND` || `WIKI_MODIFY` || `MILESTONE_MODIFY` ||
+|| `ATTACHMENT_VIEW` || `TICKET_VIEW` || `WIKI_VIEW` || `MILESTONE_VIEW` ||
+|| `ATTACHMENT_DELETE` || `TICKET_ADMIN` || `WIKI_DELETE` || `MILESTONE_DELETE` ||
+}}}
+
+If explicit attachment permissions are preferred, `ATTACHMENT_CREATE`, `ATTACHMENT_DELETE` and `ATTACHMENT_VIEW` can be created using the [trac:ExtraPermissionsProvider]. The simplest implementation is to simply define the actions.
+{{{#!ini
+[extra-permissions]
+_perms = ATTACHMENT_CREATE, ATTACHMENT_DELETE, ATTACHMENT_VIEW
+}}}
+
+An alternative configuration adds an `ATTACHMENT_ADMIN` meta-permission that grants the other 3 permission.
+{{{#!ini
+[extra-permissions]
+ATTACHMENT_ADMIN = ATTACHMENT_CREATE, ATTACHMENT_DELETE, ATTACHMENT_VIEW
+}}}
+
+The explicit permissions can be used in concert with `LegacyAttachmentPolicy`, or `LegacyAttachmentPolicy` can be removed from `permission_policies`, in which case only users that have been explicitly granted the corresponding attachment actions will be able to create, delete and view attachments.
 
 == Granting Privileges