Re: [Trac] SensitiveTicketsPlugin

2014-06-25 Thread RjOllos


On Friday, June 20, 2014 11:59:26 AM UTC-7, KateYoak wrote:
>
> I ran into a similar thing with BlackMagic plugin - the one that lets you 
> have field-level permissions. Wanted to grant access to financial fields to 
> the finance folk - but not the whole company.  I am pondering whether it's 
> a good idea to just add a feature to trac to create a group of permissions 
> which are not available to TRAC_ADMIN
>

TRAC_ADMIN is like root on a Linux machine, so it doesn't make sense to 
restrict global TRAC_ADMIN from performing actions. If you were on a Linux 
machine and you wanted to give users some, but not all, superuser 
privileges you would use sudo/sudoers file. Similarly, 
TracFineGrainedPermissions are the mechanism you can use to grant 
TRAC_ADMIN for specific resources. It accomplishes the same thing you wish 
to accomplish by having a set of permissions not available to TRAC_ADMIN. 
The approach is different though in that you need to start thinking about 
which resources you want to allow a user to perform TRAC_ADMIN on. Some 
plugins may need modifications to properly support 
TracFineGrainedPermissions, for example:
http://trac-hacks.org/ticket/11826
If you have trouble implementing it, just reply here with your 
configuration details and we can work through it.

-- 
You received this message because you are subscribed to the Google Groups "Trac 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to trac-users+unsubscr...@googlegroups.com.
To post to this group, send email to trac-users@googlegroups.com.
Visit this group at http://groups.google.com/group/trac-users.
For more options, visit https://groups.google.com/d/optout.


Re: [Trac] SensitiveTicketsPlugin

2014-06-20 Thread KateYoak
I ran into a similar thing with BlackMagic plugin - the one that lets you 
have field-level permissions. Wanted to grant access to financial fields to 
the finance folk - but not the whole company.  I am pondering whether it's 
a good idea to just add a feature to trac to create a group of permissions 
which are not available to TRAC_ADMIN.

On Wednesday, May 28, 2014 12:50:31 PM UTC-7, RjOllos wrote:
>
> On Wednesday, May 14, 2014 1:44:50 PM UTC-7, hasienda wrote:
>>
>> On 08.05.2014 11:50, russell gower wrote: 
>> > Hi, 
>> >  I’m evaluating the SensitiveTicketsPlugin but I’ve hit a snag that may 
>> > prevent me from using it, basically we don’t want users with TRAC_ADMIN 
>> > privileges to see tickets marked as sensitive unless they would see 
>> them 
>> > if they didn’t have the TRAC_ADMIN privilege, is this possible? 
>>
>> Sorry for the late response, but No, you cannot do that because of 
>> hard-coded TRAC_ADMIN behavior to inherit ANY action/permission defined 
>> on a Trac system. 
>>
>
> My approach would be to reconsider the users to which you are granting 
> TRAC_ADMIN. What actions do you wish those users to perform that requires 
> they have TRAC_ADMIN and why don't you trust those users to see some 
> tickets?
>
> Note that you can grant TRAC_ADMIN at the resource level using 
> TracFineGrainedPermissions. That would allow you to revoke the coarse 
> TRAC_ADMIN for those users that you don't wish to see the sensitive 
> tickets, and grant them TRAC_ADMIN for specific resources.
> http://trac.edgewall.org/wiki/TracFineGrainedPermissions
>
>



Re: [Trac] SensitiveTicketsPlugin

2014-05-28 Thread RjOllos
On Wednesday, May 14, 2014 1:44:50 PM UTC-7, hasienda wrote:
>
> On 08.05.2014 11:50, russell gower wrote: 
> > Hi, 
> >  I’m evaluating the SensitiveTicketsPlugin but I’ve hit a snag that may 
> > prevent me from using it, basically we don’t want users with TRAC_ADMIN 
> > privileges to see tickets marked as sensitive unless they would see them 
> > if they didn’t have the TRAC_ADMIN privilege, is this possible? 
>
> Sorry for the late response, but No, you cannot do that because of 
> hard-coded TRAC_ADMIN behavior to inherit ANY action/permission defined 
> on a Trac system. 
>

My approach would be to reconsider the users to which you are granting 
TRAC_ADMIN. What actions do you wish those users to perform that requires 
they have TRAC_ADMIN and why don't you trust those users to see some 
tickets?

Note that you can grant TRAC_ADMIN at the resource level using 
TracFineGrainedPermissions. That would allow you to revoke the coarse 
TRAC_ADMIN for those users that you don't wish to see the sensitive 
tickets, and grant them TRAC_ADMIN for specific resources.
http://trac.edgewall.org/wiki/TracFineGrainedPermissions
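
An illustration of the setup suggested in this message and in the 2014-06-25 reply (coarse TRAC_ADMIN revoked, TRAC_ADMIN granted per resource through the authz policy file). It is an added example, not part of the original thread or the Trac project's own configuration; the group name, user names and file path are assumptions.

```ini
# --- trac.ini (fragment) ---
[components]
tracopt.perm.authz_policy.* = enabled

[trac]
# AuthzPolicy is listed before DefaultPermissionPolicy so it is consulted first.
# Policies contributed by other plugins keep their place in this list.
permission_policies = AuthzPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy

[authz_policy]
# Placeholder path; point this at the policy file below.
authz_file = /path/to/env/conf/authzpolicy.conf

# --- /path/to/env/conf/authzpolicy.conf ---
[groups]
# Constructed group and user names.
wikiadmins = alice, bob

# TRAC_ADMIN scoped to wiki pages and milestones only. No ticket section
# is defined here, so ticket checks for these users fall through to the
# next policy and to whatever ordinary permissions they hold.
[wiki:*]
@wikiadmins = TRAC_ADMIN

[milestone:*]
@wikiadmins = TRAC_ADMIN
```

The scoped grant only replaces the global one once the latter is removed, for example with `trac-admin /path/to/env permission remove alice TRAC_ADMIN`.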



Re: [Trac] SensitiveTicketsPlugin

2014-05-14 Thread Steffen Hoffmann
On 08.05.2014 11:50, russell gower wrote:
> Hi,
>  I’m evaluating the SensitiveTicketsPlugin but I’ve hit a snag that may
> prevent me from using it, basically we don’t want users with TRAC_ADMIN
> privileges to see tickets marked as sensitive unless they would see them
> if they didn’t have the TRAC_ADMIN privilege, is this possible?

Sorry for the late response, but No, you cannot do that because of
hard-coded TRAC_ADMIN behavior to inherit ANY action/permission defined
on a Trac system.

If you really want to break admin privilege (reliably), IMO the only way
is (strong) encryption. I meant to provide such methods by now [1], but
unfortunately development is on hold already for too long.

Steffen Hoffmann


[1] http://trac-hacks.org/wiki/CryptoPlugin


[Trac] SensitiveTicketsPlugin

2014-05-08 Thread russell gower
Hi,
 I’m evaluating the SensitiveTicketsPlugin but I’ve hit a snag that may 
prevent me from using it, basically we don’t want users with TRAC_ADMIN 
privileges to see tickets marked as sensitive unless they would see them if 
they didn’t have the TRAC_ADMIN privilege, is this possible?

Regards
 Russell
