On Friday, September 13, 2019 at 4:17:40 PM UTC-7, RjOllos wrote:
>
> On Fri, Sep 13, 2019 at 4:44 AM Andreas <muffelm...@gmail.com> wrote:
>
>> Hello Ryan, 
>>
>> thanks for your hint!
>> I have activated AuthzPolicy on our Trac 1.2.2 environment and the 
>> following part is working as it should:
>>
>> [wiki:testwiki@*]
>>
>> testuser = WIKI_VIEW
>>
>>
>> --> testuser can only see the "testwiki" page, nothing else
>>
>>
>> I was wondering if the realm (?) for milestone would be "milestone", but 
>> it failed:
>>
>>  
>>
>> [milestone:testmilestone@*]
>>
>> testuser = TICKET_CREATE, TICKET_MODIFY, TICKET_VIEW
>>
>>
>> The testuser can still only see that one testwiki page, but cannot 
>> view/edit tickets with milestone "testmilestone".
>>
>> I'm pretty sure that the syntax / realm for milestone is wrong. Can you 
>> help me out here?
>>
>>
>> Thank you!
>>
>>
>> Best regards,
>>
>> Andreas
>>
>
> Using realm 'milestone' will restrict access to a resource in the 
> milestone realm (/milestone).
>
> The ticket page is realm 'ticket'.
>
> To restrict tickets based on permission to view a milestone, you'll need 
> to implement a permission policy. First, restrict access to the milestone 
> using AuthzPolicy, and verify that you can view the milestone. For your 
> example, this will be /milestone/testmilestone, and testmilestone should be 
> visible on the Roadmap page.
>
> Then you need to implement IPermissionPolicy in a component, like the 
> examples described here:
> https://trac.edgewall.org/wiki/CookBook/PermissionPolicies
>
> The logic in check_permission would be something like (untested):
>
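>     # Module-level imports the method needs
>     from trac.resource import ResourceNotFound
>     from trac.ticket.model import Ticket
>
>     # Method of the Component that implements IPermissionPolicy
>     def check_permission(self, action, username, resource, perm):
>         if action == 'TICKET_VIEW' and \
>                 resource is not None and \
>                 resource.realm == 'ticket' and \
>                 resource.id is not None:
>             try:
>                 ticket = Ticket(self.env, resource.id)
>             except ResourceNotFound:
>                 pass
>             else:
>                 # perm(realm, id) scopes the check to the ticket's milestone
>                 if 'MILESTONE_VIEW' in perm('milestone', ticket['milestone']):
>                     return True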
>
> - Ryan
>


This policy is now documented in:
https://trac.edgewall.org/wiki/CookBook/PermissionPolicies#RestrictTicketsPerMilestone

- Ryan
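
Added example, not part of the thread and not Trac code: a small model of how a permission-policy chain resolves, showing that a policy shaped like the snippet above only grants and otherwise abstains, so a later policy can still allow tickets in other milestones. All names and data here are constructed; it assumes testuser also holds a global TICKET_VIEW grant, which the thread does not state.

```python
# Model of a Trac-style permission-policy chain (hypothetical names, not Trac API).
# Each policy returns True (allow), False (deny) or None (no opinion);
# the first non-None answer wins, and the request is denied if nobody decides.

# Constructed sample data
TICKETS = {1: "testmilestone", 2: "othermilestone"}   # ticket id -> milestone
MILESTONE_VIEW = {"testuser": {"testmilestone"}}      # stand-in for the AuthzPolicy grant
GLOBAL_PERMS = {"testuser": {"TICKET_VIEW"}}          # assumed global grant


def can_view_milestone(user, milestone):
    return milestone in MILESTONE_VIEW.get(user, set())


def allow_only_policy(action, user, realm, rid):
    """Same shape as the snippet in the thread: grant, otherwise abstain."""
    if action == "TICKET_VIEW" and realm == "ticket" and rid in TICKETS:
        if can_view_milestone(user, TICKETS[rid]):
            return True
    return None


def strict_policy(action, user, realm, rid):
    """Variant that decides both ways, so later policies cannot re-allow."""
    if action == "TICKET_VIEW" and realm == "ticket" and rid in TICKETS:
        return can_view_milestone(user, TICKETS[rid])
    return None


def default_policy(action, user, realm, rid):
    """Stand-in for the permission-store policy: global grants only."""
    return True if action in GLOBAL_PERMS.get(user, set()) else None


def decide(chain, action, user, realm, rid):
    for policy in chain:
        decision = policy(action, user, realm, rid)
        if decision is not None:
            return decision
    return False  # no policy granted the action


def visible_tickets(chain, user):
    return [tid for tid in sorted(TICKETS)
            if decide(chain, "TICKET_VIEW", user, "ticket", tid)]


if __name__ == "__main__":
    print(visible_tickets([allow_only_policy, default_policy], "testuser"))
    print(visible_tickets([strict_policy, default_policy], "testuser"))
```

When verifying a deployment, test with a ticket whose milestone the user cannot view, not only with one they can.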
