TracPermissions - Yagitalk - Trac

Trac Permissions

Trac uses a simple but flexible permission system to control what users can and can't access.

Permission privileges are managed using the trac-admin tool.

Visitors who have not authenticated are assigned the default role (user) named anonymous. Assign permissions to the anonymous user to set privileges for non-authenticated/guest users.

In addition to these privileges, users can be granted individual rights that take effect once they are authenticated and logged into the system.

Available Privileges

To enable all privileges for a user, use the TRAC_ADMIN permission. Having TRAC_ADMIN is like being root on a *NIX system: it will let you do anything you want.

Otherwise, individual privileges can be assigned to users for the different functional areas of Trac:

Repository Browser

BROWSER_VIEW    View directory listings in the repository browser
LOG_VIEW        View revision logs of files and directories in the repository browser
FILE_VIEW       View files in the repository browser
CHANGESET_VIEW  View repository check-ins

Ticket System

TICKET_VIEW     View existing tickets and perform ticket queries
TICKET_CREATE   Create new tickets
TICKET_APPEND   Add comments or attachments to tickets
TICKET_CHGPROP  Modify ticket properties
TICKET_MODIFY   Includes both TICKET_APPEND and TICKET_CHGPROP, and in addition allows resolving tickets
TICKET_ADMIN    All TICKET_* permissions, plus the deletion of ticket attachments

Roadmap

MILESTONE_VIEW    View a milestone
MILESTONE_CREATE  Create a new milestone
MILESTONE_MODIFY  Modify existing milestones
MILESTONE_DELETE  Delete milestones
MILESTONE_ADMIN   All MILESTONE_* permissions
ROADMAP_VIEW      View the roadmap page
ROADMAP_ADMIN     Alias for MILESTONE_ADMIN (deprecated)

Reports

REPORT_VIEW      View reports
REPORT_SQL_VIEW  View the underlying SQL query of a report
REPORT_CREATE    Create new reports
REPORT_MODIFY    Modify existing reports
REPORT_DELETE    Delete reports
REPORT_ADMIN     All REPORT_* permissions

Wiki System

WIKI_VIEW    View existing wiki pages
WIKI_CREATE  Create new wiki pages
WIKI_MODIFY  Change wiki pages
WIKI_DELETE  Delete wiki pages and attachments
WIKI_ADMIN   All WIKI_* permissions, plus the management of read-only pages

Others

TIMELINE_VIEW  View the timeline page
SEARCH_VIEW    View and execute search queries
CONFIG_VIEW    Enables additional pages on About Trac that show the current configuration or the list of installed plugins

Granting Privileges

Currently the only way to grant privileges to users is by using the trac-admin script. The current set of privileges can be listed with the following command:

  $ trac-admin /path/to/projenv permission list

This command will allow the user bob to delete reports:

  $ trac-admin /path/to/projenv permission add bob REPORT_DELETE

Permission Groups

Permissions can be grouped together to form roles such as developer, admin, etc.

  $ trac-admin /path/to/projenv permission add developer WIKI_ADMIN
  $ trac-admin /path/to/projenv permission add developer REPORT_ADMIN
  $ trac-admin /path/to/projenv permission add developer TICKET_MODIFY
  $ trac-admin /path/to/projenv permission add bob developer
  $ trac-admin /path/to/projenv permission add john developer

Default Permissions

Granting privileges to the special user anonymous can be used to control what an anonymous user can do before they have logged in.

In the same way, privileges granted to the special user authenticated will apply to any authenticated (logged in) user.
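
Because groups and the special users anonymous and authenticated stack, the permissions a user actually holds can differ from what any single grant suggests. The following added example (not part of Trac or of the original page) expands a list of grants into effective permissions and reports sensitive ones reachable through the two special users. It assumes upper-case actions are permissions and anything else is a group name, as in the commands above; the sample grants, the suffix policy and the placeholder user name are constructed for illustration.

```python
# Constructed sample grants; each pair mirrors one
# `trac-admin /path/to/projenv permission add <subject> <action>` call.
GRANTS = [
    ("anonymous", "WIKI_VIEW"), ("anonymous", "TICKET_VIEW"),
    ("authenticated", "TICKET_CREATE"),
    ("developer", "WIKI_ADMIN"), ("developer", "REPORT_ADMIN"),
    ("developer", "TICKET_MODIFY"),
    ("bob", "developer"), ("john", "developer"),
    ("authenticated", "developer"),  # constructed mistake: every login is a developer
]

# Example policy (an assumption): these suffixes mark permissions that should
# not be reachable through the special users anonymous and authenticated.
SENSITIVE_SUFFIXES = ("_ADMIN", "_DELETE", "_MODIFY")

def effective_permissions(user, grants):
    """Return the set of permissions `user` holds after group expansion."""
    # Everyone inherits from anonymous; logged-in users also from authenticated.
    subjects = {user, "anonymous"}
    if user != "anonymous":
        subjects.add("authenticated")
    perms = set()
    changed = True
    while changed:  # iterate to a fixed point so nested groups resolve
        changed = False
        for subject, action in grants:
            # Assumption: upper-case actions are permissions, others are groups.
            target = perms if action.isupper() else subjects
            if subject in subjects and action not in target:
                target.add(action)
                changed = True
    return perms

def audit_defaults(grants):
    """Map each special user to the sensitive permissions it can reach."""
    findings = {}
    # "<any-login>" is a placeholder name standing in for any logged-in user.
    for special, probe in (("anonymous", "anonymous"),
                           ("authenticated", "<any-login>")):
        risky = sorted(p for p in effective_permissions(probe, grants)
                       if p.endswith(SENSITIVE_SUFFIXES))
        if risky:
            findings[special] = risky
    return findings

if __name__ == "__main__":
    for subject, perms in audit_defaults(GRANTS).items():
        print(f"{subject}: {', '.join(perms)}")
```

The pairs in GRANTS can be replaced with the subject/action pairs shown by the permission list command for a real environment.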


See also: TracAdmin, TracGuide