= Trac Permissions =
[[TracGuideToc]]

Trac uses a simple but flexible permission system to control what users can and can't access.

Permission privileges are managed using the [wiki:TracAdmin trac-admin] tool.

Regular visitors (non-authenticated users) accessing the system are assigned the default role (''user'') named {{{anonymous}}}. Assign permissions to the {{{anonymous}}} user to set privileges for non-authenticated/guest users.

In addition to these privileges, users can be granted individual rights that take effect once they are authenticated and logged into the system.

== Available Privileges ==

To enable all privileges for a user, use the `TRAC_ADMIN` permission. Having `TRAC_ADMIN` is like being `root` on a *NIX system: it will let you do anything you want.

Otherwise, individual privileges can be assigned to users for the various functional areas of Trac:

=== Repository Browser ===

|| `BROWSER_VIEW` || View directory listings in the [wiki:TracBrowser repository browser] ||
|| `LOG_VIEW` || View revision logs of files and directories in the [wiki:TracBrowser repository browser] ||
|| `FILE_VIEW` || View files in the [wiki:TracBrowser repository browser] ||
|| `CHANGESET_VIEW` || View [wiki:TracChangeset repository check-ins] ||

=== Ticket System ===

|| `TICKET_VIEW` || View existing [wiki:TracTickets tickets] and perform [wiki:TracQuery ticket queries] ||
|| `TICKET_CREATE` || Create new [wiki:TracTickets tickets] ||
|| `TICKET_APPEND` || Add comments or attachments to [wiki:TracTickets tickets] ||
|| `TICKET_CHGPROP` || Modify [wiki:TracTickets ticket] properties ||
|| `TICKET_MODIFY` || Includes both `TICKET_APPEND` and `TICKET_CHGPROP`, and in addition allows resolving [wiki:TracTickets tickets] ||
|| `TICKET_ADMIN` || All `TICKET_*` permissions, plus the deletion of ticket attachments. ||

=== Roadmap ===

|| `MILESTONE_VIEW` || View a milestone ||
|| `MILESTONE_CREATE` || Create a new milestone ||
|| `MILESTONE_MODIFY` || Modify existing milestones ||
|| `MILESTONE_DELETE` || Delete milestones ||
|| `MILESTONE_ADMIN` || All `MILESTONE_*` permissions ||
|| `ROADMAP_VIEW` || View the [wiki:TracRoadmap roadmap] page ||
|| `ROADMAP_ADMIN` || Alias for `MILESTONE_ADMIN` (deprecated) ||

=== Reports ===

|| `REPORT_VIEW` || View [wiki:TracReports reports] ||
|| `REPORT_SQL_VIEW` || View the underlying SQL query of a [wiki:TracReports report] ||
|| `REPORT_CREATE` || Create new [wiki:TracReports reports] ||
|| `REPORT_MODIFY` || Modify existing [wiki:TracReports reports] ||
|| `REPORT_DELETE` || Delete [wiki:TracReports reports] ||
|| `REPORT_ADMIN` || All `REPORT_*` permissions ||

=== Wiki System ===

|| `WIKI_VIEW` || View existing [wiki:TracWiki wiki] pages ||
|| `WIKI_CREATE` || Create new [wiki:TracWiki wiki] pages ||
|| `WIKI_MODIFY` || Change [wiki:TracWiki wiki] pages ||
|| `WIKI_DELETE` || Delete [wiki:TracWiki wiki] pages and attachments ||
|| `WIKI_ADMIN` || All `WIKI_*` permissions, plus the management of ''readonly'' pages. ||

=== Others ===

|| `TIMELINE_VIEW` || View the [wiki:TracTimeline timeline] page ||
|| `SEARCH_VIEW` || View and execute [wiki:TracSearch search] queries ||
|| `CONFIG_VIEW` || Enables additional pages on ''About Trac'' that show the current configuration or the list of installed plugins ||

== Granting Privileges ==

Currently the only way to grant privileges to users is by using the `trac-admin` script. The current set of privileges can be listed with the following command:
{{{
$ trac-admin /path/to/projenv permission list
}}}

This command will allow the user ''bob'' to delete reports:
{{{
$ trac-admin /path/to/projenv permission add bob REPORT_DELETE
}}}

== Permission Groups ==

Permissions can be grouped together to form roles such as ''developer'', ''admin'', etc.
{{{
$ trac-admin /path/to/projenv permission add developer WIKI_ADMIN
$ trac-admin /path/to/projenv permission add developer REPORT_ADMIN
$ trac-admin /path/to/projenv permission add developer TICKET_MODIFY
$ trac-admin /path/to/projenv permission add bob developer
$ trac-admin /path/to/projenv permission add john developer
}}}

== Default Permissions ==

Granting privileges to the special user ''anonymous'' can be used to control what an anonymous user can do before they have logged in.

In the same way, privileges granted to the special user ''authenticated'' will apply to any authenticated (logged in) user.
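
The group and default-permission rules above, as an added Python example (not Trac's own code): it reads `permission add` commands, resolves what a user effectively holds, and lists what anonymous visitors can do beyond viewing. The last two sample commands are constructed, and treating any name that is not all uppercase as a group is an assumption of this example.

```python
KNOWN = set("""BROWSER_VIEW LOG_VIEW FILE_VIEW CHANGESET_VIEW TICKET_VIEW
TICKET_CREATE TICKET_APPEND TICKET_CHGPROP TICKET_MODIFY TICKET_ADMIN MILESTONE_VIEW
MILESTONE_CREATE MILESTONE_MODIFY MILESTONE_DELETE MILESTONE_ADMIN ROADMAP_VIEW
ROADMAP_ADMIN REPORT_VIEW REPORT_SQL_VIEW REPORT_CREATE REPORT_MODIFY REPORT_DELETE
REPORT_ADMIN WIKI_VIEW WIKI_CREATE WIKI_MODIFY WIKI_DELETE WIKI_ADMIN TIMELINE_VIEW
SEARCH_VIEW CONFIG_VIEW TRAC_ADMIN""".split())  # every name in the tables above

def expand(action):
    """Expand a meta-permission as described in the tables on this page."""
    if action == "TRAC_ADMIN":
        return set(KNOWN)
    if action == "ROADMAP_ADMIN":      # deprecated alias for MILESTONE_ADMIN
        return {action} | expand("MILESTONE_ADMIN")
    if action == "TICKET_MODIFY":
        return {action, "TICKET_APPEND", "TICKET_CHGPROP"}
    if action.endswith("_ADMIN"):      # e.g. WIKI_ADMIN -> all WIKI_*
        return {p for p in KNOWN if p.startswith(action[:-5])}
    return {action}

def parse_grants(commands):
    """Turn 'permission add <subject> <action>' lines into (subject, action) pairs."""
    rows = (line.split() for line in commands.splitlines())
    return [(w[-2], w[-1]) for w in rows if w[-4:-2] == ["permission", "add"]]

def effective(user, grants, logged_in=True):
    """Permissions a subject ends up with, following group membership."""
    todo = [user, "anonymous"] + (["authenticated"] if logged_in else [])
    perms, seen = set(), set()
    while todo:
        subject = todo.pop()
        mine = [] if subject in seen else [a for s, a in grants if s == subject]
        seen.add(subject)              # guards against group cycles
        perms.update(*(expand(a) for a in mine if a.isupper()))
        todo += [a for a in mine if not a.isupper()]   # assumed: these are groups
    return perms

def risky_for_anonymous(grants):
    """Anything beyond read-only (*_VIEW) that a visitor gets without logging in."""
    perms = effective("anonymous", grants, logged_in=False)
    return sorted(p for p in perms if not p.endswith("_VIEW"))

# First three commands are from this page; the last two are constructed samples.
SAMPLE = """\
$ trac-admin /path/to/projenv permission add developer WIKI_ADMIN
$ trac-admin /path/to/projenv permission add developer TICKET_MODIFY
$ trac-admin /path/to/projenv permission add bob developer
$ trac-admin /path/to/projenv permission add anonymous TICKET_CREATE
$ trac-admin /path/to/projenv permission add authenticated TICKET_VIEW
"""
```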

----
See also: TracAdmin, TracGuide