= Trac Permissions =
[[TracGuideToc]]

Trac uses a simple but flexible permission system to control what users can and can't access.

Permission privileges are managed using the [wiki:TracAdmin trac-admin] tool.

Regular visitors (non-authenticated users) accessing the system are assigned the default role (''user'') named {{{anonymous}}}. Assign permissions to the {{{anonymous}}} user to set privileges for non-authenticated/guest users.

In addition to these privileges, users can be granted additional individual rights that take effect when they are authenticated and logged into the system.

== Available Privileges ==

To enable all privileges for a user, use the `TRAC_ADMIN` permission. Having `TRAC_ADMIN` is like being `root` on a *NIX system: it will let you do anything you want.

Otherwise, individual privileges can be assigned to users for the various functional areas of Trac:

=== Repository Browser ===

|| `BROWSER_VIEW` || View directory listings in the [wiki:TracBrowser repository browser] ||
|| `LOG_VIEW` || View revision logs of files and directories in the [wiki:TracBrowser repository browser] ||
|| `FILE_VIEW` || View files in the [wiki:TracBrowser repository browser] ||
|| `CHANGESET_VIEW` || View [wiki:TracChangeset repository check-ins] ||

=== Ticket System ===

|| `TICKET_VIEW` || View existing [wiki:TracTickets tickets] and perform [wiki:TracQuery ticket queries] ||
|| `TICKET_CREATE` || Create new [wiki:TracTickets tickets] ||
|| `TICKET_APPEND` || Add comments or attachments to [wiki:TracTickets tickets] ||
|| `TICKET_CHGPROP` || Modify [wiki:TracTickets ticket] properties ||
|| `TICKET_MODIFY` || Includes both `TICKET_APPEND` and `TICKET_CHGPROP`, and in addition allows resolving [wiki:TracTickets tickets] ||
|| `TICKET_ADMIN` || All `TICKET_*` permissions, plus the deletion of ticket attachments. ||

=== Roadmap ===

|| `MILESTONE_VIEW` || View a milestone ||
|| `MILESTONE_CREATE` || Create a new milestone ||
|| `MILESTONE_MODIFY` || Modify existing milestones ||
|| `MILESTONE_DELETE` || Delete milestones ||
|| `MILESTONE_ADMIN` || All `MILESTONE_*` permissions ||
|| `ROADMAP_VIEW` || View the [wiki:TracRoadmap roadmap] page ||
|| `ROADMAP_ADMIN` || Alias for `MILESTONE_ADMIN` (deprecated) ||

=== Reports ===

|| `REPORT_VIEW` || View [wiki:TracReports reports] ||
|| `REPORT_SQL_VIEW` || View the underlying SQL query of a [wiki:TracReports report] ||
|| `REPORT_CREATE` || Create new [wiki:TracReports reports] ||
|| `REPORT_MODIFY` || Modify existing [wiki:TracReports reports] ||
|| `REPORT_DELETE` || Delete [wiki:TracReports reports] ||
|| `REPORT_ADMIN` || All `REPORT_*` permissions ||

=== Wiki System ===

|| `WIKI_VIEW` || View existing [wiki:TracWiki wiki] pages ||
|| `WIKI_CREATE` || Create new [wiki:TracWiki wiki] pages ||
|| `WIKI_MODIFY` || Change [wiki:TracWiki wiki] pages ||
|| `WIKI_DELETE` || Delete [wiki:TracWiki wiki] pages and attachments ||
|| `WIKI_ADMIN` || All `WIKI_*` permissions, plus the management of ''readonly'' pages. ||

=== Others ===

|| `TIMELINE_VIEW` || View the [wiki:TracTimeline timeline] page ||
|| `SEARCH_VIEW` || View and execute [wiki:TracSearch search] queries ||
|| `CONFIG_VIEW` || Enables additional pages on ''About Trac'' that show the current configuration or the list of installed plugins ||

== Granting Privileges ==

Currently the only way to grant privileges to users is by using the `trac-admin` script. The current set of privileges can be listed with the following command:
{{{
$ trac-admin /path/to/projenv permission list
}}}

This command will allow the user ''bob'' to delete reports:
{{{
$ trac-admin /path/to/projenv permission add bob REPORT_DELETE
}}}

== Permission Groups ==

Permissions can be grouped together to form roles such as ''developer'', ''admin'', etc.
{{{
$ trac-admin /path/to/projenv permission add developer WIKI_ADMIN
$ trac-admin /path/to/projenv permission add developer REPORT_ADMIN
$ trac-admin /path/to/projenv permission add developer TICKET_MODIFY
$ trac-admin /path/to/projenv permission add bob developer
$ trac-admin /path/to/projenv permission add john developer
}}}

== Default Permissions ==

Granting privileges to the special user ''anonymous'' can be used to control what an anonymous user can do before they have logged in.

In the same way, privileges granted to the special user ''authenticated'' will apply to any authenticated (logged in) user.

----
See also: TracAdmin, TracGuide
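
What a user can actually do follows from the group, default-user and "includes" rules described in the Permission Groups, Default Permissions and Available Privileges sections above. The Python sketch below is an added example, not part of Trac or of the original page: it resolves effective privileges from constructed (subject, action) grants, assuming any action that is not upper-case is a group name; `implied`, `effective` and `holders` are hypothetical helper names.

```python
# Constructed sample grants as (subject, action) pairs; not from a real environment.
GRANTS = [
    ("anonymous", "WIKI_VIEW"), ("anonymous", "TICKET_VIEW"),
    ("authenticated", "TICKET_CREATE"),
    ("developer", "WIKI_ADMIN"), ("developer", "REPORT_ADMIN"),
    ("developer", "TICKET_MODIFY"),
    ("bob", "developer"), ("john", "developer"), ("alice", "TRAC_ADMIN"),
]
# Every privilege named on this page.
ACTIONS = set("""
    TRAC_ADMIN BROWSER_VIEW LOG_VIEW FILE_VIEW CHANGESET_VIEW
    TICKET_VIEW TICKET_CREATE TICKET_APPEND TICKET_CHGPROP TICKET_MODIFY TICKET_ADMIN
    MILESTONE_VIEW MILESTONE_CREATE MILESTONE_MODIFY MILESTONE_DELETE MILESTONE_ADMIN
    ROADMAP_VIEW ROADMAP_ADMIN
    REPORT_VIEW REPORT_SQL_VIEW REPORT_CREATE REPORT_MODIFY REPORT_DELETE REPORT_ADMIN
    WIKI_VIEW WIKI_CREATE WIKI_MODIFY WIKI_DELETE WIKI_ADMIN
    TIMELINE_VIEW SEARCH_VIEW CONFIG_VIEW
""".split())

def implied(action):
    """Expand one privilege into everything the tables say it includes."""
    if action == "TRAC_ADMIN":
        return set(ACTIONS)
    if action == "ROADMAP_ADMIN":            # deprecated alias for MILESTONE_ADMIN
        return implied("MILESTONE_ADMIN") | {action}
    if action == "TICKET_MODIFY":
        return {action, "TICKET_APPEND", "TICKET_CHGPROP"}
    if action.endswith("_ADMIN"):            # e.g. WIKI_ADMIN -> all WIKI_*
        return {a for a in ACTIONS if a.startswith(action[:-5])}
    return {action}

def effective(user, grants=GRANTS):
    """Privileges a user ends up with; pass 'anonymous' for a guest."""
    subjects = {"anonymous"}
    if user != "anonymous":
        subjects |= {"authenticated", user}
    actions, changed = set(), True
    while changed:                           # repeat until stable: grant order must not matter
        changed = False
        for subject, action in grants:
            if subject not in subjects:
                continue
            is_priv = action.isupper()       # assumption: anything else is a group name
            target = actions if is_priv else subjects
            new = implied(action) if is_priv else {action}
            if not new <= target:
                target |= new
                changed = True
    return actions

def holders(action, grants=GRANTS):
    """Named users (and anonymous) who effectively hold `action`."""
    groups = {a for _, a in grants if not a.isupper()}
    users = {s for s, _ in grants} - groups - {"authenticated"}
    return sorted(u for u in users if action in effective(u, grants))
```

Running `holders("TRAC_ADMIN")` or `effective("anonymous")` against an environment's real grants is a quick least-privilege review before adding anything to ''anonymous'' or ''authenticated''.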