Permission system
Nokia Developer Projects has a flexible and fine-grained permission system based on the standard Trac permission system. Groups are assigned specific permissions ("rights") to edit or modify parts of the infrastructure in the Permissions | Groups section of the Admin tab, and then users are added to one or more of these groups in the Permissions | Users section. There is no way to add a user to a project except by adding them to a group.
To make access control even easier you can set pre-defined permission configurations for Public and Private projects through the General | Basic Settings tab. These provide a set of standard groups that will suit the needs of the vast majority of projects. We cover these briefly in the "Public and Private permission configurations" section below.
Managing permissions
Groups are created in the Permissions | Group section of the Admin tab, as shown below. The centre of the page has the list of groups along with their permissions. On the right hand side are panels to add a permission to a group and to create a new group from a predefined template.
- To add a group, simply add a permission to a group that does not exist. Additional permissions can be added once the group is created.
- You can also create a group based on an existing template.
- To remove groups or permissions, mark their associated checkboxes and then press "Remove selected groups or permissions".
The permissions you can assign to a group are defined in the "Permissions list" section below and in the default Trac user guide. Some of the permissions are "lazy", granting a number of permissions at once. For example, DELETE grants permission to delete across all sections of the project while WIKI_DELETE only grants deletion rights for the wiki. In addition, a strong permission like DELETE grants all the weaker permissions like MODIFY and VIEW.
Managing users in groups
Users are added in the User | Groups section of the Admin tab, as shown below.
- To add a user to a group, go to the "Add user to group" section, select the group and enter their username. Then press "Add user".
- To move a user between groups, simply drag and drop.
- To remove a user from a group, drag it into the "Remove user from project" section and then press "Save".
There are two special "users", anonymous and authenticated, which you can specify (in the same way as any other username) to grant group membership to all users and to all logged-in users, respectively. WARNING! Projects with any anonymous rights are also listed for anonymous users, so granting any right to anonymous makes your project visible.
To add many users at a time, click the Add Users button in the "Add many users" section. The screen below is shown: enter each username on its own line, select a group and then press Submit.
Public and Private permission configurations
The screenshots for the group and user configurations shown above are for the default "Public project". The project first defines groups for the Project owner, Project members, Public contributors and Public viewers.
- Public viewers have permission to view the project and version control - by adding the anonymous user to this group we ensure that any user can see the project.
- Public contributors can create tickets and discussions. By adding the authenticated user to this group we ensure that any logged-in user can communicate with the project team. They can also request membership because they have the ALLOW_REQUEST_MEMBERSHIP right.
- Project members can additionally edit tickets and discussions, and submit to source control. Initially this group is empty, but administrators can add to it, and Public contributors can request to be added to it.
- Project owner has the TRAC_ADMIN permission, which grants all project rights. The creator of the project is added to this group.
A private project does not have the two "public" groups but is otherwise the same. This ensures that the project is not visible unless you are a member; the project owner needs to add new members as required.
Permissions list
Nokia Projects adds the following permissions to the default TRAC privileges:
| Privilege name | Purpose |
| ALLOW_REQUEST_MEMBERSHIP | Creates button on project UI to allow user to request membership |
| VERSION_CONTROL_VIEW | Read access to version control |
| VERSION_CONTROL | Read/write access to version control |
| WEBDAV | Read/write access to webdav storage |
| WEBDAV_VIEW | Access to view webdav |
| VIEW | All privileges ending _VIEW |
| MODIFY | All privileges ending _MODIFY or _VIEW |
| CREATE | All privileges ending _CREATE, _MODIFY or _VIEW |
| DELETE | All privileges ending _DELETE, _CREATE, _MODIFY or _VIEW. This grants all rights to view, edit and modify wiki, discussion boards and tickets. |
| XML_RPC | Access the XML (and JSON) RPC interface to Trac. This enables plugin development; for example, you can use it with the Eclipse+mylyn plugin. |
| ATTACHMENT_CREATE | Attach a file to wiki |
| DISCUSSION_ADMIN | Administrate discussions |
| DISCUSSION_ANNOUNCEAPPEND | Append comments to the announcement discussion board |
| DISCUSSION_ANNOUNCECREATE | Create announcements |
| DISCUSSION_APPEND | Add responses to any other discussion board |
| DISCUSSION_ATTACH | Attach files to a thread |
| DISCUSSION_MODERATE | Moderate (edit, alter) existing discussion boards |
| DISCUSSION_VIEW | View discussion boards |
| DOWNLOADS_ADD | Add files to download section of project |
| DOWNLOADS_ADMIN | Administrate the downloads section |
| DOWNLOADS_VIEW | View download files |
| PRIVATE_SUMMARY_VIEW | Allows users to view the summary page. |
Many of the permissions combine a number of related permissions, making it easier to grant a set of rights in one go. For example, in most cases we're happy for a user that can delete tickets, to also be able to delete discussions and wiki pages. These "Lazy permissions" are explained below.
Note also that when we named the new permissions above we have used the normal Trac "_VIEW", "_CREATE" naming convention where possible. In some cases we've had to use meaningful alternatives like "APPEND" and "ATTACH".
Lazy permissions
There are some special rights that can be used to give several rights at the same time. These are DELETE, CREATE, MODIFY and VIEW. In Trac many of the rights end in these words, and granting one of them grants all of the matching permissions. For example, with VIEW you give all rights ending with _VIEW (WIKI_VIEW, MILESTONE_VIEW, TICKET_VIEW and so on).
Lazy rights inherit all the rights defined at the weaker levels. For example, giving CREATE grants all rights ending with _CREATE, _MODIFY and _VIEW; to be able to modify, you need to be able to view anyway. DELETE is the strongest in the set of lazy rights, granting almost all of the other view and modification rights. TRAC_ADMIN could also be seen as a lazy right: it gives all the rights that exist in a project.
Lazy rights save some time but are not always suitable. You should still think about what your groups need. For example, if you want to give only TICKET_CREATE to a bigger set of users so that they can report bugs but not view anything, you should define it individually. Also notice that some rights don't end with "lazy right" words: VERSION_CONTROL, VERSION_CONTROL_READ and WEBDAV, for example. This just means that you need to remember to add these rights individually when you need them.
FAQ
How can I keep my project private but still make it easier to join and discover?
The problem with a private configuration is that no one can find your project except by invitation. It's also possible that you want to share the results of your project (e.g. a featured download) without sharing your source code, tickets or discussion.
An easy solution is to create a group with PRIVATE_SUMMARY_VIEW and/or ALLOW_REQUEST_MEMBERSHIP, and assign the anonymous username. This makes it easy for developers to find out about your project and request membership, while still keeping the inner workings private.
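The following added example (not code from Nokia Developer Projects or Trac) models the lazy-permission expansion from the "Lazy permissions" section and uses it to audit what the anonymous user receives in the private-but-discoverable setup from this FAQ. It assumes the suffix rule from the permissions table applies literally; the function names, the group name "Discoverable", the usernames and the reduced permission set `KNOWN` are constructed for illustration.

```python
# Added example; KNOWN is a constructed sample of names, not the full Trac list.
LAZY_SUFFIXES = {
    "VIEW": ("_VIEW",),
    "MODIFY": ("_MODIFY", "_VIEW"),
    "CREATE": ("_CREATE", "_MODIFY", "_VIEW"),
    "DELETE": ("_DELETE", "_CREATE", "_MODIFY", "_VIEW"),
}
KNOWN = {
    "WIKI_VIEW", "WIKI_CREATE", "WIKI_MODIFY", "WIKI_DELETE",
    "TICKET_VIEW", "TICKET_CREATE", "TICKET_MODIFY",
    "DISCUSSION_VIEW", "DOWNLOADS_VIEW", "PRIVATE_SUMMARY_VIEW",
    "VERSION_CONTROL_VIEW", "VERSION_CONTROL", "WEBDAV_VIEW", "WEBDAV",
    "ALLOW_REQUEST_MEMBERSHIP", "XML_RPC",
}

def expand(granted):
    """Concrete permissions implied by a set of grants."""
    if "TRAC_ADMIN" in granted:
        return set(KNOWN)                  # TRAC_ADMIN grants every project right
    effective = set()
    for perm in granted:
        suffixes = LAZY_SUFFIXES.get(perm)
        if suffixes is None:
            effective.add(perm)            # ordinary permission, granted as-is
        else:                              # lazy right: match by name suffix
            effective |= {p for p in KNOWN if p.endswith(suffixes)}
    return effective

def effective_for(user, groups, logged_in=True):
    """Union of rights from every group the user falls into."""
    identities = {"anonymous"}             # 'anonymous' matches all users
    if logged_in:
        identities |= {"authenticated", user}
    perms = set()
    for group in groups.values():
        if group["members"] & identities:
            perms |= expand(group["perms"])
    return perms

# Constructed private-project configuration following the FAQ above.
SAMPLE_GROUPS = {
    "Project owner": {"perms": {"TRAC_ADMIN"}, "members": {"owner"}},
    "Project members": {"perms": {"CREATE", "VERSION_CONTROL"}, "members": {"alice"}},
    "Discoverable": {"perms": {"PRIVATE_SUMMARY_VIEW", "ALLOW_REQUEST_MEMBERSHIP"},
                     "members": {"anonymous"}},
}

# What a visitor who is not logged in can do in this project.
print(sorted(effective_for("anonymous", SAMPLE_GROUPS, logged_in=False)))
```

Swapping the "Discoverable" group's permissions for the lazy VIEW right would, under the same suffix rule, also hand anonymous visitors VERSION_CONTROL_VIEW and WEBDAV_VIEW, which is why the FAQ's narrow grant is the safer choice for a private project.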
Attachments
- group_permissions.png (59.4 KB), added by hamishwillee 6 months ago: Projects Group Permissions selection dialog
- user_groups.png (48.6 KB), added by hamishwillee 6 months ago: User group membership administration
- select_multiple_users.png (20.9 KB), added by hamishwillee 6 months ago: Dialog for selecting multiple users

