How Can I Grant Modification Permission on Work Item creationDate?
We recently upgraded our application from RTC 3 to RTC 4. One of our plugins starting failing when trying to modify the creationDate field in work items. Looking at that attribute, I noticed that it was marked as read-only. I removed the read-only flag. Now some users were getting errors and others weren't when trying to save work items - "you don't have permission to perform the following actions: modify/creationDate".
Investigating roles and permissions, I could not find a 'creationDate' field listed in the "Permitted actions -> save work item -> modify work item" list (Team Config -> Permissions area). I did find 'createDate' and so granted all users permission to modify this field. However, the same users were still getting the same error when trying to save a work item. I discovered that the users that could modify this field, had full (blanket) modify permissions set for their role. I believe one of two situations exists here: 1) the 'createDate' field and 'creationDate' field are the same, but granting individual permission to modify it is not working 2) the 'creationDate' is a hidden field from a permissions point of view, and modification privileges are only granted if a user has blanket modify permission. I would suspect #2 as being more likely. Perhaps because it is a built-in field that is marked as read-only out of the box. I would prefer not to have to grant all the users blanket modify permission, so I am looking for a better solution here. Thanks, Chris |
Comments
I'm not sure what's going on here, but I'm responsible for the part of the Jazz framework that enforces permission checks and I can at least chime in that we don't support anything like #2.
I have been doing some further investigation and I can confirm that Chris's observation regarding blanket modify permissions is accurate.
If I grant all modify permissions on a work item, either at the high level or by selecting each individual attribute I do not see an error.
If I remove any individual attribute then the error is seen.
Looking at the difference in the configuration xml between these edits it is fairly substantial. When all attributes are selected as modifiable there is a single xml element granting permissions. When any attribute is not selected I see an entry for each individual attribute.
So whether the behaviour is intentional or not it is clearly present.
I can recreate this issue at will in a test server. What is even stranger is that the error manifests on the first save of a newly created work item. I have looked over our code many times now an we do not attept to modify the creation date in any way so I am at a complete loss as to why we have this issue.
UPDATE: If I manually edit the configuration xml to grant modify permission for creationDate the error is resolved.