Changes between Version 4 and Version 5 of TracFineGrainedPermissions
- Timestamp: Dec 29, 2024, 12:16:11 PM (3 weeks ago)
TracFineGrainedPermissions
v4 v5 11 11 == Permission Policies 12 12 13 A great diversity of permission policies can be implemented and Trac comes with a few examples. 13 A great diversity of permission policies can be implemented and Trac comes with a few examples. 14 14 15 15 The active policies are determined by a [TracIni#trac-permission_policies-option configuration setting]: … … 28 28 * !LegacyAttachmentPolicy uses the coarse-grained permissions to check permissions on attachments. 29 29 30 Among the optional choices, there is [#AuthzPolicy], a very generic permission policy, based on an Authz-style system. See 31 [trac:source:branches/1.4-stable/tracopt/perm/authz_policy.py authz_policy.py] for details. 30 Among the optional choices, there is [#AuthzPolicy], a very generic permission policy, based on an Authz-style system. See [trac:source:branches/1.4-stable/tracopt/perm/authz_policy.py authz_policy.py] for details. 32 31 33 32 Another permission policy [#AuthzSourcePolicy], uses the [http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html path-based authorization] defined by Subversion to enforce permissions on the version control system. … … 37 36 === !AuthzPolicy 38 37 ==== Configuration 39 * Put an empty conf file (`authzpolicy.conf`) in a secure location on the server, not readable by users other than the webuser. If the file contains non-ASCII characters, the UTF-8 encoding should be used. 38 39 * Put an empty conf file (`authzpolicy.conf`) in a secure location on the server, not readable by users other than the webuser. If the file contains non-ASCII characters, the UTF-8 encoding should be used. 40 40 * Update your `trac.ini`: 41 41 1. modify the [TracIni#trac-permission_policies-option permission_policies] option in the `[trac]` section: … … 61 61 A policy will return either `True`, `False` or `None` for a given permission check. `True` is returned if the policy explicitly grants the permission. 
`False` is returned if the policy explicitly denies the permission. `None` is returned if the policy is unable to either grant or deny the permission. 62 62 63 NOTE: Only if the return value is `None` will the ''next'' permission policy be consulted. If none of the policies explicitly grants the permission, the final result will be `False`, i.e. permission denied.63 '''Note''': Only if the return value is `None` will the ''next'' permission policy be consulted. If none of the policies explicitly grants the permission, the final result will be `False`, i.e. permission denied. 64 64 65 65 The `authzpolicy.conf` file is a `.ini` style configuration file: … … 94 94 * Sections are checked against the current Trac resource descriptor '''IN ORDER''' of appearance in the configuration file. '''ORDER IS CRITICAL'''. 95 95 96 * Once a section matches, the current username is matched against the keys (usernames) of the section, '''IN ORDER'''. 97 * If a key (username) is prefixed with a `@`, it is treated as a group. 96 * Once a section matches, the current username is matched against the keys (usernames) of the section, '''IN ORDER'''. 97 * If a key (username) is prefixed with a `@`, it is treated as a group. 98 98 * If a value (permission) is prefixed with a `!`, the permission is denied rather than granted. 99 99 100 100 The username will match any of 'anonymous', 'authenticated', <username> or '*', using normal Trac permission rules. 101 101 102 || '''Note:''' Other groups which are created by user (e.g. by 'adding subjects to groups' on web interface page //Admin / Permissions//) cannot be used. See [trac:#5648] for details about this missing feature. || 102 '''Note''': Other groups which are created by user (e.g. by 'adding subjects to groups' on web interface page //Admin / Permissions//) cannot be used. See [trac:#5648] for details about this missing feature. 
103 103 104 104 For example, if the `authz_file` contains: … … 118 118 }}} 119 119 120 Then: 120 Then: 121 121 * All versions of WikiStart will be viewable by everybody, including anonymous 122 122 * !PrivatePage will be viewable only by john … … 172 172 john = BROWSER_VIEW, FILE_VIEW 173 173 174 # John has BROWSER_VIEW and FILE_VIEW access to all revisions of 'somefile' at trunk/src/some/location only 174 # John has BROWSER_VIEW and FILE_VIEW access to all revisions of 'somefile' at trunk/src/some/location only 175 175 [repository:test_repo@*/source:trunk/src/some/location/somefile@*] 176 176 john = BROWSER_VIEW, FILE_VIEW … … 184 184 185 185 ==== Missing Features 186 186 187 Although possible with the !DefaultPermissionPolicy handling (see Admin panel), fine-grained permissions still miss those grouping features (see [trac:#9573], [trac:#5648]). Patches are partially available, see authz_policy.2.patch, part of [trac:ticket:6680 #6680]. 187 188 … … 199 200 [groups] 200 201 permission_level_1 = WIKI_VIEW, TICKET_VIEW 201 permission_level_2 202 permission_level_2 = permission_level_1, WIKI_MODIFY, TICKET_MODIFY 202 203 [*] 203 204 @team1 = permission_level_1 … … 206 207 }}} 207 208 208 === !AuthzSourcePolicy 209 210 `AuthzSourcePolicy` can be used for restricting access to the repository. Granular permission control needs a definition file, which is the one used by Subversion's `mod_authz_svn`. 209 === !AuthzSourcePolicy (`mod_authz_svn`-like permission policy) #AuthzSourcePolicy 210 211 `AuthzSourcePolicy` can be used for restricting access to the repository. Granular permission control needs a definition file, which is the one used by Subversion's `mod_authz_svn`. 211 212 More information about this file format and about its usage in Subversion is available in the [http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html Path-Based Authorization] section in the Server Configuration chapter of the svn book. 212 213 … … 251 252 ... 
252 253 [repositories] 253 somemodule.dir = /srv/active/svn/somemodule 254 somemodule.dir = /srv/active/svn/somemodule 254 255 }}} 255 256 256 257 where the svn access file, {{{/path/to/svnaccessfile}}}, contains entries such as {{{[somemodule:/some/path]}}}. 257 258 258 '''Note:''' Usernames inside the Authz file __must__ be the same as those used inside trac. 259 '''Note:''' Usernames inside the Authz file __must__ be the same as those used inside trac. 259 260 260 261 Make sure you have ''!AuthzSourcePolicy'' included in the permission_policies list in trac.ini, otherwise the authz permissions file will be ignored. … … 319 320 320 321 == Debugging permissions 322 321 323 In trac.ini set: 322 324 {{{#!ini … … 336 338 ---- 337 339 See also: TracPermissions, 338 [http ://trac-hacks.org/wiki/FineGrainedPageAuthzEditorPlugin FineGrainedPageAuthzEditorPlugin] for a simple editor.340 [https://trac-hacks.org/wiki/FineGrainedPageAuthzEditorPlugin FineGrainedPageAuthzEditorPlugin] for a simple editor.
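Review bot: the `[groups]` hunk (diff lines 199-207) repairs an invalid example: `permission_level_2` stood alone with no `=` and no value, which is not a valid key/value line in the `.ini`-style `authzpolicy.conf`, and now reads `permission_level_2 = permission_level_1, WIKI_MODIFY, TICKET_MODIFY`. Since the paragraph just above (line 187) says the grouping features are still missing and only partially patched, a sentence next to the example stating whether a group may list another group as a member in a stock install, or only with the referenced patch, would keep readers from copying a configuration that silently grants nothing.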
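Review bot: the explicit `#AuthzSourcePolicy` anchor added to the renamed heading (diff lines 208-210) is required, not cosmetic: the earlier text links to `[#AuthzSourcePolicy]` (line 32), and once the heading text becomes `!AuthzSourcePolicy (`mod_authz_svn`-like permission policy)` the auto-generated anchor would no longer match. The `=== !AuthzPolicy` heading is linked the same way from `[#AuthzPolicy]` (line 30) and has no explicit anchor; giving it one as well would protect that link if its heading is ever reworded.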
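Review bot: the "See also" hunk (diff lines 337-340) fixes a real breakage, not just a scheme upgrade: `http ://trac-hacks.org/...` contains a space in the scheme, so the bracketed link would not have rendered as a link at all; the replacement `[https://trac-hacks.org/wiki/FineGrainedPageAuthzEditorPlugin FineGrainedPageAuthzEditorPlugin]` is well-formed. The Subversion book links earlier in the page (lines 32 and 211) still use plain `http://` and could be updated in the same pass.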