Context Navigation

Back to Ticket #9566

Ticket #9566: 9566-scoped-repos-r10006.patch

File 9566-scoped-repos-r10006.patch, 13.8 KB (added by rblank, 22 months ago)
Support for scoped repositories.

trac/versioncontrol/svn_authz.py

diff --git a/trac/versioncontrol/svn_authz.py b/trac/versioncontrol/svn_authz.py

-                      a
         path = path[:idx + 1]
+def join(*args):
+    args = (arg.strip('/') for arg in args)
+    return '/'.join(arg for arg in args if arg)
 class ParseError(Exception):
     """Exception thrown for parse errors in authz files"""
 …
     authz_module_name = Option('trac', 'authz_module_name', '',
         """The module prefix used in the `authz_file` for the default
         repository. If left empty, the global sections will be used.
+        repository. If left empty, the global section is used.
         """)
     _mtime = 0
     _authz = {}
     _users = set()
+    _handled_perms = frozenset([('source', 'BROWSER_VIEW'),
+                                ('source', 'FILE_VIEW'),
+                                ('source', 'LOG_VIEW'),
+                                ('changeset', 'CHANGESET_VIEW')])
     # IPermissionPolicy methods
     def check_permission(self, action, username, resource, perm):
+        if username == 'anonymous':
+            usernames = ('$anonymous', '*')
+        else:
+            usernames = (username, '$authenticated', '*')
+        if action in ('BROWSER_VIEW', 'FILE_VIEW', 'LOG_VIEW'):
+        if (resource.realm, action) in self._handled_perms:
             authz, users = self._get_authz_info()
             if authz is None:
                 return False
+            if username == 'anonymous':
+                usernames = ('$anonymous', '*')
+            else:
+                usernames = (username, '$authenticated', '*')
             if resource is None:
                 return bool(users & set(usernames))
+            if resource.realm == 'source':
+                modules = [resource.parent.id or self.authz_module_name]
+                if modules[0]:
+                    modules.append('')
+                path = '/' + resource.id.strip('/')
+            rm = RepositoryManager(self.env)
+            repos = rm.get_repository(resource.parent.id)
+            scope = getattr(repos, 'scope', '')
+            modules = [resource.parent.id or self.authz_module_name]
+            if modules[0]:
+                modules.append('')
+            def check_path(path):
+                path = '/' + join(scope, path)
                 if path != '/':
                     path += '/'
 …
                        if spath.startswith(path)
                        for user in usernames):
                     return True
+            if resource.realm == 'source':
+                return check_path(resource.id)
+        elif action == 'CHANGESET_VIEW':
+            authz, users = self._get_authz_info()
+            if authz is None:
+                return False
+            if resource is None:
+                return bool(users & set(usernames))
+            if resource.realm == 'changeset':
+                rm = RepositoryManager(self.env)
+                repos = rm.get_repository(resource.parent.id)
+            elif resource.realm == 'changeset':
                 changes = list(repos.get_changeset(resource.id).get_changes())
+                if not changes:
+                if not changes or any(check_path(change[0])
+                                      for change in changes):
                     return True
-                source = Resource('source', version=resource.id,
-                                  parent=resource.parent)
-                return any('FILE_VIEW' in perm(source(id=change[0]))
-                           for change in changes)
     def _get_authz_info(self):
         try:

trac/versioncontrol/tests/svn_authz.py

diff --git a/trac/versioncontrol/tests/svn_authz.py b/trac/versioncontrol/tests/svn_authz.py

-                      a
 import unittest
 from trac.resource import Resource
 from trac.test import EnvironmentStub
+from trac.test import EnvironmentStub, Mock
 from trac.util import create_file
+from trac.versioncontrol.api import RepositoryManager
 from trac.versioncontrol.svn_authz import AuthzSourcePolicy, ParseError, \
                                           parse
 …
 &jekyll = r
 [/aliases_b]
 @alias2 = r
+# Scoped repository
+[scoped:/scope/dir1]
+joe = r
+[scoped:/scope/dir2]
+jane = r
 """)
         self.env = EnvironmentStub(enable=[AuthzSourcePolicy])
         self.env.config.set('trac', 'authz_file', self.authz)
         self.policy = AuthzSourcePolicy(self.env)
+        # Monkey-subclass RepositoryManager to serve mock repositories
+        rm = RepositoryManager(self.env)
+        class TestRepositoryManager(rm.__class__):
+            def get_repository(self, reponame):
+                if reponame == 'scoped':
+                    def get_changeset(rev):
+                        if rev == 123:
+                            def get_changes():
+                                yield ('/dir1/file',)
+                        elif rev == 456:
+                            def get_changes():
+                                yield ('/dir2/file',)
+                        else:
+                            def get_changes():
+                                return iter([])
+                        return Mock(get_changes=get_changes)
+                    return Mock(scope='/scope',
+                                get_changeset=get_changeset)
+                return Mock()
+        rm.__class__ = TestRepositoryManager
     def tearDown(self):
         self.env.reset_db()
         os.remove(self.authz)
     def assertPermission(self, result, user, reponame, path):
+    def assertPathPerm(self, result, user, reponame, path):
         """Assert that `user` is granted access `result` to `path` within
         the repository `reponame`.
         """
 …
             check = self.policy.check_permission(perm, user, resource, None)
             self.assertEqual(result, check)
+    def assertRevPerm(self, result, user, reponame, rev):
+        """Assert that `user` is granted access `result` to `rev` within
+        the repository `reponame`.
+        """
+        resource = Resource('changeset', rev,
+                            parent=Resource('repository', reponame))
+        check = self.policy.check_permission('CHANGESET_VIEW', user, resource,
+                                             None)
+        self.assertEqual(result, check)
     def test_default_permission(self):
         # By default, permissions are undecided
         self.assertPermission(None, 'joe', '', '/not_defined')
         self.assertPermission(None, 'jane', 'repo', '/not/defined/either')
+        self.assertPathPerm(None, 'joe', '', '/not_defined')
+        self.assertPathPerm(None, 'jane', 'repo', '/not/defined/either')
     def test_read_write(self):
         # Allow 'r' and 'rw' entries, deny 'w' and empty entries
         self.assertPermission(True, 'user', '', '/readonly')
         self.assertPermission(True, 'user', '', '/readwrite')
         self.assertPermission(False, 'user', '', '/writeonly')
         self.assertPermission(False, 'user', '', '/empty')
+        self.assertPathPerm(True, 'user', '', '/readonly')
+        self.assertPathPerm(True, 'user', '', '/readwrite')
+        self.assertPathPerm(False, 'user', '', '/writeonly')
+        self.assertPathPerm(False, 'user', '', '/empty')
     def test_trailing_slashes(self):
         # Combinations of trailing slashes in the file and in the path
         self.assertPermission(True, 'user', '', '/trailing_a')
         self.assertPermission(True, 'user', '', '/trailing_a/')
         self.assertPermission(True, 'user', '', '/trailing_b')
         self.assertPermission(True, 'user', '', '/trailing_b/')
+        self.assertPathPerm(True, 'user', '', '/trailing_a')
+        self.assertPathPerm(True, 'user', '', '/trailing_a/')
+        self.assertPathPerm(True, 'user', '', '/trailing_b')
+        self.assertPathPerm(True, 'user', '', '/trailing_b/')
     def test_sub_path(self):
         # Permissions are inherited from containing directories
         self.assertPermission(True, 'user', '', '/sub/path')
         self.assertPermission(True, 'user', '', '/sub/path/test')
         self.assertPermission(True, 'user', '', '/sub/path/other/sub')
+        self.assertPathPerm(True, 'user', '', '/sub/path')
+        self.assertPathPerm(True, 'user', '', '/sub/path/test')
+        self.assertPathPerm(True, 'user', '', '/sub/path/other/sub')
     def test_module_usage(self):
         # If a module name is specified, the rules are specific to the module
         self.assertPermission(True, 'user', 'module', '/module_a')
         self.assertPermission(None, 'user', 'module', '/module_b')
+        self.assertPathPerm(True, 'user', 'module', '/module_a')
+        self.assertPathPerm(None, 'user', 'module', '/module_b')
         # If a module is specified, but the configuration contains a non-module
         # path, the non-module path can still apply
         self.assertPermission(True, 'user', 'module', '/module_c')
+        self.assertPathPerm(True, 'user', 'module', '/module_c')
         # The module-specific rule takes precedence
         self.assertPermission(False, 'user', 'module', '/module_d')
+        self.assertPathPerm(False, 'user', 'module', '/module_d')
     def test_wildcard(self):
         # The * wildcard matches all users, including anonymous
         self.assertPermission(True, 'anonymous', '', '/wildcard')
         self.assertPermission(True, 'joe', '', '/wildcard')
         self.assertPermission(True, 'jane', '', '/wildcard')
+        self.assertPathPerm(True, 'anonymous', '', '/wildcard')
+        self.assertPathPerm(True, 'joe', '', '/wildcard')
+        self.assertPathPerm(True, 'jane', '', '/wildcard')
     def test_special_tokens(self):
         # The $anonymous token matches only anonymous users
         self.assertPermission(True, 'anonymous', '', '/special/anonymous')
         self.assertPermission(None, 'user', '', '/special/anonymous')
+        self.assertPathPerm(True, 'anonymous', '', '/special/anonymous')
+        self.assertPathPerm(None, 'user', '', '/special/anonymous')
         # The $authenticated token matches all authenticated users
         self.assertPermission(None, 'anonymous', '', '/special/authenticated')
         self.assertPermission(True, 'joe', '', '/special/authenticated')
         self.assertPermission(True, 'jane', '', '/special/authenticated')
+        self.assertPathPerm(None, 'anonymous', '', '/special/authenticated')
+        self.assertPathPerm(True, 'joe', '', '/special/authenticated')
+        self.assertPathPerm(True, 'jane', '', '/special/authenticated')
     def test_groups(self):
         # Groups are specified in a separate section and used with an @ prefix
         self.assertPermission(True, 'user', '', '/groups_a')
+        self.assertPathPerm(True, 'user', '', '/groups_a')
         # Groups can also be members of other groups
         self.assertPermission(True, 'user', '', '/groups_b')
+        self.assertPathPerm(True, 'user', '', '/groups_b')
         # Groups should not be defined cyclically, but they are still handled
         # correctly to avoid infinite loops
         self.assertPermission(True, 'user', '', '/cyclic')
+        self.assertPathPerm(True, 'user', '', '/cyclic')
     def test_precedence(self):
         # Module-specific sections take precedence over non-module sections
         self.assertPermission(False, 'user', 'module', '/precedence_a')
+        self.assertPathPerm(False, 'user', 'module', '/precedence_a')
         # The most specific section applies
         self.assertPermission(True, 'user', '', '/precedence_b/sub/test')
         self.assertPermission(False, 'user', '', '/precedence_b/sub')
         self.assertPermission(True, 'user', '', '/precedence_b')
+        self.assertPathPerm(True, 'user', '', '/precedence_b/sub/test')
+        self.assertPathPerm(False, 'user', '', '/precedence_b/sub')
+        self.assertPathPerm(True, 'user', '', '/precedence_b')
         # Within a section, the first matching rule applies
         self.assertPermission(False, 'user', '', '/precedence_c')
         self.assertPermission(True, 'user', '', '/precedence_d')
+        self.assertPathPerm(False, 'user', '', '/precedence_c')
+        self.assertPathPerm(True, 'user', '', '/precedence_d')
     def test_aliases(self):
         # Aliases are specified in a separate section and used with an & prefix
         self.assertPermission(True, 'Mr Hyde', '', '/aliases_a')
+        self.assertPathPerm(True, 'Mr Hyde', '', '/aliases_a')
         # Aliases can also be used in groups
+        self.assertPermission(True, 'Mr Hyde', '', '/aliases_b')
+        self.assertPathPerm(True, 'Mr Hyde', '', '/aliases_b')
+    def test_scoped_repository(self):
+        # Take repository scope into account
+        self.assertPathPerm(True, 'joe', 'scoped', '/dir1')
+        self.assertPathPerm(None, 'joe', 'scoped', '/dir2')
+        self.assertPathPerm(True, 'joe', 'scoped', '/')
+        self.assertPathPerm(None, 'jane', 'scoped', '/dir1')
+        self.assertPathPerm(True, 'jane', 'scoped', '/dir2')
+        self.assertPathPerm(True, 'jane', 'scoped', '/')
+    def test_changesets(self):
+        # Changesets are allowed if at least one changed path is allowed, or
+        # if the changeset is empty
+        self.assertRevPerm(True, 'joe', 'scoped', 123)
+        self.assertRevPerm(None, 'joe', 'scoped', 456)
+        self.assertRevPerm(True, 'joe', 'scoped', 789)
+        self.assertRevPerm(None, 'jane', 'scoped', 123)
+        self.assertRevPerm(True, 'jane', 'scoped', 456)
+        self.assertRevPerm(True, 'jane', 'scoped', 789)
+        self.assertRevPerm(None, 'user', 'scoped', 123)
+        self.assertRevPerm(None, 'user', 'scoped', 456)
+        self.assertRevPerm(True, 'user', 'scoped', 789)
 def suite():

Download in other formats:

Original Format