[PATCH] AuthzPolicy to allow multiple user/group permissions

[Brian Wasserman <brian-trac@…>]

The current implementation of AuthzPolicy does not support a user being a member of multiple groups that simultaneously define permissions either in the same section/path definition or via inheritance. This is because permission checks are only evaluated for the first matching rule with a matching user or group for which a user is a member. The authzpolicy.conf below currently evaluates to just WIKI_MODIFY for wiki:TestStuff* paths, which effectively denies WIKI_VIEW and WIKI_CREATE.

authzpolicy.conf

[groups]
wikiviewer = testuser1, testuser2
wikimodifier = testuser2
wikicreator = testuser2

[wiki:TestStuff*]
@wikimodifier = WIKI_MODIFY
@wikicreator = WIKI_CREATE

[wiki:*]
@wikiviewer = WIKI_VIEW

I am illustrating how the proposed enhancement will allow both users to view all wiki pages, yet testuser2 will be able to both create and modify wiki pages that match the path wiki:TestStuff*. Notice how WIKI_VIEW access is preserved/inherited via the wiki:* path while @wikimodifier and @wikicreator are effectively the union of both permission groups.

I am attaching a proposed patch that would effectively do what I am proposing. The gist is as follows:

1. Pass action to authz_permissions call so it can be action-aware.
2. Added anonymous to authenticated valid_users so authenticated users can inherit permissions from anonymous.
3. Only return permissions on match if it is explicitly granted or denied.

The only caveat is that you only should deny access to anonymous or authenticated and not use other groups as a way to negate permissions. For example, if anonymous has WIKI_VIEW on wiki:* then doesn't have a group @limiteduser remove WIKI_VIEW. Instead restrict access to anonymous and use a group @specialuser grant additional access.

[Brian Wasserman <brian-trac@…>]

AuthzPolicy patch to allow users to be members of multiple groups and their accesses be a union of all permissions