#10203 new enhancement

[PATCH] AuthzPolicy to allow multiple user/group permissions

Reported by:	Brian Wasserman <brian-trac@…>	Owned by:
Priority:	normal	Milestone:	undecided
Component:	general	Version:
Severity:	normal	Keywords:	permission policies policy AuthzPolicy authzpolicy patch
Cc:	Thijs Triemstra	Branch:
Release Notes:
API Changes:
Internal Changes:

Description

The current implementation of AuthzPolicy does not support a user being a member of multiple groups that simultaneously define permissions either in the same section/path definition or via inheritance. This is because permission checks are only evaluated for the first matching rule with a matching user or group for which a user is a member. The authzpolicy.conf below currently evaluates to just WIKI_MODIFY for wiki:TestStuff* paths, which effectively denies WIKI_VIEW and WIKI_CREATE.

authzpolicy.conf

[groups]
wikiviewer = testuser1, testuser2
wikimodifier = testuser2
wikicreator = testuser2

[wiki:TestStuff*]
@wikimodifier = WIKI_MODIFY
@wikicreator = WIKI_CREATE

[wiki:*]
@wikiviewer = WIKI_VIEW

I am illustrating how the proposed enhancement will allow both users to view all wiki pages, yet testuser2 will be able to both create and modify wiki pages that match the path wiki:TestStuff*. Notice how WIKI_VIEW access is preserved/inherited via the wiki:* path while @wikimodifier and @wikicreator are effectively the union of both permission groups.

I am attaching a proposed patch that would effectively do what I am proposing. The gist is as follows:

Pass action to authz_permissions call so it can be action-aware.
Added anonymous to authenticated valid_users so authenticated users can inherit permissions from anonymous.
Only return permissions on match if it is explicitly granted or denied.

The only caveat is that you only should deny access to anonymous or authenticated and not use other groups as a way to negate permissions. For example, if anonymous has WIKI_VIEW on wiki:* then doesn't have a group @limiteduser remove WIKI_VIEW. Instead restrict access to anonymous and use a group @specialuser grant additional access.

Attachments (1)

authz_policy.patch (8.7 KB ) - added by Brian Wasserman <brian-trac@…> 13 years ago.: AuthzPolicy patch to allow users to be members of multiple groups and their accesses be a union of all permissions

Download all attachments as: .zip

Change History (4)

by Brian Wasserman <brian-trac@…>, 13 years ago

Attachment:	authz_policy.patch added

AuthzPolicy patch to allow users to be members of multiple groups and their accesses be a union of all permissions

comment:1 by Thijs Triemstra, 13 years ago

Cc:	Thijs Triemstra added
Component:	admin/console → general
Keywords:	patch added
Summary:	AuthzPolicy to allow multiple user/group permissions → [PATCH] AuthzPolicy to allow multiple user/group permissions

comment:2 by Christian Boos, 13 years ago

Keywords:	authzpolicy added; authz_policy removed

comment:3 by Christian Boos, 11 years ago

Milestone:	→ undecided

All the tickets for {20} from last year have probably been seen multiple times by now, yet are still to be triaged…

Modify Ticket

Change Properties

Summary:
Description:	The current implementation of [trac:browser/tags/trac-0.12.2/tracopt/perm/authz_policy.py AuthzPolicy] does not support a user being a member of multiple groups that simultaneously define permissions either in the same section/path definition or via inheritance. This is because permission checks are only evaluated for the first matching rule with a matching user or group for which a user is a member. The authzpolicy.conf below currently evaluates to just WIKI_MODIFY for !wiki:TestStuff* paths, which effectively denies WIKI_VIEW and WIKI_CREATE. ==== authzpolicy.conf ==== {{{ [groups] wikiviewer = testuser1, testuser2 wikimodifier = testuser2 wikicreator = testuser2 [wiki:TestStuff] @wikimodifier = WIKI_MODIFY @wikicreator = WIKI_CREATE [wiki:] @wikiviewer = WIKI_VIEW }}} I am illustrating how the proposed enhancement will allow both users to view all wiki pages, yet testuser2 will be able to both create and modify wiki pages that match the path !wiki:TestStuff. Notice how WIKI_VIEW access is preserved/inherited via the wiki: path while @wikimodifier and @wikicreator are effectively the union of both permission groups. I am attaching a proposed patch that would effectively do what I am proposing. The gist is as follows: 1. Pass ''action'' to authz_permissions call so it can be action-aware. 1. Added anonymous to authenticated valid_users so authenticated users can inherit permissions from anonymous. 1. Only return permissions on match if it is explicitly granted or denied. The only caveat is that you only should deny access to anonymous or authenticated and not use other groups as a way to negate permissions. For example, if anonymous has WIKI_VIEW on wiki:* then doesn't have a group @limiteduser remove WIKI_VIEW. Instead restrict access to anonymous and use a group @specialuser grant additional access. You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as new The ticket will remain with no owner.

unassign The ticket will be disowned.

resolve as The resolution will be set. Next status will be 'closed'.

assign The owner will be changed from (none) to anonymous. Next status will be 'assigned'.

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Download in other formats:

Context Navigation