Opened 11 years ago
Last modified 10 years ago
#11293 closed defect
AuthzPolicy will fail silently if ConfigObj is not available — at Version 2
Reported by: | Dirk Stöcker | Owned by: | Ryan J Ollos |
---|---|---|---|
Priority: | highest | Milestone: | 1.0.2 |
Component: | general | Version: | 1.0-stable |
Severity: | normal | Keywords: | authzpolicy, permissions, exception |
Cc: | Jun Omae | Branch: | |
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description (last modified by )
When python-configobj is not available, the AuthzPolicy fails without any notice (except a log entry). In the default config that means that all pages are accessible and any restrictions are void. This is VERY dangerous.
Immediate Fix:
-
/usr/lib/python2.7/site-packages/tracopt/perm/authz_policy.py
old new 139 139 140 140 def check_permission(self, action, username, resource, perm): 141 141 if ConfigObj is None: 142 self.log.error(' configobj package not found')143 return None142 self.log.error('AuthzPolicy: configobj package not found') 143 return False # never silently fail! 144 144 145 145 if self.authz_file and not self.authz_mtime or \ 146 146 os.path.getmtime(self.get_authz_file()) > self.authz_mtime:
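Review bot: In the `ConfigObj is None` branch of check_permission, `return False` fails closed, but the failure is still reported only through `self.log.error`, and it is logged again on every permission check while denying every action for every user, administrators included. Consider raising a configuration error from this branch, or when the component is loaded, so the missing configobj package is shown to the operator rather than only written to the log. The `# never silently fail!` comment would then match what the code does.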
Also the setup.py should show clearly that AuthzPolicy requires python-configobj to make the problem obvious.
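The fail-open behaviour described above, as an added example that is not Trac's code or part of the original ticket. It models a policy chain in which the first `True`/`False` answer decides and `None` means "no opinion" (an assumption of this model); `AuthzLikePolicy`, `FallbackPolicy`, `has_permission`, `anonymous_can_view` and the sample data are hypothetical.

```python
# Simplified model of a policy chain (assumption: policies are asked in order,
# the first True/False answer decides, and None means "no opinion").

class AuthzLikePolicy:
    """Hypothetical stand-in for AuthzPolicy; not Trac's implementation."""

    def __init__(self, rules, parser_available, fail_closed):
        self.rules = rules                        # {resource: {user: {actions}}}
        self.parser_available = parser_available  # False models ConfigObj is None
        self.fail_closed = fail_closed            # True models the ticket's fix

    def check_permission(self, action, username, resource):
        if not self.parser_available:
            # Before the fix: abstain (None). After the fix: deny (False).
            return False if self.fail_closed else None
        users = self.rules.get(resource)
        if users is None:
            return None                           # no rule for this resource
        return action in users.get(username, set())


class FallbackPolicy:
    """Hypothetical last policy in the chain: plain per-user grants."""

    def __init__(self, grants):
        self.grants = grants

    def check_permission(self, action, username, resource):
        return action in self.grants.get(username, set())


def has_permission(policies, action, username, resource):
    for policy in policies:
        decision = policy.check_permission(action, username, resource)
        if decision is not None:
            return decision
    return False


# Constructed sample data: the page is restricted to alice, while anonymous
# holds a general WIKI_VIEW grant.
RULES = {"wiki:PrivatePage": {"alice": {"WIKI_VIEW"}}}
GRANTS = {"anonymous": {"WIKI_VIEW"}}


def anonymous_can_view(parser_available, fail_closed):
    chain = [AuthzLikePolicy(RULES, parser_available, fail_closed),
             FallbackPolicy(GRANTS)]
    return has_permission(chain, "WIKI_VIEW", "anonymous", "wiki:PrivatePage")
```

With the parser available the restricted page is denied to anonymous; with it missing, abstaining hands the decision to the fallback grant, while the fail-closed variant denies.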
Change History (2)
comment:1 by , 11 years ago
Description: | modified (diff) |
---|
comment:2 by , 11 years ago
Description: | modified (diff) |
---|---|
Keywords: | authzpolicy permissions added |
Milestone: | → 1.0.2 |
Owner: | set to |
Status: | new → assigned |
Summary: | AuthzPolicy fails SILENTLY! → AuthzPolicy will fail silently if ConfigObj is not available |
Related:
ConfigurationError is raised.
AuthzPolicy is added to [trac] permission_policies but the component is not enabled or fails to load, a ConfigurationError will be raised.
If [authz_policy] authz_file is not specified in trac.ini but AuthzPolicy is active, there is currently no error. We should probably raise a ConfigurationError in this case.