AuthzPolicy will fail silently if ConfigObj is not available

[Dirk Stöcker]

When python-configobj is not available, the AuthzPolicy fails without any notice (except a log entry). In the default config that means, that all pages are accessible and any restrictions are void. This is VERY dangerous.

Immediate Fix:

/usr/lib/python2.7/site-packages/tracopt/perm/authz_policy.py

@@ -139 +139 @@
 
     def check_permission(self, action, username, resource, perm):
         if ConfigObj is None:
-            self.log.error('configobj package not found')
-            return None
+            self.log.error('AuthzPolicy: configobj package not found')
+            return False # never silently fail!
 
         if self.authz_file and not self.authz_mtime or \
                 os.path.getmtime(self.get_authz_file()) > self.authz_mtime:

Also the setup.py should show clearly, that AuthzPolicy requires python-configobj to make the problem obvious.

[Ryan J Ollos]

Related:

• After #11272: if the authz file can't be found or can't be parsed, a ConfigurationError is raised.
• After #10285: If AuthzPolicy is added to [trac] permission_policies but the component is not enabled or fails to load, a ConfigurationError will be raised.

If [authz_policy] authz_file is not specified in trac.ini but AuthzPolicy is active, there is currently no error. We should probably raise a ConfigurationError in this case.