Edgewall Software

Opened 18 years ago

Closed 18 years ago

Last modified 18 years ago

#3525 closed defect (wontfix)

Project index should check permissions

Reported by: christian@…
Owned by: Christopher Lenz
Priority: normal
Component: general
Version: 0.9.6
Severity: normal

Description

The project index generates a list of available projects by searching for subdirectories that happen to be valid Trac environments. It simply tries to open those environments and (if that worked flawlessly) adds them to the list of projects.

See line 301 ff.

It should however check if the current user actually has any permissions for the project before adding it to the list. A user needs at least WIKI_VIEW to view the project start page.

I'll prepare a patch to see if this works, but in the meantime I'd like to propose this as a feature request.

Attachments (0)

Change History (3)

comment:1 by Christopher Lenz, 18 years ago

Component: mod_python frontend → general
Resolution: → wontfix
Status: new → closed

First, we cannot assume that WIKI_VIEW is required to view a project. A project may have the wiki disabled, and the default handler set to the timeline, for example. So you'd probably have to check if the user has any permission on a project.

Second, in a “normal” Trac setup, authentication information is not available on the project index page. The only way to make it available would be to require authentication on the project index page itself, because the auth cookies are restricted to the individual project paths. Furthermore, the IAuthenticator system that determines how a username is detected is configured per project, so you'd probably need to jump through some hoops to make it work on the project index page.

All in all, I think this should wait for proper multi-project support, where we'll have a “global login”.

comment:2 by andy@…, 18 years ago

christian,

If you are still wanting to work on this I would be happy to include it in my multi-project wrapper TraM. There the project index is at "…/all/projects" so we can utilize the authentication cookie for the "all" project.

Post a bug etc over on dev.rectang.com if you are interested etc ;)

Andy

comment:3 by christian@…, 18 years ago

Christopher, as I wrote in my original request: It needs to check if the user (if any) actually has any permissions on the project in question. No logged in user would mean that "anonymous" needs to have any permissions. Of course you're right, the wiki start page just happens to be the first page by default, it could change eventually…

Talking about the login: Instead of configuring multiple …/login URLs, I simply protected the virtual host as a whole (since this is exactly what I need here). Trac happily accepts this information, no need to click on "login", the user information is "just there". Why shouldn't it be possible to take the REMOTE_USER on the projects list page and see if he's got any permissions with those projects under TracEnvParentDir?
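
The check discussed in this thread (list a project only if REMOTE_USER, or "anonymous" when nobody is logged in, holds any permission on it), as an added example that is not part of the ticket or of Trac's own code. It is a simplified model of a per-project permission table as (subject, action) rows with group expansion; the function names and sample projects are hypothetical.

```python
# Added example: simplified model of Trac's per-project `permission` table.
# Rows are (subject, action); an UPPERCASE action is a permission, anything
# else names a group the subject belongs to. All project data is constructed.

def effective_permissions(rows, remote_user):
    """Permissions granted to remote_user (None means not logged in)."""
    subjects = {"anonymous"}                 # everyone gets anonymous grants
    if remote_user:
        subjects |= {remote_user, "authenticated"}
    perms, pending = set(), list(subjects)
    while pending:                           # expand group membership transitively
        subject = pending.pop()
        for who, action in rows:
            if who != subject:
                continue
            if action.isupper():
                perms.add(action)
            elif action not in subjects:
                subjects.add(action)
                pending.append(action)
    return perms


def visible_projects(load_rows, project_names, remote_user):
    """Project index filter: list a project only if the user holds any permission."""
    visible = []
    for name in sorted(project_names):
        try:
            rows = load_rows(name)
        except Exception:
            continue                         # fail closed: unreadable env is not listed
        if effective_permissions(rows, remote_user):
            visible.append(name)
    return visible


# Constructed sample data: three environments under one parent directory.
SAMPLE = {
    "public":   [("anonymous", "WIKI_VIEW"), ("authenticated", "TICKET_CREATE")],
    "internal": [("developers", "TIMELINE_VIEW"), ("christian", "developers")],
    "private":  [("admin", "TRAC_ADMIN")],
}

def load_sample(name):
    if name == "broken":
        raise IOError("environment could not be opened")
    return SAMPLE[name]
```

The "internal" project grants only TIMELINE_VIEW, so a filter keyed on WIKI_VIEW alone would hide it from a user who can in fact open it.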
