Opened 20 years ago
Closed 17 years ago
#834 closed enhancement (fixed)
Complete ACL management
| Reported by: | utopiste | Owned by: | Alec Thomas |
|---|---|---|---|
| Priority: | normal | Milestone: | 0.11 |
| Component: | general | Version: | devel |
| Severity: | normal | Keywords: | permission |
| Cc: | fabien@…, mark@… | Branch: | |
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
The Authz support inside trac do some work, we have some wiki not official patch, but we need a more robust ACL system.
Username or groups | Module | Item | Permission -------------------+---------+------------+-------------- utopiste | browser | /path/ | ReadWrite utopiste | report | 4 | Read utopiste | wiki | /secret | utopiste | wiki | /public | ReadWrite cmlenz | browser | /branches/ | ReadWrite authentified | ticket | | ReadWrite anonymous | | | ReadOnly anonymous | wiki | /public | ReadWrite
The AuthzPerm class will be moving to a ACL class and trac will provide import support to load the auth_mod_authz file inside the db. in the first we can provide a trac-admin interface, but for the 1.0 version a web management interface can be created.
Attachments (0)
Change History (14)
comment:1 by , 20 years ago
| Status: | new → assigned |
|---|
comment:2 by , 20 years ago
comment:3 by , 19 years ago
i expect to support both, currently the ini file parsing is not optimised when file are very large and the directory contain a lot of file. the second reason is that i want a universal fine grained permission class. this feature is for the next release, i expect some discussion in the next week.
comment:4 by , 19 years ago
Looks good, but it doesn't really make sense to have two different versions of permissions on browsing the repository. Why not cache it?
Parse the svn authz file and store it along with the last modified date in the database. If the permissions in that file are changed update the database again. Disable the ability to edit it directly in the database.
Or make a ini setting in trac to disable this, which would allow different access control through trac. Which only makes sense if the repository isn't directly accessable through webdav or svn.
comment:5 by , 19 years ago
Are you also considering access control based on the component of a new ticket or report? For example, limit the creating of tickets for a certain component to a group op people. From the table above I see limiting reports based on it's number.
Something along the lines of:
Username or groups | Module | Item | Permission -------------------+---------+------------------+-------------- authenticated | report | secretcomponent | authenticated | ticket | secretcomponent | utopiste | report | secretcomponent | read utopiste | ticket | secretcomponent | readwrite
comment:6 by , 19 years ago
| Milestone: | 0.9 |
|---|
As I see it, this is definitely not going to happen for 0.9.
comment:7 by , 19 years ago
| Severity: | major → enhancement |
|---|
comment:9 by , 19 years ago
| Cc: | added |
|---|
comment:10 by , 18 years ago
| Cc: | added |
|---|
comment:11 by , 18 years ago
| Milestone: | → 0.11 |
|---|---|
| Owner: | changed from to |
| Status: | assigned → new |
This should be supported as part of the PermissionPolicy work planned for 0.11. Alec: if you already have another ticket covering this it's probably safe to close this ticket.
comment:13 by , 17 years ago
| Keywords: | permission added; security removed |
|---|
comment:14 by , 17 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
TracDev/SecurityBranch merged in r5514. A sample plugin implementing authz based access control is included as an example.
But what's the point of storing the authz information in the db if subversion can't use it any longer?