Ticket #834 (closed enhancement: fixed)
Opened 7 years ago
Last modified 5 years ago
Complete ACL management
| Reported by: | utopiste | Owned by: | athomas |
|---|---|---|---|
| Priority: | normal | Milestone: | 0.11 |
| Component: | general | Version: | devel |
| Severity: | normal | Keywords: | permission |
| Cc: | fabien@…, mark@… | | |
| Release Notes: | | | |
| API Changes: | | | |
Description
The Authz support inside Trac does some work, and we have some unofficial wiki patches, but we need a more robust ACL system.

| Username or groups | Module | Item | Permission |
|---|---|---|---|
| utopiste | browser | /path/ | ReadWrite |
| utopiste | report | 4 | Read |
| utopiste | wiki | /secret | |
| utopiste | wiki | /public | ReadWrite |
| cmlenz | browser | /branches/ | ReadWrite |
| authentified | ticket | | ReadWrite |
| anonymous | | | ReadOnly |
| anonymous | wiki | /public | ReadWrite |

The AuthzPerm class will be moved to an ACL class, and Trac will provide import support to load the auth_mod_authz file into the db. At first we can provide a trac-admin interface, but for the 1.0 version a web management interface can be created.
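An added example, not code from this ticket or from Trac, showing one way the proposed table could be evaluated. The rule list is transcribed from the table above (the group is spelled `authenticated`, as in the later comments); the resolution semantics are assumptions: the single most specific matching rule decides, an empty Permission cell means no access, and items beginning with `/` match by prefix while others match exactly.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    principal: str   # username or group ("anonymous", "authenticated")
    module: str      # "" matches any module
    item: str        # "/"-prefixed items match by prefix, others exactly; "" matches any item
    permission: str  # "", "Read"/"ReadOnly" or "ReadWrite"; "" means no access (assumed)

# Constructed from the table in the ticket description.
RULES = [
    Rule("utopiste", "browser", "/path/", "ReadWrite"),
    Rule("utopiste", "report", "4", "Read"),
    Rule("utopiste", "wiki", "/secret", ""),
    Rule("utopiste", "wiki", "/public", "ReadWrite"),
    Rule("cmlenz", "browser", "/branches/", "ReadWrite"),
    Rule("authenticated", "ticket", "", "ReadWrite"),
    Rule("anonymous", "", "", "ReadOnly"),
    Rule("anonymous", "wiki", "/public", "ReadWrite"),
]

def principals_for(user):
    """Everyone is 'anonymous'; a logged-in user is also 'authenticated' and themselves."""
    if user is None or user == "anonymous":
        return {"anonymous"}
    return {"anonymous", "authenticated", user}

def matches(rule, user, module, item):
    if rule.principal not in principals_for(user) or rule.module not in ("", module):
        return False
    if rule.item == "":
        return True
    return item.startswith(rule.item) if rule.item.startswith("/") else item == rule.item

def specificity(rule, user):
    # Exact user beats group, named module beats wildcard, longer item beats shorter (assumed order).
    return (rule.principal == user, rule.module != "", len(rule.item))

def is_allowed(rules, user, module, item, action):
    """action is 'read' or 'write'; the single most specific matching rule decides."""
    candidates = [r for r in rules if matches(r, user, module, item)]
    if not candidates:
        return False          # default deny when no rule applies at all
    best = max(candidates, key=lambda r: specificity(r, user))
    if best.permission == "":
        return False          # empty cell: explicit no-access entry
    if action == "read":
        return best.permission in ("Read", "ReadOnly", "ReadWrite")
    return best.permission == "ReadWrite"
```

Under these semantics the table as written still lets anonymous read `/secret`, because only utopiste has a `/secret` entry and the anonymous wildcard row grants ReadOnly everywhere else; a deployment would need an explicit anonymous `/secret` row with an empty permission.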
Attachments
Change History
comment:1 Changed 7 years ago by utopiste
- Status changed from new to assigned
comment:2 Changed 7 years ago by jonas
comment:3 Changed 7 years ago by anonymous
I expect to support both; currently the ini file parsing is not optimised when files are very large and the directory contains a lot of files. The second reason is that I want a universal fine-grained permission class. This feature is for the next release; I expect some discussion in the next week.
comment:4 Changed 7 years ago by oohlaf @…
Looks good, but it doesn't really make sense to have two different versions of permissions on browsing the repository. Why not cache it?
Parse the svn authz file and store it along with the last modified date in the database. If the permissions in that file are changed update the database again. Disable the ability to edit it directly in the database.
Or make an ini setting in Trac to disable this, which would allow different access control through Trac. Which only makes sense if the repository isn't directly accessible through WebDAV or svn.
comment:5 Changed 7 years ago by oohlaf @…
Are you also considering access control based on the component of a new ticket or report? For example, limit the creation of tickets for a certain component to a group of people. From the table above I see limiting reports based on their number.

Something along the lines of:

| Username or groups | Module | Item | Permission |
|---|---|---|---|
| authenticated | report | secretcomponent | |
| authenticated | ticket | secretcomponent | |
| utopiste | report | secretcomponent | read |
| utopiste | ticket | secretcomponent | readwrite |
comment:6 Changed 7 years ago by cmlenz
- Milestone 0.9 deleted
As I see it, this is definitely not going to happen for 0.9.
comment:7 Changed 7 years ago by cmlenz
- Severity changed from major to enhancement
comment:8 Changed 7 years ago by mgood
#1586 has been marked as a duplicate of this ticket.
comment:9 Changed 6 years ago by anonymous
- Cc fabien@… added
comment:10 Changed 6 years ago by anonymous
- Cc mark@… added
comment:11 Changed 5 years ago by mgood
- Milestone set to 0.11
- Owner changed from utopiste to alect
- Status changed from assigned to new
This should be supported as part of the PermissionPolicy work planned for 0.11. Alec: if you already have another ticket covering this it's probably safe to close this ticket.
comment:12 Changed 5 years ago by anonymous
- Owner changed from alect to athomas
(reassign owner to correct username)
comment:13 Changed 5 years ago by sid
- Keywords permission added; security removed
comment:14 Changed 5 years ago by athomas
- Resolution set to fixed
- Status changed from new to closed
TracDev/SecurityBranch merged in r5514. A sample plugin implementing authz-based access control is included as an example.

But what's the point of storing the authz information in the db if Subversion can't use it any longer?