authz_policy receives 'None' as resource

[funsheep@…]

I'm running a trac 0.11.4 system on an apache2 server. I wanted to have the permissions checked by the AuthzPolicy. I have

• added the authz_policy field to the trac.ini and a correct path to an authz.conf file
• i have enabled the plugin (and for testing purposes disabled all other plugins)
• i have set permission_policies = AuthzPolicy
• authz_policy.py loaded from authz_policy.py - as stated on the website
• The trac installation is a fresh one, without editing anything. Trac was installed with easy_install
• The environment is also a fresh one
  • There is a global trac.ini defining the standard permission_policies among other things
  • And there is a environment specific trac.ini overwriting some of the definitions

My authz.conf looks like:

# vim: syntax=dosini

[groups]

administrator = me

developer = dev1, dev2, dev3

# Match everything else

[*]

@administrator = TRAC_ADMIN
anonymous = BLOG_VIEW, BROWSER_VIEW, CHANGESET_VIEW, FILE_VIEW, LOG_VIEW, MILESTONE_VIEW, REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_VIEW, SEARCH_VIEW, TICKET_VIEW, TIMELINE_VIEW, WIKI_VIEW

authenticated =  POLL_VOTE, TICKET_APPEND, TICKET_CREATE
@developer =  BLOG_CREATE, BLOG_MODIFY_OWN, WIKI_CREATE, WIKI_DELETE, WIKI_MODIFY, XML_RPC

After reloading the apache i'm not able to see anything but the wiki (blog plugin is disabled).

After checking the log, i found this entry

2009-07-03 12:50:00,462 Trac[authz_policy] DEBUG: Checking REPORT_VIEW on 

I then added some more debug-lines to the .py file and found this

        self.log.debug('Checking %s on %s (unnormalized)', action, resource)

gives

2009-07-03 12:50:00,461 Trac[authz_policy] DEBUG: Checking SEARCH_VIEW on None (unnormalized)

And fnmatch between '' and '*@*' (resource_glob) in line 216​ returns false.

Some of the permission checks work (therefore i know that the setup is ok). From the log

2009-07-03 12:50:00,458 Trac[authz_policy] DEBUG: Checking WIKI_VIEW on <Resource 'wiki'> (unnormalized)
2009-07-03 12:50:00,458 Trac[authz_policy] DEBUG: Checking WIKI_VIEW on wiki:*@*
2009-07-03 12:50:00,459 Trac[authz_policy] DEBUG: Resource glob *@*
2009-07-03 12:50:00,459 Trac[authz_policy] DEBUG: fnmatch gives: True
2009-07-03 12:50:00,459 Trac[authz_policy] DEBUG: wiki:*@* matched section *@* for user funsheep

[cboos]

Normally checking against "None" means "is the permission granted in general", so this shouldn't be problematic.

What happens if you add the TICKET_VIEW in the permissions?

[anonymous]

anonymous does already have the TICKET_VIEW permission (according to the policy file).

To me it seems that the authz_policy.py does not correctly handle the case of the 'None' resource.

[anonymous]

I have now verified that this problem also exists with trac v0.11.5. (Just installed it).

[cboos]

Works for me now. Probably r8786 also helped here, as anonymous is also listed before authenticated in the provided authzpolicy.conf.

No issue with None seen either.

[admin@…]

I've just encountered this problem on trac 0.11.6 RC1 my authz.conf file contained simply the following

[*]
* = TRAC_ADMIN

Which should grant everyone TRAC_ADMIN

It threw up the following errors

2009-11-24 11:31:20,917 Trac[authz_policy] DEBUG: Checking TICKET_CREATE on 
2009-11-24 11:31:20,917 Trac[perm] DEBUG: No policy allowed anonymous performing TICKET_CREATE on None

(That's just a sample the log was pretty long)

The problem seems to be because the resource_ket in authz_policy.py is an empty string so doesn't match anything in authz.conf file.

I added the following to the file under authz_permissions

        if resource_key == '':
        	resource_key = '*@*'
        	self.env.log.debug('Empty resource_key')

[admin@…]

patch for empty resource

[admin@…]

I've attached a patch for the file.

[rblank]

OT: Weird, the patch above seems to be rendered with Enscript in the preview...

[cboos]

Replying to rblank:

OT: Weird, the patch above seems to be rendered with Enscript in the preview...

It's not an unified diff, but a context diff.

I'll verify the issue.

[rblank]

Fix key for empty resources.

[rblank]

The patch above has the same effect, but feels slightly less hackish. OTOH, looking at auth_policy.py, I feel there is much to be improved there, both in terms of correctness and performance.

Review appreciated.

[cboos]

Patch looks good (but the second chunk is not needed, is it?)

[rblank]

Replying to cboos:

(but the second chunk is not needed, is it?)

It's not needed to solve this issue, but I feel it reads better. Also, it avoids creating two lists in the "authenticated" case.

[cboos]

Replying to rblank:

Also, it avoids creating two lists in the "authenticated" case.

Ah yes, my criterion so far has been to avoid one unnecessary line, but this sure beats it ;-)

[rblank]

Patch applied in [9345].