Edgewall Software

Changes between Version 1 and Version 2 of TracDev/PluginDevelopment/ExtensionPoints/trac.perm.IPermissionPolicy


Timestamp: Jun 3, 2011, 2:07:23 PM (13 years ago)
Author: Peter Suter
Comment: added examples

  • TracDev/PluginDevelopment/ExtensionPoints/trac.perm.IPermissionPolicy

    v1 v2  
    1616Only the ''permission_policies'' configured in [wiki:TracIni#trac-section trac.ini] will be used (in that order).
    1717
     18The policy is called for each action on a resource by a user. It can explicitly allow or deny that action, or abstain to defer the check to the next policy in the chain. (Note: It is first also called without a specific resource for a coarse realm permission check. See API Reference for details.)
     19
    1820== Examples ==
    1921
    2022See [#DebugPolicy], [#PublicWikiPolicy], [#SecurityTicketsPolicy]
     23
     24 * [http://thread.gmane.org/gmane.comp.version-control.subversion.trac.devel/393/focus=401 Mailing list post] with an example IPermissionPolicy implementation that blocks access to ticket 666. Here an updated version:
     25{{{
     26#!python
     27from trac.core import *
     28from trac.perm import IPermissionPolicy
     29
     30class Deny666(Component):
     31    implements(IPermissionPolicy)
     32
     33    def check_permission(self, action, username, resource, perm):
     34        if resource is not None and resource.realm == 'ticket' and \
     35                resource.id == 666:
     36            self.log.info("This is the Devil's work")
     37            return False
     38}}}
     39
     40 * Another [http://thread.gmane.org/gmane.comp.version-control.subversion.trac.devel/393/focus=402 mailing list post] with an example IPermissionPolicy implementation based on [h:TagsPlugin]. (Adding a tag 'john:view' on a wiki page or ticket would allow the user 'john' to WIKI_VIEW or TICKET_VIEW that resource. Adding a tag 'john:-view' would disallow it.) Here an updated version:
     41{{{
     42#!python
     43from trac.core import *
     44from trac.perm import IPermissionPolicy
     45
     46class TagPolicy(Component):
     47    """ Security policy based on tags. """
     48    implements(IPermissionPolicy)
     49
     50     def check_permission(self, action, username, resource, perm):
     51        if resource is None: return None
     52
     53        if action.startswith('WIKI_') or action.startswith('TICKET_'):
     54            from tractags.api import TagSystem
     55           
     56            class FakeRequest(object):
     57                def __init__(self, perm):
     58                    self.perm = perm
     59
     60            req = FakeRequest(perm)
     61            tags = TagSystem().get_tags(req, resource)
     62
     63            permission = action.lower().split('_')[1]
     64            ptag = ':'.join((username, permission))
     65            if ptag in tags:
     66                return True
     67
     68            nptag = ':-'.join((username, permission))
     69            if nptag in tags:
     70                return False
     71}}}
    2172
    2273== Available Implementations ==
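
Review bot: In TagPolicy (new lines 65-70) the allow tag is tested before the deny tag, so a resource carrying both 'john:view' and 'john:-view' returns True; test `nptag` first so that an explicit deny wins, and note in the text that the policy trusts whoever is able to edit tags on the resource. In the same class, `def check_permission` on new line 50 is indented five spaces while the rest of the class body uses four, which Python rejects with an IndentationError. `TagSystem()` on new line 61 is instantiated without the environment; Trac components are constructed with their component manager, so this should read `TagSystem(self.env)`. In Deny666, `resource.id == 666` on new line 35 only matches an integer id, so a ticket resource whose id is the string '666' would fall through to the next policy in the chain; normalising the id before comparing would close that gap.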