Edgewall Software

Changes between Version 45 and Version 46 of TracFineGrainedPermissions


Timestamp: Oct 10, 2013, 3:11:02 AM (11 years ago)
Author: Ryan J Ollos
Comment: Added section on ReadonlyWikiPolicy. Refs #11244.

  • TracFineGrainedPermissions

    v45 v46  
    290290For information about how to restrict access to entire projects in a multiple project environment see [trac:wiki:TracMultipleProjectsSVNAccess]
    291291
     292=== ReadonlyWikiPolicy
     293
     294Since 1.1.2, the read-only attribute of wiki pages is enabled and enforced when `ReadonlyWikiPolicy` is in the list of active permission policies. The default for new Trac installations in 1.1.2 and later is:
     295{{{
     296[trac]
     297permission_policies = ReadonlyWikiPolicy,
     298 DefaultPermissionPolicy,
     299 LegacyAttachmentPolicy
     300}}}
     301
     302When upgrading from earlier versions of Trac, `ReadonlyWikiPolicy` needs to be manually added to the list.
     303
     304The `ReadonlyWikiPolicy` returns `False` to deny modify, delete and rename actions on wiki pages when the page has the read-only attribute set and the user does not have `WIKI_ADMIN`, regardless of whether the user has `WIKI_MODIFY`, `WIKI_DELETE` and `WIKI_RENAME` permissions. It returns `None` for all other cases. When active, the `AuthzPolicy` should therefore come before `ReadonlyWikiPolicy`, allowing it to grant or deny the actions on individual resources, which is the usual ordering for `AuthzPolicy` in the `permission_policies` list. `ReadonlyWikiPolicy` must come before `DefaultPermissionPolicy` since the latter will return `True` for the respective actions when the user has `WIKI_MODIFY`, `WIKI_DELETE` or `WIKI_RENAME`, without consideration for the read-only attribute. The placement of `AuthzSourcePolicy` relative to `ReadonlyWikiPolicy` does not matter since they don't perform checks on the same realms.
     305
     306{{{
     307[trac]
     308permission_policies = AuthzPolicy,
     309 ReadonlyWikiPolicy,
     310 DefaultPermissionPolicy,
     311 LegacyAttachmentPolicy
     312}}}
     313
     314For all other permission policies, the user will need to decide the proper ordering. Generally, if the permission policy should be capable of overriding the check performed by `ReadonlyWikiPolicy`, it should come before `ReadonlyWikiPolicy` in the list. If the `ReadonlyWikiPolicy` should override the check performed by another permission policy, as is the case for `DefaultPermissionPolicy`, then `ReadonlyWikiPolicy` should come first.
     315
    292316== Debugging permissions
    293317In trac.ini set:
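Review bot: The upgrade sentence at new line 302 says `ReadonlyWikiPolicy` "needs to be manually added to the list" but not where in the list, and line 304 makes the position decisive. If it is appended after `DefaultPermissionPolicy`, that policy has already returned `True` for users holding `WIKI_MODIFY`, `WIKI_DELETE` or `WIKI_RENAME`, so the read-only attribute goes unenforced with no visible error. Suggest "needs to be manually added to the list, before `DefaultPermissionPolicy`", with a pointer to the ordering paragraph. Two smaller points in the same hunk: the second `{{{ }}}` block at 306-312 has no introducing sentence, so a line such as "With `AuthzPolicy` active, the order is:" would tie it to the paragraph above. In line 304, "allowing it to grant or deny the actions" leaves the referent of "it" unclear, and the sentence could say outright that an `AuthzPolicy` decision placed first overrides the read-only attribute, which is what line 314 implies.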
     
    306330to understand what checks are being performed. See the sourced documentation of the plugin for more info.
    307331
    308 
    309332----
    310333See also: TracPermissions,