Changes between Version 59 and Version 60 of TracFineGrainedPermissions
- Timestamp: Nov 20, 2014, 5:55:21 PM
TracFineGrainedPermissions
v59 v60 5 5 There's a general mechanism in place that allows custom **permission policy plugins** to grant or deny any action on any kind of Trac resources, even at the level of specific versions of such resources. 6 6 7 Note that for Trac 0.12, `authz_policy` has been integrated as an optional module (in `tracopt.perm.authz_policy.*`), so it's installed by default and can simply be activated via the //Plugins// panel in the Trac administration module.7 That mechanism is `authz_policy`, which is an optional module (in `tracopt.perm.authz_policy.*`), so it's installed by default and can simply be activated via the //Plugins// panel in the Trac administration module. 8 8 9 9 … … 14 14 Which policies are currently active is determined by a configuration setting in TracIni: 15 15 e.g. 16 {{{ 16 {{{#!ini 17 17 [trac] 18 18 permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy … … 21 21 22 22 Among the possible optional choices, there is [#AuthzPolicy], a very generic permission policy, based on an Authz-style system. See 23 [trac:source:branches/ 0.12-stable/tracopt/perm/authz_policy.py authz_policy.py] for details.23 [trac:source:branches/1.0-stable/tracopt/perm/authz_policy.py authz_policy.py] for details. 24 24 25 25 Another popular permission policy [#AuthzSourcePolicy], re-implements the pre-0.12 support for checking fine-grained permissions limited to Subversion repositories in terms of the new system. 26 26 27 See also [trac:source:branches/ 0.12-stable/sample-plugins/permissions sample-plugins/permissions] for more examples.27 See also [trac:source:branches/1.0-stable/sample-plugins/permissions sample-plugins/permissions] for more examples. 28 28 29 29 30 30 === !AuthzPolicy === 31 31 ==== Configuration ==== 32 * Install [http://www.voidspace.org.uk/python/configobj.html ConfigObj] (still needed for 0.12 and later). 
33 * Copy [trac:browser:/trunk/tracopt/perm/authz_policy.py /tracopt/perm/authz_policy.py] to your environment's plugins directory (only for Trac 0.11). 32 * Install [http://www.voidspace.org.uk/python/configobj.html ConfigObj]. 34 33 * Put a [http://swapoff.org/files/authzpolicy.conf authzpolicy.conf] file somewhere, preferably on a secured location on the server, not readable for others than the webuser. If the file contains non-ASCII characters, the UTF-8 encoding should be used. 35 34 * Update your `trac.ini`: 36 35 1. modify the [TracIni#trac-section permission_policies] entry in the `[trac]` section 37 {{{ 36 {{{#!ini 38 37 [trac] 39 38 ... … … 41 40 }}} 42 41 1. add a new `[authz_policy]` section 43 {{{ 42 {{{#!ini 44 43 [authz_policy] 45 44 authz_file = /some/trac/env/conf/authzpolicy.conf 46 45 }}} 47 46 1. enable the plugin through [/admin/general/plugin WebAdmin] or by editing the `[components]` section 48 {{{ 47 {{{#!ini 49 48 [components] 50 49 ... 51 50 # Trac 0.12 52 51 tracopt.perm.authz_policy.* = enabled 53 # for Trac 0.11 use this54 #authz_policy.* = enabled55 52 }}} 56 53 … … 67 64 68 65 The `authzpolicy.conf` file is a `.ini` style configuration file: 69 {{{ 66 {{{#!ini 70 67 [wiki:PrivatePage@*] 71 68 john = WIKI_VIEW, !WIKI_MODIFY … … 83 80 84 81 Example: Match the WikiStart page 85 {{{ 82 {{{#!ini 86 83 [wiki:*] 87 84 [wiki:WikiStart*] … … 92 89 Example: Match the attachment `wiki:WikiStart@117/attachment:FOO.JPG@*` 93 90 on WikiStart 94 {{{ 91 {{{#!ini 95 92 [wiki:*] 96 93 [wiki:WikiStart*] … … 112 109 113 110 For example, if the `authz_file` contains: 114 {{{ 111 {{{#!ini 115 112 [wiki:WikiStart@*] 116 113 * = WIKI_VIEW … … 133 130 134 131 Groups: 135 {{{ 132 {{{#!ini 136 133 [groups] 137 134 admins = john, jack … … 154 151 155 152 Some repository examples (Browse Source specific): 156 {{{ 153 {{{#!ini 157 154 # A single repository: 158 155 [repository:test_repo@*] … … 172 169 173 170 Very fine grain repository access: 174 {{{ 171 {{{#!ini 
175 172 # John has BROWSER_VIEW and FILE_VIEW access to trunk/src/some/location/ only 176 173 [repository:test_repo@*/source:trunk/src/some/location/*@*] … … 200 197 201 198 You cannot do the following: 202 {{{ 199 {{{#!ini 203 200 [groups] 204 201 team1 = a, b, c … … 209 206 210 207 Permission groups are not supported either. You cannot do the following: 211 {{{ 208 {{{#!ini 212 209 [groups] 213 210 permission_level_1 = WIKI_VIEW, TICKET_VIEW … … 227 224 228 225 Example: 229 {{{ 226 {{{#!ini 230 227 [/] 231 228 * = r … … 247 244 To activate fine grained permissions you __must__ specify the {{{authz_file}}} option in the {{{[trac]}}} section of trac.ini. If this option is set to null or not specified the permissions will not be used. 248 245 249 {{{ 246 {{{#!ini 250 247 [trac] 251 248 authz_file = /path/to/svnaccessfile … … 254 251 If you want to support the use of the `[`''modulename''`:/`''some''`/`''path''`]` syntax within the `authz_file`, add 255 252 256 {{{ 253 {{{#!ini 257 254 authz_module_name = modulename 258 255 }}} … … 260 257 where ''modulename'' refers to the same repository indicated by the `repository_dir` entry in the `[trac]` section. As an example, if the `repository_dir` entry in the `[trac]` section is {{{/srv/active/svn/blahblah}}}, that would yield the following: 261 258 262 {{{ 259 {{{ #!ini 263 260 [trac] 264 261 authz_file = /path/to/svnaccessfile … … 274 271 As of version 0.12, make sure you have ''!AuthzSourcePolicy'' included in the permission_policies list in trac.ini, otherwise the authz permissions file will be ignored. 
275 272 276 {{{ 273 {{{#!ini 277 274 [trac] 278 275 permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy … … 282 279 283 280 The same access file is typically applied to the corresponding Subversion repository using an Apache directive like this: 284 {{{ 281 {{{#!apache 285 282 <Location /repos> 286 283 DAV svn … … 296 293 == Debugging permissions 297 294 In trac.ini set: 298 {{{ 295 {{{#!ini 299 296 [logging] 300 297 log_file = trac.log … … 304 301 305 302 And watch: 306 {{{ 303 {{{#!sh 307 304 tail -n 0 -f log/trac.log | egrep '\[perm\]|\[authz_policy\]' 308 305 }}}
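Review bot: the rewritten intro at new line 7, "That mechanism is `authz_policy`", conflates the general mechanism described on line 5 (custom permission policy plugins that can grant or deny any action on any resource) with one policy built on top of it; lines 22 and 25 of the same page present AuthzPolicy as one "of the possible optional choices" and AuthzSourcePolicy as "another popular permission policy", so the sentence as written contradicts them. Suggest "One such policy is `authz_policy`, an optional module (in `tracopt.perm.authz_policy.*`) that is installed by default and can simply be activated via the //Plugins// panel in the Trac administration module." so the mechanism/policy distinction the following paragraphs rely on survives.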
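Review bot: in the `[components]` block (new lines 49-51) the `# Trac 0.12` comment is now orphaned: the `# for Trac 0.11 use this` / `#authz_policy.* = enabled` lines it was contrasting with are removed, so it labels nothing, and it is at odds with the rest of this change, which drops the version qualifiers from line 7 and the install steps and retargets the source links to `branches/1.0-stable`. Replace it with a version-neutral comment such as `# enable the optional authz_policy module`, or drop it.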
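Review bot: the fence at new line 259 reads `{{{ #!ini` with a space before the processor name, while every other fence touched by this change is written without one (`{{{#!ini`, `{{{#!apache`, `{{{#!sh`); make it consistent so the `[trac]` / `authz_file` / `authz_module_name` block is rendered the same way as the other configuration blocks.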
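Review bot: the unchanged context at new line 271 still begins "As of version 0.12, make sure you have AuthzSourcePolicy included in the permission_policies list in trac.ini", which is now the only version-specific caveat left on the page after this change removes the 0.12 note at line 7, the 0.11 copy-to-plugins step at old line 33 and the 0.11 `[components]` lines. Reword it as "Make sure you have AuthzSourcePolicy included in the permission_policies list in trac.ini, otherwise the authz permissions file will be ignored", which matches the `permission_policies` example that follows it.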