Changes between Version 63 and Version 64 of TracFineGrainedPermissions
- Timestamp: Mar 18, 2017, 6:21:38 PM (7 years ago)
TracFineGrainedPermissions
v63 v64 3 3 [[TracGuideToc]] 4 4 5 There is a general mechanism in place that allows custom **permission polic y plugins** to grant or deny any action on any kind of Trac resource, even at the level of specific versions of such resources.5 There is a general mechanism in place that allows custom **permission policies** to grant or deny any action on any Trac resource, or even specific versions of a resource. 6 6 7 7 That mechanism is `authz_policy`, which is an optional module in `tracopt.perm.authz_policy.*`, so it is installed by default. It can be activated via the //Plugins// panel in the Trac administration module. … … 11 11 A great diversity of permission policies can be implemented and Trac comes with a few examples. 12 12 13 Which policies are currently active is determined by a configuration setting in TracIni:13 The active policies are determined by a [TracIni#trac-permission_policies-option configuration setting]: 14 14 15 15 {{{#!ini … … 17 17 permission_policies = ReadonlyWikiPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy 18 18 }}} 19 This lists the [#ReadonlyWikiPolicy] which controls readonly access to wiki pages, followed by the !DefaultPermissionPolicy which checks for the traditional coarse grained style permissions described in TracPermissions, and the !LegacyAttachmentPolicy which knows how to use the coarse grained permissions for checking the permissions available on attachments. 19 20 * [#ReadonlyWikiPolicy] controls readonly access to wiki pages. 21 * !DefaultPermissionPolicy checks for the traditional coarse-grained permissions described in TracPermissions. 22 * !LegacyAttachmentPolicy uses the coarse-grained permissions to check permissions on attachments. 20 23 21 24 Among the optional choices, there is [#AuthzPolicy], a very generic permission policy, based on an Authz-style system. See 22 [trac:source:branches/1. 
0-stable/tracopt/perm/authz_policy.py authz_policy.py] for details.23 24 Another p opular permission policy [#AuthzSourcePolicy], re-implements the pre-0.12 support for checking fine-grained permissions limited to Subversion repositories in terms of the newsystem.25 26 See also [trac:source:branches/1. 0-stable/sample-plugins/permissions sample-plugins/permissions] for more examples.25 [trac:source:branches/1.2-stable/tracopt/perm/authz_policy.py authz_policy.py] for details. 26 27 Another permission policy [#AuthzSourcePolicy], uses the [http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html path-based authorization] defined by Subversion to enforce permissions on the version control system. 28 29 See also [trac:source:branches/1.2-stable/sample-plugins/permissions sample-plugins/permissions] for more examples. 27 30 28 31 === !AuthzPolicy === 29 32 ==== Configuration ==== 30 * Put a [http://swapoff.org/files/authzpolicy.conf authzpolicy.conf] file somewhere, preferably on a secured location on the server, not readable for othersthan the webuser. If the file contains non-ASCII characters, the UTF-8 encoding should be used.33 * Put a [http://swapoff.org/files/authzpolicy.conf conf] file in a secure location on the server, not readable by users other than the webuser. If the file contains non-ASCII characters, the UTF-8 encoding should be used. 31 34 * Update your `trac.ini`: 32 35 1. modify the [TracIni#trac-section permission_policies] entry in the `[trac]` section: 33 36 {{{#!ini 34 37 [trac] 35 ...36 38 permission_policies = AuthzPolicy, ReadonlyWikiPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy 37 39 }}} 38 1. add a new `[authz_policy]` section :40 1. add a new `[authz_policy]` section and point the `authz_file` option to the conf file: 39 41 {{{#!ini 40 42 [authz_policy]
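Review bot: The new link on line 13 targets `TracIni#trac-permission_policies-option`, while the unchanged configuration step further down (new line 36) still links the same option as `[TracIni#trac-section permission_policies]`. Point both at the same anchor so that readers reach the same option description from either place.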
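Review bot: On new line 33 the link label was shortened from `authzpolicy.conf` to `conf`, so the step no longer names the file it is talking about, and new line 40 then refers to "the conf file" without a filename either. Keep the label as `authzpolicy.conf`, or name the file in the sentence, because this is the file that holds the access rules and the same step asks that it not be readable by users other than the webuser. Separately, new line 27 has a stray comma between subject and verb: "Another permission policy [#AuthzSourcePolicy], uses the ..." should read without the comma.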