Edgewall Software

Extension Point : IPermissionPolicy

InterfaceIPermissionPolicySince0.11
Moduletrac.permSourceperm.py

The IPermissionPolicy implementations define policies for how to check for (fine grained) permissions.

Purpose

The TracPermissions system defines coarse permissions to control which users have access to which modules. TracFineGrainedPermissions introduced more fine grained control over permissions for individual resources. The IPermissionPolicy interface is used to implement this new system, re-implement the legacy behavior and allow plugins to extend the permission policies.

Usage

Implementing the interface follows the standard guidelines found in TracDev/ComponentArchitecture and of course TracDev/PluginDevelopment.

Only the permission_policies configured in trac.ini will be used (in that order).

The policy is called for each action on a resource by a user. It can explicitly allow or deny that action, or abstain to defer the check to the next policy in the chain. (Note: It is first also called without a specific resource for a coarse realm permission check. See API Reference for details.)

Examples

See #DebugPolicy, #PublicWikiPolicy, #SecurityTicketsPolicy

  • Mailing list post with an example IPermissionPolicy implementation that blocks access to ticket 666. Here an updated version:
    from trac.core import *
    from trac.perm import IPermissionPolicy
    
    class Deny666(Component):
        implements(IPermissionPolicy)
    
        def check_permission(self, action, username, resource, perm):
            if resource is not None and resource.realm == 'ticket' and \
                    resource.id == 666:
                self.log.info("This is the Devil's work")
                return False
    
  • Another mailing list post with an example IPermissionPolicy implementation based on TagsPlugin. (Adding a tag 'john:view' on a wiki page or ticket would allow the user 'john' to WIKI_VIEW or TICKET_VIEW that resource. Adding a tag 'john:-view' would disallow it.) Here an updated version:
    from trac.core import *
    from trac.perm import IPermissionPolicy
    
    class TagPolicy(Component):
        """ Security policy based on tags. """
        implements(IPermissionPolicy)
    
         def check_permission(self, action, username, resource, perm):
            if resource is None: return None
    
            if action.startswith('WIKI_') or action.startswith('TICKET_'):
                from tractags.api import TagSystem
                
                class FakeRequest(object):
                    def __init__(self, perm):
                        self.perm = perm
    
                req = FakeRequest(perm)
                tags = TagSystem().get_tags(req, resource)
    
                permission = action.lower().split('_')[1]
                ptag = ':'.join((username, permission))
                if ptag in tags:
                    return True
    
                nptag = ':-'.join((username, permission))
                if nptag in tags:
                    return False
    
  • Another discussion involves a special policy checking ticket resolution and recursive permissions tests.

Available Implementations

trac.perm.DefaultPermissionPolicy

Reimplements the pre-0.11 behavior which checks for the traditional coarse grained style permissions described in TracPermissions.

trac.attachment.LegacyAttachmentPolicy

Reimplements the legacy coarse grained permissions checks for attachments, by mapping ATTACHMENT_* permissions to realm specific ones. Allows other plugins to participate in this by implementing ILegacyAttachmentPolicyDelegate.

tracopt.perm.authz_policy.AuthzPolicy

See TracFineGrainedPermissions

trac.versioncontrol.svn_authz.AuthzSourcePolicy

See TracFineGrainedPermissions

sample-plugins.permissions.debug_perm.DebugPolicy

A sample plugin that is only useful for Trac Development. It verifies the well-formedness of the permission checks.

sample-plugins.permissions.public_wiki_policy.PublicWikiPolicy

A sample plugin that allows public access to some wiki pages, illustrating how to check permission on realms.

sample-plugins.permissions.vulnerability_tickets.SecurityTicketsPolicy

A sample plugin that prevents public access to security sensitive tickets.

Additional Information and References

Last modified 10 years ago Last modified on Jul 28, 2014, 7:56:21 PM
Note: See TracWiki for help on using the wiki.