Edgewall Software

Opened 11 years ago

Last modified 9 years ago

#10203 new enhancement

[PATCH] AuthzPolicy to allow multiple user/group permissions

Reported by: Brian Wasserman <brian-trac@…> Owned by:
Priority: normal Milestone: undecided
Component: general Version:
Severity: normal Keywords: permission policies policy AuthzPolicy authzpolicy patch
Cc: Thijs Triemstra Branch:
Release Notes:
API Changes:
Internal Changes:


The current implementation of AuthzPolicy does not support a user being a member of multiple groups that simultaneously define permissions either in the same section/path definition or via inheritance. This is because permission checks are only evaluated for the first matching rule with a matching user or group for which a user is a member. The authzpolicy.conf below currently evaluates to just WIKI_MODIFY for wiki:TestStuff* paths, which effectively denies WIKI_VIEW and WIKI_CREATE.


wikiviewer = testuser1, testuser2
wikimodifier = testuser2
wikicreator = testuser2

@wikimodifier = WIKI_MODIFY
@wikicreator = WIKI_CREATE

@wikiviewer = WIKI_VIEW

I am illustrating how the proposed enhancement will allow both users to view all wiki pages, yet testuser2 will be able to both create and modify wiki pages that match the path wiki:TestStuff*. Notice how WIKI_VIEW access is preserved/inherited via the wiki:* path while @wikimodifier and @wikicreator are effectively the union of both permission groups.

I am attaching a proposed patch that would effectively do what I am proposing. The gist is as follows:

  1. Pass action to authz_permissions call so it can be action-aware.
  2. Added anonymous to authenticated valid_users so authenticated users can inherit permissions from anonymous.
  3. Only return permissions on match if it is explicitly granted or denied.

The only caveat is that you only should deny access to anonymous or authenticated and not use other groups as a way to negate permissions. For example, if anonymous has WIKI_VIEW on wiki:* then doesn't have a group @limiteduser remove WIKI_VIEW. Instead restrict access to anonymous and use a group @specialuser grant additional access.

Attachments (1)

authz_policy.patch (8.7 KB ) - added by Brian Wasserman <brian-trac@…> 11 years ago.
AuthzPolicy patch to allow users to be members of multiple groups and their accesses be a union of all permissions

Download all attachments as: .zip

Change History (4)

by Brian Wasserman <brian-trac@…>, 11 years ago

Attachment: authz_policy.patch added

AuthzPolicy patch to allow users to be members of multiple groups and their accesses be a union of all permissions

comment:1 by Thijs Triemstra, 11 years ago

Cc: Thijs Triemstra added
Component: admin/consolegeneral
Keywords: patch added
Summary: AuthzPolicy to allow multiple user/group permissions[PATCH] AuthzPolicy to allow multiple user/group permissions

comment:2 by Christian Boos, 10 years ago

Keywords: authzpolicy added; authz_policy removed

comment:3 by Christian Boos, 9 years ago

Milestone: undecided

All the tickets for {20} from last year have probably been seen multiple times by now, yet are still to be triaged…

Modify Ticket

Change Properties
Set your email in Preferences
as new The ticket will remain with no owner.
The ticket will be disowned.
as The resolution will be set. Next status will be 'closed'.
The owner will be changed from (none) to anonymous. Next status will be 'assigned'.

Add Comment

E-mail address and name can be saved in the Preferences .
Note: See TracTickets for help on using tickets.