id: 10203
summary: [PATCH] AuthzPolicy to allow multiple user/group permissions
reporter: Brian Wasserman
type: enhancement
status: new
priority: normal
milestone: undecided
component: general
severity: normal
keywords: permission policies policy AuthzPolicy authzpolicy patch
cc: Thijs Triemstra

description:

The current implementation of [trac:browser/tags/trac-0.12.2/tracopt/perm/authz_policy.py AuthzPolicy] does not support a user being a member of multiple groups that simultaneously define permissions, either in the same section/path definition or via inheritance. This is because permission checks are only evaluated for the first matching rule with a matching user or group of which the user is a member. The authzpolicy.conf below currently evaluates to just WIKI_MODIFY for !wiki:TestStuff* paths, which effectively denies WIKI_VIEW and WIKI_CREATE.

==== authzpolicy.conf ====
{{{
[groups]
wikiviewer = testuser1, testuser2
wikimodifier = testuser2
wikicreator = testuser2

[wiki:TestStuff*]
@wikimodifier = WIKI_MODIFY
@wikicreator = WIKI_CREATE

[wiki:*]
@wikiviewer = WIKI_VIEW
}}}

I am illustrating how the proposed enhancement will allow both users to view all wiki pages, yet testuser2 will be able to both create and modify wiki pages that match the path !wiki:TestStuff*. Notice how WIKI_VIEW access is preserved/inherited via the wiki:* path while @wikimodifier and @wikicreator are effectively the union of both permission groups.

I am attaching a proposed patch that would effectively do what I am proposing. The gist is as follows:

 1. Pass ''action'' to the authz_permissions call so it can be action-aware.
 1. Added anonymous to authenticated valid_users so authenticated users can inherit permissions from anonymous.
 1. Only return permissions on match if it is explicitly granted or denied.

The only caveat is that you should only deny access to anonymous or authenticated and not use other groups as a way to negate permissions. For example, if anonymous has WIKI_VIEW on wiki:*, then don't have a group @limiteduser remove WIKI_VIEW. Instead, restrict access to anonymous and use a group @specialuser to grant additional access.
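The following is an added example, not the ticket's attached patch and not Trac's own authz_policy.py. It is a simplified model of the evaluation described in the ticket: a parser for the authzpolicy.conf shown above (reproduced here as a constructed string), group expansion that treats anonymous as a subject of every authenticated user (point 2), and a check that keeps scanning matching rules until one explicitly grants or denies the action (point 3). The `first_match_only` flag models the behaviour the ticket describes as current, where the first rule whose subject matches decides by itself. A second constructed config, `CAVEAT_CONF`, shows the caveat at the end of the ticket: once the anonymous rule grants WIKI_VIEW, a `!WIKI_VIEW` on an ordinary group no longer takes it away. Function names and the exact matching of resource paths with `fnmatch` are assumptions for this model.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed copy of the authzpolicy.conf given in the ticket.
AUTHZ_CONF = """
[groups]
wikiviewer = testuser1, testuser2
wikimodifier = testuser2
wikicreator = testuser2

[wiki:TestStuff*]
@wikimodifier = WIKI_MODIFY
@wikicreator = WIKI_CREATE

[wiki:*]
@wikiviewer = WIKI_VIEW
"""

# Constructed config illustrating the ticket's caveat: a plain group cannot
# take away what the anonymous rule has already granted.
CAVEAT_CONF = """
[groups]
limiteduser = testuser3

[wiki:*]
anonymous = WIKI_VIEW
@limiteduser = !WIKI_VIEW
"""


def load_policy(text):
    """Parse an authzpolicy-style config into (groups, [(path_pattern, [(subject, perms)])])."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep user/group names case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        for name, members in cp.items("groups"):
            groups[name] = {m.strip() for m in members.split(",") if m.strip()}
    sections = []
    for path in cp.sections():
        if path == "groups":
            continue
        rules = [(subject, [p.strip() for p in perms.split(",") if p.strip()])
                 for subject, perms in cp.items(path)]
        sections.append((path, rules))
    return groups, sections


def subjects_for(user, groups):
    """All subject names that can match `user`: the user itself, the implicit
    anonymous/authenticated subjects, and every @group reached transitively."""
    subjects = {user, "anonymous"}  # ticket point 2: authenticated users inherit from anonymous
    if user != "anonymous":
        subjects.add("authenticated")
    changed = True
    while changed:  # a group may list another @group as a member
        changed = False
        for name, members in groups.items():
            if "@" + name not in subjects and members & subjects:
                subjects.add("@" + name)
                changed = True
    return subjects


def check_permission(user, action, resource, policy, first_match_only=False):
    """Return True (granted), False (denied) or None (no matching rule decides).

    first_match_only=False: the proposed behaviour, keep scanning matching rules
    until one explicitly grants or denies `action` (ticket point 3).
    first_match_only=True: the behaviour the ticket describes as current, where
    the first rule with a matching subject decides on its own.
    """
    groups, sections = policy
    subjects = subjects_for(user, groups)
    for pattern, rules in sections:
        if not fnmatchcase(resource, pattern):
            continue
        for subject, perms in rules:
            if subject not in subjects:
                continue
            if action in perms:
                return True  # explicitly granted
            if "!" + action in perms:
                return False  # explicitly denied
            if first_match_only:
                return False  # first match decides and does not list the action
    return None


if __name__ == "__main__":
    policy = load_policy(AUTHZ_CONF)
    for user in ("testuser1", "testuser2"):
        for action in ("WIKI_VIEW", "WIKI_CREATE", "WIKI_MODIFY"):
            print(user, action,
                  "current:", check_permission(user, action, "wiki:TestStuffOne", policy, True),
                  "proposed:", check_permission(user, action, "wiki:TestStuffOne", policy))
```

With the ticket's config, testuser2 on a `wiki:TestStuff*` page gets only WIKI_MODIFY under first-match evaluation, but WIKI_VIEW, WIKI_CREATE and WIKI_MODIFY under the proposed scan, while testuser1 still only views. A `None` result means this policy has no opinion and the decision falls to whatever other permission policies are configured.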