Opened 13 years ago
Last modified 10 years ago
#10666 new defect
Setting fine grained permissions using AuthzPolicy does not work
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | low | Milestone: | next-major-releases |
| Component: | plugin/git | Version: | |
| Severity: | normal | Keywords: | authzpolicy verify |
| Cc: | leho@… | Branch: | |
| Release Notes: | |||
| API Changes: | |||
| Internal Changes: | |||
Description
While attempting to use AuthzPolicy to set fine-grained (per-branch) permissions, I found out that there seemed to be no way to set these permissions for a git repository (simply using repository: did not do anything). After reading up a bit on how the AuthzPolicy permissions work, I found out that these apparently make use of 'resource descriptors' to check whether a user has permission to do something, and digging through the TracGit source brought me to the conclusion that there does not seem to be any kind of implementation of resource descriptors - which, of course, means I have no way of addressing a specific branch in my permissions configuration.
I've come to the above conclusion by attempting to disallow all features for all repositories by setting user permissions on [repository:*@*] to nothing, which did not do anything and still left all repositories and branches visible. Disallowing everything on [*] worked fine, so I know that at least the permissions system itself is working.
Unless I'm missing something, it seems a rather vital feature is missing. Is this something that is planned to be implemented, or have I overlooked something and is this functionality already present?
Attachments (0)
Change History (5)
comment:1 by , 12 years ago
| Cc: | added |
|---|
comment:2 by , 12 years ago
| Keywords: | authzpolicy verify added |
|---|---|
| Milestone: | → next-major-releases |
| Priority: | normal → low |
comment:3 by , 10 years ago
For me, this is a major showstopper. I'm migrating from SVN to git, and SVN had authz support…
Access control on a repository and branch level would be enough for me for now, I guess.
follow-up: 5 comment:4 by , 10 years ago
Replying to jamsoftgamedev@…:
I've come to the above conclusion by attempting to disallow all features for all repositories by setting user permissions on [repository:*@*] to nothing, which did not do anything and still left all repositories and branches visible.
I can not reproduce this. Has this been fixed at some point? Any of the following work for me as expected:
Deny access to all repositories in Trac's source browser:
[repository:*@*] * =
Deny access to one repository:
[repository:someTestRepo.git@*] * =
Deny access to a specific path:
[repository:someTestRepo.git@*/source:someTestPath/*@*] * =
The only missing functionality I see is restricting access by Git branch. It's not mentioned on TracFineGrainedPermissions#AuthzPolicy and I'm not sure how it would fit in this scheme.
comment:5 by , 10 years ago
Replying to psuter:
The only missing functionality I see is restricting access by Git branch. It's not mentioned on TracFineGrainedPermissions#AuthzPolicy and I'm not sure how it would fit in this scheme.
For comparison:
- Mercurial's bundled AclExtension supports restricting access by Mercurial branches via special configuration sections:
Each Mercurial repository has its own
[acl.deny.branches] frozen-branch = * * = bad-user [acl.allow.branches] branch-a = user-1, user-2, user-3 branch-b = user-1 * = super-user branch-for-tests = *
hgrcconfiguration file that can contain these sections (among others).
- Git's bundled update-paranoid hook supports restricting access by Git branches via special configuration sections:
Each Git user has its own
[repository "acls"] allow = heads/master allow = CDUR for heads/jd/
.aclfile in a specialacls.gitrepository.)
Not vital for me… but sure, we could fix this one day.