Edgewall Software
Modify

Opened 7 years ago

Last modified 5 years ago

#10666 new defect

Setting fine grained permissions using AuthzPolicy does not work

Reported by: jamsoftgamedev@… Owned by:
Priority: low Milestone: next-major-releases
Component: plugin/git Version:
Severity: normal Keywords: authzpolicy verify
Cc: leho@… Branch:
Release Notes:
API Changes:

Description

While attempting to use AuthzPolicy to set fine-grained (per-branch) permissions, I found out that there seemed to be no way to set these permissions for a git repository (simply using repository: did not do anything). After reading up a bit on how the AuthzPolicy permissions work, I found out that these apparently make use of 'resource descriptors' to check whether a user has permission to do something, and digging through the TracGit source brought me to the conclusion that there does not seem to be any kind of implementation of resource descriptors - which, of course, means I have no way of addressing a specific branch in my permissions configuration.

I've come to the above conclusion by attempting to disallow all features for all repositories by setting user permissions on [repository:*@*] to nothing, which did not do anything and still left all repositories and branches visible. Disallowing everything on [*] worked fine, so I know that at least the permissions system itself is working.

Unless I'm missing something, it seems a rather vital feature is missing. Is this something that is planned to be implemented, or have I overlooked something and is this functionality already present?

Attachments (0)

Change History (5)

comment:1 by lkraav <leho@…>, 7 years ago

Cc: leho@… added

comment:2 by Christian Boos, 6 years ago

Keywords: authzpolicy verify added
Milestone: next-major-releases
Priority: normallow

Not vital for me… but sure, we could fix this one day.

comment:3 by anonymous, 5 years ago

For me, this is a major showstopper. I'm migrating from SVN to git, and SVN had authz support…

Access control on a repository and branch level would be enough for me for now, I guess.

in reply to:  description ; comment:4 by Peter Suter, 5 years ago

Replying to jamsoftgamedev@…:

I've come to the above conclusion by attempting to disallow all features for all repositories by setting user permissions on [repository:*@*] to nothing, which did not do anything and still left all repositories and branches visible.

I can not reproduce this. Has this been fixed at some point? Any of the following work for me as expected:

Deny access to all repositories in Trac's source browser:

[repository:*@*]
* =

Deny access to one repository:

[repository:someTestRepo.git@*]
* =

Deny access to a specific path:

[repository:someTestRepo.git@*/source:someTestPath/*@*]
* =

The only missing functionality I see is restricting access by Git branch. It's not mentioned on TracFineGrainedPermissions#AuthzPolicy and I'm not sure how it would fit in this scheme.

in reply to:  4 comment:5 by Peter Suter, 5 years ago

Replying to psuter:

The only missing functionality I see is restricting access by Git branch. It's not mentioned on TracFineGrainedPermissions#AuthzPolicy and I'm not sure how it would fit in this scheme.

For comparison:

  • Mercurial's bundled AclExtension supports restricting access by Mercurial branches via special configuration sections:
    [acl.deny.branches] 
    frozen-branch = * 
    * = bad-user 
    
    [acl.allow.branches] 
    branch-a = user-1, user-2, user-3 
    branch-b = user-1 
    * = super-user 
    branch-for-tests = * 
    
    Each Mercurial repository has its own hgrc configuration file that can contain these sections (among others).
  • Git's bundled update-paranoid hook supports restricting access by Git branches via special configuration sections:
    [repository "acls"]
    allow = heads/master
    allow = CDUR for heads/jd/
    
    Each Git user has its own .acl file in a special acls.git repository.)

Modify Ticket

Change Properties
Set your email in Preferences
Action
as new The ticket will remain with no owner.
The ticket will be disowned. Next status will be 'new'.
as The resolution will be set. Next status will be 'closed'.
The owner will be changed from (none) to anonymous. Next status will be 'assigned'.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.