Opened 10 years ago
Last modified 15 months ago
#11651 new defect
Attachment example on TracFineGrainedPermissions page is incorrect
Reported by: | Ryan J Ollos | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | next-stable-1.6.x |
Component: | attachment | Version: | |
Severity: | normal | Keywords: | |
Cc: | authzpolicy | Branch: | |
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description
There is an example on TracFineGrainedPermissions#UsageNotes which appears to be incorrect:
[wiki:WikiStart@*/attachment/*] [wiki:WikiStart@117/attachment/FOO.JPG]
It appears that a forward-slash is used rather than a colon:
[wiki:WikiStart@*/attachment:*] [wiki:WikiStart@117/attachment:FOO.JPG]
However, it also appears to be the case that the trailing @*
is required for the case that the resource is specified:
[wiki:WikiStart@117/attachment:FOO.JPG@*]
The documentation states that it should be added implicitly, so this might be a defect.
I tested with attachment RepositoryBrowser.png
on WikiStart
, and found the following in the logs when viewing the attachment:
04:18:14 PM Trac[authz_policy] DEBUG: Checking ATTACHMENT_VIEW on wiki:WikiStart@*/attachment:RepositoryBrowser.png@*
The following policy prevents viewing the attachment:
[wiki:WikiStart@*/attachment:RepositoryBrowser.png@*] * = !ATTACHMENT_VIEW
However, the policy doesn't work if the trailing @*
is omitted.
Attachments (0)
Change History (9)
comment:1 by , 10 years ago
comment:2 by , 10 years ago
Replying to rjollos:
There is an example on TracFineGrainedPermissions#UsageNotes which appears to be incorrect:
[wiki:WikiStart@*/attachment/*] [wiki:WikiStart@117/attachment/FOO.JPG]
Documentation fixed in wiki:TracFineGrainedPermissions?action=diff&version=52&old_version=50. I'll test the changes in comment:1 next.
comment:3 by , 10 years ago
I noticed another issue while confirming this issue.
When latest version of WikiStart
is 42
and authz policy has the following, it doesn't block for viewing /wiki/WikiStart
. It block for viewing /wiki/WikiStart?version=42
. I think that the policy should block it.
[wiki:WikiStart@42] * = !WIKI_VIEW
comment:4 by , 10 years ago
Milestone: | next-stable-1.0.x → 1.0.3 |
---|
comment:5 by , 10 years ago
Owner: | set to |
---|---|
Status: | new → assigned |
comment:6 by , 10 years ago
Milestone: | 1.0.3 → next-stable-1.0.x |
---|---|
Owner: | removed |
Status: | assigned → new |
comment:7 by , 8 years ago
Milestone: | next-stable-1.0.x → next-stable-1.2.x |
---|
Moved ticket assigned to next-stable-1.0.x since maintenance of 1.0.x is coming to a close. Please move the ticket back if it's critical to fix on 1.0.x.
comment:8 by , 5 years ago
Milestone: | next-stable-1.2.x → next-stable-1.4.x |
---|
Replying to rjollos:
Currently,
@*
is automatically added to it only when a policy has no@
character. I think we could check like this.tracopt/perm/authz_policy.py
'@' not in resource_glob: