
Opened 8 years ago

Last modified 2 years ago

#11651 new defect

Attachment example on TracFineGrainedPermissions page is incorrect

Reported by: Ryan J Ollos Owned by:
Priority: normal Milestone: next-stable-1.4.x
Component: attachment Version:
Severity: normal Keywords:
Cc: authzpolicy Branch:
Release Notes:
API Changes:
Internal Changes:

Description

There is an example on TracFineGrainedPermissions#UsageNotes which appears to be incorrect:

[wiki:WikiStart@*/attachment/*]
[wiki:WikiStart@117/attachment/FOO.JPG]

It appears that a forward-slash is used rather than a colon:

[wiki:WikiStart@*/attachment:*]
[wiki:WikiStart@117/attachment:FOO.JPG]

However, it also appears to be the case that the trailing @* is required for the case that the resource is specified:

[wiki:WikiStart@117/attachment:FOO.JPG@*]

The documentation states that it should be added implicitly, so this might be a defect.

I tested with attachment RepositoryBrowser.png on WikiStart, and found the following in the logs when viewing the attachment:

04:18:14 PM Trac[authz_policy] DEBUG: Checking ATTACHMENT_VIEW on wiki:WikiStart@*/attachment:RepositoryBrowser.png@*

The following policy prevents viewing the attachment:

[wiki:WikiStart@*/attachment:RepositoryBrowser.png@*]
* = !ATTACHMENT_VIEW

However, the policy doesn't work if the trailing @* is omitted.

Attachments (0)

Change History (8)

in reply to:  description comment:1 by Jun Omae, 8 years ago

Replying to rjollos:

The following policy prevents viewing the attachment:

[wiki:WikiStart@*/attachment:RepositoryBrowser.png@*]
* = !ATTACHMENT_VIEW

However, the policy doesn't work if the trailing @* is omitted.

Currently, @* is automatically added to it only when a policy has no @ character. I think we could check like this.

  • tracopt/perm/authz_policy.py

    diff --git a/tracopt/perm/authz_policy.py b/tracopt/perm/authz_policy.py
    index 45135f4..9a5d2d0 100644
    a b  
    1717from fnmatch import fnmatchcase
    1818from itertools import groupby
    1919import os
     20import re
    2021
    2122from trac.core import *
    2223from trac.config import ConfigurationError, Option
    class AuthzPolicy(Component):  
    241242
    242243        return '/'.join(flatten(resource))
    243244
     245    _resource_version_re = re.compile(r'@[^:/@]*\Z')
     246
    244247    def authz_permissions(self, resource_key, username):
    245248        # TODO: Handle permission negation in sections. eg. "if in this
    246249        # ticket, remove TICKET_MODIFY"
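
Review bot: `_resource_version_re` (new line 245) is added without a comment, and it treats any trailing `@...` run that contains no `:`, `/` or `@` as a version. A section whose last component is an attachment name containing `@`, such as `attachment:a@b.png`, would therefore count as already versioned and never get `@*` appended, so a deny rule written that way would silently not apply. Suggest a comment above the pattern stating the grammar it assumes, and either a note in the docs that such names need an explicit trailing `@*` or a stricter pattern.
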
    class AuthzPolicy(Component):  
    251254        for resource_section in [a for a in self.authz.sections
    252255                                   if a != 'groups']:
    253256            resource_glob = to_unicode(resource_section)
    254             if '@' not in resource_glob:
     257            if not self._resource_version_re.search(resource_glob):
    255258                resource_glob += '@*'
    256259
    257260            if fnmatchcase(resource_key, resource_glob):
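
Review bot: The new condition at line 257 still appends `@*` only to the end of `resource_glob`, so a section that omits the version on a parent component (for example `wiki:WikiStart/attachment:FOO.JPG`) still cannot match keys of the form logged in the description, `wiki:WikiStart@*/attachment:RepositoryBrowser.png@*`. If implicit versions are meant to apply per component, normalize each `/`-separated part before the `fnmatchcase` call; otherwise state the limitation in the docs. A unit test covering sections with and without the trailing `@*` would pin down the behaviour this change is meant to fix.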

in reply to:  description comment:2 by Ryan J Ollos, 8 years ago

Replying to rjollos:

There is an example on TracFineGrainedPermissions#UsageNotes which appears to be incorrect:

[wiki:WikiStart@*/attachment/*]
[wiki:WikiStart@117/attachment/FOO.JPG]

Documentation fixed in wiki:TracFineGrainedPermissions?action=diff&version=52&old_version=50. I'll test the changes in comment:1 next.

Last edited 8 years ago by Ryan J Ollos
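
The matching behaviour discussed in the description and in comment:1, reproduced outside Trac as an added example (not part of the ticket or of Trac's code). The resource key is the one from the DEBUG log line and the pattern is the one in the comment:1 patch; `normalize_current`, `normalize_proposed`, `audit`, `SECTIONS` and the last section spelling are names and values assumed here.

```python
import re
from fnmatch import fnmatchcase

# Resource key copied from the DEBUG log line in the ticket description.
LOGGED_KEY = 'wiki:WikiStart@*/attachment:RepositoryBrowser.png@*'

# Pattern copied from the patch in comment:1.
_resource_version_re = re.compile(r'@[^:/@]*\Z')


def normalize_current(section):
    """Existing check: append '@*' only if the section has no '@' at all."""
    return section if '@' in section else section + '@*'


def normalize_proposed(section):
    """comment:1 check: append '@*' unless the section ends in a version."""
    if not _resource_version_re.search(section):
        section += '@*'
    return section


def audit(sections, key=LOGGED_KEY):
    """Map each section to (matches with current check, with proposed check)."""
    return {s: (fnmatchcase(key, normalize_current(s)),
                fnmatchcase(key, normalize_proposed(s)))
            for s in sections}


# Section spellings raised in the ticket, plus one constructed variant (last).
SECTIONS = [
    'wiki:WikiStart@*/attachment/*',                        # old docs: slash
    'wiki:WikiStart@*/attachment:*',                        # colon, wildcard name
    'wiki:WikiStart@*/attachment:RepositoryBrowser.png',    # no trailing @*
    'wiki:WikiStart@*/attachment:RepositoryBrowser.png@*',  # explicit @*
    'wiki:WikiStart/attachment:RepositoryBrowser.png',      # parent version omitted
]

if __name__ == '__main__':
    for section, (cur, new) in audit(SECTIONS).items():
        print('%-52s current=%-5s proposed=%s' % (section, cur, new))
```

A `False` in either column means a `* = !ATTACHMENT_VIEW` rule under that section header would not be consulted for this attachment.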

comment:3 by Jun Omae, 8 years ago

I noticed another issue while confirming this issue.

When the latest version of WikiStart is 42 and the authz policy has the following, it doesn't block viewing /wiki/WikiStart. It blocks viewing /wiki/WikiStart?version=42. I think that the policy should block it.

[wiki:WikiStart@42]
* = !WIKI_VIEW

comment:4 by Ryan J Ollos, 8 years ago

Milestone: next-stable-1.0.x → 1.0.3

comment:5 by Ryan J Ollos, 8 years ago

Owner: set to Ryan J Ollos
Status: new → assigned

comment:6 by Ryan J Ollos, 7 years ago

Milestone: 1.0.3 → next-stable-1.0.x
Owner: Ryan J Ollos removed
Status: assigned → new

comment:7 by Ryan J Ollos, 6 years ago

Milestone: next-stable-1.0.x → next-stable-1.2.x

Moved ticket assigned to next-stable-1.0.x since maintenance of 1.0.x is coming to a close. Please move the ticket back if it's critical to fix on 1.0.x.

comment:8 by Ryan J Ollos, 2 years ago

Milestone: next-stable-1.2.x → next-stable-1.4.x
