#11651 new defect

Attachment example on TracFineGrainedPermissions page is incorrect

Reported by:	Ryan J Ollos	Owned by:
Priority:	normal	Milestone:	next-stable-1.6.x
Component:	attachment	Version:
Severity:	normal	Keywords:
Cc:	authzpolicy	Branch:
Release Notes:
API Changes:
Internal Changes:

Description

There is an example on TracFineGrainedPermissions#UsageNotes which appears to be incorrect:

[wiki:WikiStart@*/attachment/*]
[wiki:WikiStart@117/attachment/FOO.JPG]

It appears that a forward-slash is used rather than a colon:

[wiki:WikiStart@*/attachment:*]
[wiki:WikiStart@117/attachment:FOO.JPG]

However, it also appears to be the case that the trailing @* is required for the case that the resource is specified:

[wiki:WikiStart@117/attachment:FOO.JPG@*]

The documentation states that it should be added implicitly, so this might be a defect.

I tested with attachment RepositoryBrowser.png on WikiStart, and found the following in the logs when viewing the attachment:

04:18:14 PM Trac[authz_policy] DEBUG: Checking ATTACHMENT_VIEW on wiki:WikiStart@*/attachment:RepositoryBrowser.png@*

The following policy prevents viewing the attachment:

[wiki:WikiStart@*/attachment:RepositoryBrowser.png@*]
* = !ATTACHMENT_VIEW

However, the policy doesn't work if the trailing @* is omitted.

Change History (9)

in reply to: description comment:1 by Jun Omae, 10 years ago

Replying to rjollos:

The following policy prevents viewing the attachment:
[wiki:WikiStart@*/attachment:RepositoryBrowser.png@*]
* = !ATTACHMENT_VIEW
However, the policy doesn't work if the trailing @* is omitted.

Currently, @* is automatically added to it only when a policy has no @ character. I think we could check like this.

tracopt/perm/authz_policy.py

diff --git a/tracopt/perm/authz_policy.py b/tracopt/perm/authz_policy.py
index 45135f4..9a5d2d0 100644

-              a
 from fnmatch import fnmatchcase
 from itertools import groupby
 import os
+import re
 from trac.core import *
 from trac.config import ConfigurationError, Option
-…
+               class AuthzPolicy(Component):
         return '/'.join(flatten(resource))
+    _resource_version_re = re.compile(r'@[^:/@]*\Z')
     def authz_permissions(self, resource_key, username):
         # TODO: Handle permission negation in sections. eg. "if in this
         # ticket, remove TICKET_MODIFY"
-…
+               class AuthzPolicy(Component):
         for resource_section in [a for a in self.authz.sections
                                    if a != 'groups']:
             resource_glob = to_unicode(resource_section)
             if '@' not in resource_glob:
+            if not self._resource_version_re.search(resource_glob):
                 resource_glob += '@*'
             if fnmatchcase(resource_key, resource_glob):

in reply to: description comment:2 by Ryan J Ollos, 10 years ago

Replying to rjollos:

There is an example on TracFineGrainedPermissions#UsageNotes which appears to be incorrect:
[wiki:WikiStart@*/attachment/*]
[wiki:WikiStart@117/attachment/FOO.JPG]

Documentation fixed in wiki:TracFineGrainedPermissions?action=diff&version=52&old_version=50. I'll test the changes in comment:1 next.

Last edited 10 years ago by Ryan J Ollos (previous) (diff)

comment:3 by Jun Omae, 10 years ago

I noticed another issue while confirming this issue.

When latest version of WikiStart is 42 and authz policy has the following, it doesn't block for viewing /wiki/WikiStart. It block for viewing /wiki/WikiStart?version=42. I think that the policy should block it.

[wiki:WikiStart@42]
* = !WIKI_VIEW

comment:4 by Ryan J Ollos, 10 years ago

Milestone:	next-stable-1.0.x → 1.0.3

comment:5 by Ryan J Ollos, 10 years ago

Owner:	set to Ryan J Ollos
Status:	new → assigned

comment:6 by Ryan J Ollos, 10 years ago

Milestone:	1.0.3 → next-stable-1.0.x
Owner:	Ryan J Ollos removed
Status:	assigned → new

comment:7 by Ryan J Ollos, 8 years ago

Milestone:	next-stable-1.0.x → next-stable-1.2.x

Moved ticket assigned to next-stable-1.0.x since maintenance of 1.0.x is coming to a close. Please move the ticket back if it's critical to fix on 1.0.x.

comment:8 by Ryan J Ollos, 5 years ago

Milestone:	next-stable-1.2.x → next-stable-1.4.x

comment:9 by Ryan J Ollos, 14 months ago

Milestone:	next-stable-1.4.x → next-stable-1.6.x

Milestone renamed

Modify Ticket

Change Properties

Summary:
Description:	There is an example on TracFineGrainedPermissions#UsageNotes which appears to be incorrect: {{{#!ini [wiki:WikiStart@/attachment/] [wiki:WikiStart@117/attachment/FOO.JPG] }}} It appears that a forward-slash is used rather than a colon: {{{#!ini [wiki:WikiStart@/attachment:] [wiki:WikiStart@117/attachment:FOO.JPG] }}} However, it also appears to be the case that the trailing `@` is required for the case that the resource is specified: {{{#!ini [wiki:WikiStart@117/attachment:FOO.JPG@] }}} The documentation states that it should be added implicitly, so this might be a defect. I tested with attachment `RepositoryBrowser.png` on `WikiStart`, and found the following in the logs when viewing the attachment: {{{ 04:18:14 PM Trac[authz_policy] DEBUG: Checking ATTACHMENT_VIEW on wiki:WikiStart@/attachment:RepositoryBrowser.png@ }}} The following policy prevents viewing the attachment: {{{#!ini [wiki:WikiStart@/attachment:RepositoryBrowser.png@] * = !ATTACHMENT_VIEW }}} However, the policy doesn't work if the trailing `@*` is omitted. You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as new The ticket will remain with no owner.

unassign The ticket will be disowned.

resolve as The resolution will be set. Next status will be 'closed'.

assign The owner will be changed from (none) to anonymous. Next status will be 'assigned'.

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Download in other formats:

Context Navigation