Opened 8 years ago
Last modified 8 years ago
#12598 new enhancement
Allow preference panel to be hidden from anonymous users
Reported by: | Ryan J Ollos | Owned by: |
---|---|---|---
Priority: | normal | Milestone: |
Component: | general | Version: |
Severity: | normal | Keywords: |
Cc: | | Branch: |
Release Notes: | | |
API Changes: | | |
Internal Changes: | | |
Description (last modified by )
I was reminded by looking at the DESI Trac site of an issue I encountered on a Trac site that I helped maintain before it was retired. You can see on the DESI site that all permissions have been revoked for anonymous. However, since the site is publicly accessible, anonymous sessions will be created in the database. The sessions, and the ability to modify preferences, serve no purpose since anonymous has no permissions.
On the site I previously managed, I was told the following by the original maintainer:
Trac has the concept of authenticated vs anonymous users. By default an anonymous user can view some pages, while a user must be authenticated to make changes.
Since our trac is accessible from the Internet, I set up permissions such that you must be authenticated to have any permissions (note: the site uses form-based auth with AccountManager).
However, you can still try and access Trac, creating entries in session table. Specifically, a DOS can fill up this table.
It sounds like other changes are needed in addition to preventing access to /prefs. Maybe an allow_anonymous_sessions option is appropriate?
It's possible to work around the issue by using HTTP authentication and requiring authentication to access /, but a change like that described above is probably needed for form-based authentication.
Attachments (0)
Change History (3)
comment:1 by , 8 years ago
Description: | modified (diff) |
---|
comment:2 by , 8 years ago
comment:3 by , 8 years ago
(Some Notification preference panels are already hidden from anonymous users. If a general permission mechanism for this is implemented, then those could maybe profit from that, too?)
Replying to Ryan J Ollos:
Or a permission may be more appropriate, e.g. PREFS_MODIFY. We could provide the ability to revoke permissions for admin panels using TracFineGrainedPermissions, using permission checks like PREFS_MODIFY in req.perm('prefs', 'notification').
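An added example, not code from this ticket or from Trac itself, sketching the fine-grained check proposed above: a policy with the same check_permission signature as Trac's IPermissionPolicy that denies a hypothetical PREFS_MODIFY action to anonymous on the prefs realm. Trac is not imported; Resource and perm_check are minimal stand-ins for trac.resource.Resource and PermissionCache so the logic runs stand-alone (a real plugin would be a trac.core.Component listed in [trac] permission_policies).

```python
from collections import namedtuple

# Stand-in for trac.resource.Resource (realm, id), constructed for this example.
Resource = namedtuple("Resource", "realm id")


class HidePrefsFromAnonymousPolicy:
    """Deny the (hypothetical) PREFS_MODIFY action to anonymous on realm 'prefs'.

    Mirrors the IPermissionPolicy contract: return False to deny, True to
    grant, None to let the next policy (or the default policy) decide.
    """

    def check_permission(self, action, username, resource, perm):
        if (action == "PREFS_MODIFY" and resource is not None
                and resource.realm == "prefs" and username == "anonymous"):
            return False
        return None


def perm_check(policies, action, username, resource):
    """Stand-in for PermissionCache: the first definite policy answer wins.

    If no policy decides, fall back to a coarse rule matching the locked-down
    site in the ticket: only authenticated users hold any permission.
    """
    for policy in policies:
        decision = policy.check_permission(action, username, resource, None)
        if decision is not None:
            return decision
    return username != "anonymous"


def visible_panels(policies, username, panels):
    """Panels the user may see, i.e. `PREFS_MODIFY in req.perm('prefs', name)`."""
    return [name for name in panels
            if perm_check(policies, "PREFS_MODIFY", username, Resource("prefs", name))]


if __name__ == "__main__":
    policies = [HidePrefsFromAnonymousPolicy()]
    panels = ["general", "notification"]
    print(visible_panels(policies, "anonymous", panels))  # []
    print(visible_panels(policies, "rjollos", panels))    # ['general', 'notification']
```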