Context Navigation

Modify ↓

#12729 closed defect (fixed)

Authz policy doesn't apply anonymous permissions to authenticated group

Reported by:	Ryan J Ollos	Owned by:	Ryan J Ollos
Priority:	normal	Milestone:	1.0.14
Component:	general	Version:
Severity:	normal	Keywords:	authzpolicy permissions
Cc:		Branch:
Release Notes:	The metagroup `authenticated` inherits permissions from `anonymous` in `AuthzPolicy`.
API Changes:
Internal Changes:

Description

AuthzPolicy claims to follow the normal Trac permission rules , however the authenticated group does not inherit permissions granted to anonymous.

For example, the following grants MILESTONE_VIEW on milestone1 to anonymous users, but not authenticated users as would be expected:

[milestone:milestone1]
anonymous = MILESTONE_VIEW

authenticated users can view the milestone when the following rule is added:

[milestone:milestone1]
authenticated = MILESTONE_VIEW

The following change seems to fix the issue:

tracopt/perm/authz_policy.py

diff --git a/tracopt/perm/authz_policy.py b/tracopt/perm/authz_policy.py
index 3c80f6ba5..58363ac5d 100644

                class AuthzPolicy(Component):
         # TODO: Handle permission negation in sections. eg. "if in this
         # ticket, remove TICKET_MODIFY"
         if username and username != 'anonymous':
             valid_users = ['*', 'authenticated', username]
+            valid_users = ['*', 'authenticated', 'anonymous', username]
         else:
             valid_users = ['*', 'anonymous']
         for resource_section in [a for a in self.authz.sections()

Attachments (0)

Change History (1)

comment:1 by Ryan J Ollos, 8 years ago

Release Notes:	modified (diff)
Resolution:	→ fixed
Status:	assigned → closed

Committed in [15660:15663].

Modify Ticket

Change Properties

Summary:
Description:	`AuthzPolicy` claims to follow the [browser:tags/trac-1.0.13/tracopt/perm/authz_policy.py@:102,128#L98 normal Trac permission rules], however the //authenticated// group does not inherit permissions granted to //anonymous//. For example, the following grants `MILESTONE_VIEW` on milestone1 to //anonymous// users, but not //authenticated// users as would be expected: {{{#!ini [milestone:milestone1] anonymous = MILESTONE_VIEW }}} //authenticated// users can view the milestone when the following rule is added: {{{#!ini [milestone:milestone1] authenticated = MILESTONE_VIEW }}} The following change seems to fix the issue: {{{#!diff diff --git a/tracopt/perm/authz_policy.py b/tracopt/perm/authz_policy.py index 3c80f6ba5..58363ac5d 100644 --- a/tracopt/perm/authz_policy.py +++ b/tracopt/perm/authz_policy.py @@ -234,7 +234,7 @@ class AuthzPolicy(Component): # TODO: Handle permission negation in sections. eg. "if in this # ticket, remove TICKET_MODIFY" if username and username != 'anonymous': - valid_users = ['', 'authenticated', username] + valid_users = ['', 'authenticated', 'anonymous', username] else: valid_users = ['*', 'anonymous'] for resource_section in [a for a in self.authz.sections() }}} You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:	The metagroup `authenticated` inherits permissions from `anonymous` in `AuthzPolicy`.
API Changes:
Internal Changes:

Action

leave as closed The owner will remain Ryan J Ollos.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from Ryan J Ollos to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: