Edgewall Software

Opened 5 years ago

Closed 5 years ago

#12729 closed defect (fixed)

Authz policy doesn't apply anonymous permissions to authenticated group

Reported by: Ryan J Ollos
Owned by: Ryan J Ollos
Priority: normal
Milestone: 1.0.14
Component: general
Version:
Severity: normal
Keywords: authzpolicy permissions
Cc:
Branch:
Release Notes:

The metagroup authenticated inherits permissions from anonymous in AuthzPolicy.

API Changes:
Internal Changes:


AuthzPolicy claims to follow the normal Trac permission rules; however, the authenticated group does not inherit permissions granted to anonymous.

For example, the following grants MILESTONE_VIEW on milestone1 to anonymous users, but not authenticated users as would be expected:

anonymous = MILESTONE_VIEW

authenticated users can view the milestone when the following rule is added:

authenticated = MILESTONE_VIEW

The following change seems to fix the issue:

  • tracopt/perm/authz_policy.py

    diff --git a/tracopt/perm/authz_policy.py b/tracopt/perm/authz_policy.py
    index 3c80f6ba5..58363ac5d 100644
    a b class AuthzPolicy(Component):  
    234234        # TODO: Handle permission negation in sections. eg. "if in this
    235235        # ticket, remove TICKET_MODIFY"
    236236        if username and username != 'anonymous':
    237             valid_users = ['*', 'authenticated', username]
     237            valid_users = ['*', 'authenticated', 'anonymous', username]
    238238        else:
    239239            valid_users = ['*', 'anonymous']
    240240        for resource_section in [a for a in self.authz.sections()
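
Review bot: on the changed `valid_users` line in the authenticated branch, adding 'anonymous' means every rule keyed on anonymous now also matches logged-in users, and nothing in the visible change documents or tests that. The TODO just above the branch already notes that permission negation in sections is unhandled, so it is worth stating in the AuthzPolicy documentation that anonymous entries apply to authenticated users too. A regression test would help as well: assert that `anonymous = MILESTONE_VIEW` grants the permission to a logged-in user, and that the `else` branch for anonymous still resolves to `['*', 'anonymous']` only.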


Change History (1)

comment:1 by Ryan J Ollos, 5 years ago

Release Notes: modified (diff)
Resolution: fixed
Status: assigned → closed

Committed in [15660:15663].
