Opened 7 years ago
Closed 7 years ago
#12729 closed defect (fixed)
Authz policy doesn't apply anonymous permissions to authenticated group — at Version 1
| Reported by: | Ryan J Ollos | Owned by: | Ryan J Ollos |
|---|---|---|---|
| Priority: | normal | Milestone: | 1.0.14 |
| Component: | general | Version: | |
| Severity: | normal | Keywords: | authzpolicy permissions |
| Cc: | Branch: | ||
| Release Notes: |
The metagroup |
||
| API Changes: | |||
| Internal Changes: | |||
Description
AuthzPolicy claims to follow the normal Trac permission rules, however the authenticated group does not inherit permissions granted to anonymous.
For example, the following grants MILESTONE_VIEW on milestone1 to anonymous users, but not authenticated users as would be expected:
[milestone:milestone1] anonymous = MILESTONE_VIEW
authenticated users can view the milestone when the following rule is added:
[milestone:milestone1] authenticated = MILESTONE_VIEW
The following change seems to fix the issue:
-
tracopt/perm/authz_policy.py
diff --git a/tracopt/perm/authz_policy.py b/tracopt/perm/authz_policy.py index 3c80f6ba5..58363ac5d 100644
a b class AuthzPolicy(Component): 234 234 # TODO: Handle permission negation in sections. eg. "if in this 235 235 # ticket, remove TICKET_MODIFY" 236 236 if username and username != 'anonymous': 237 valid_users = ['*', 'authenticated', username]237 valid_users = ['*', 'authenticated', 'anonymous', username] 238 238 else: 239 239 valid_users = ['*', 'anonymous'] 240 240 for resource_section in [a for a in self.authz.sections()
Change History (1)
comment:1 by , 7 years ago
| Release Notes: | modified (diff) |
|---|---|
| Resolution: | → fixed |
| Status: | assigned → closed |
Note:
See TracTickets
for help on using tickets.
Committed in [15660:15663].