
Opened 7 years ago

Last modified 3 years ago

#12912 new defect

AuthzPolicy fine permissions for timeline and search

Reported by: humitos@…
Owned by:
Priority: normal
Milestone: next-dev-1.7.x
Component: general
Version: 1.2.2
Severity: normal
Keywords: authz, permissions
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description

Hi,

I've been using trac for years now, and during all this time I've been using AuthzPolicy to define permissions. Today I noticed that none of my users ever saw the SEARCH and TIMELINE buttons, so I went to my authzpolicy.conf file and added this

[*]
@administrators = TRAC_ADMIN
authenticated = SEARCH_VIEW, TIMELINE_VIEW

but it didn't work.

Checking the logs I saw this for SEARCH (notice the None at the end)

2017-09-10 13:57:38,827 Trac[authz_policy] DEBUG: Checking SEARCH_VIEW on *:*@*
2017-09-10 13:57:38,828 Trac[authz_policy] DEBUG: *:*@* matched section *:*@* for user johanna
2017-09-10 13:57:38,831 Trac[authz_policy] DEBUG: Checking WIKI_VIEW on *:*@*
2017-09-10 13:57:38,831 Trac[authz_policy] DEBUG: *:*@* matched section *:*@* for user johanna
2017-09-10 13:57:38,832 Trac[perm] DEBUG: No policy allowed johanna performing WIKI_VIEW on None

and this for TIMELINE (note the None at the end):

2017-09-10 13:14:24,654 Trac[authz_policy] DEBUG: Checking TIMELINE_VIEW on timeline:*@*
2017-09-10 13:14:24,655 Trac[authz_policy] DEBUG: timeline:*@* matched section timeline:*@* for user johanna
2017-09-10 13:14:24,658 Trac[authz_policy] DEBUG: Checking WIKI_VIEW on *:*@*
2017-09-10 13:14:24,658 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user johanna
2017-09-10 13:14:24,659 Trac[perm] DEBUG: No policy allowed johanna performing WIKI_VIEW on None

I tried with [timeline:*] and [search:*] as resources but it didn't work.

So, I went to check the code and I found that the resource is None at this file https://trac.edgewall.org/browser/trunk/trac/perm.py#L518 and it's passed as None to https://trac.edgewall.org/browser/trunk/tracopt/perm/authz_policy.py#L143.

For some reason, the resource is marked as None so there is no way to catch it (I also tried with [None] :)

I'm using these python package versions:

Genshi==0.7
Pygments==2.2.0
Trac==1.2.2
## FIXME: could not find svn URL in dependency_links for this package:
TracSectionEditPlugin==0.2.6-r11208
argparse==1.2.1
click==6.7
configobj==5.0.6
docutils==0.14
pur==4.0.2
regex==2017.07.28
six==1.10.0
textile==2.3.16
wsgiref==0.1.2

Please, let me know if I can add more information.

Thanks!

Attachments (2)

Screen Shot 2017-09-10 at 21.55.21.png (70.9 KB ) - added by Ryan J Ollos 7 years ago.
Screen Shot 2017-09-10 at 21.55.46.png (60.5 KB ) - added by Ryan J Ollos 7 years ago.


Change History (6)

by Ryan J Ollos, 7 years ago

by Ryan J Ollos, 7 years ago

comment:1 by Ryan J Ollos, 7 years ago

The following are equivalent to make the TimelineModule and SearchModule visible:

  1. Use the coarse-grained permissions system (DefaultPermissionPolicy) to grant SEARCH_VIEW and TIMELINE_VIEW. When there are no matches for AuthzPolicy, DefaultPermissionPolicy is consulted.
  2. Add the following to the end of the authz configuration file:

     [*]
     authenticated = SEARCH_VIEW, TIMELINE_VIEW


Most things will work fine if you use the fine-grained permissions system to revoke permissions and fall back to the normal coarse-grained permissions system. For example, revoking WIKI_VIEW on a set of pages and using coarse-grained WIKI_VIEW to grant view access to all except that set:

[wiki:PrivatePages/*]
authenticated = WIKI_VIEW
anonymous = !WIKI_VIEW

$ trac-admin ../tracenvs/proj-1.2-1 permission list anonymous

User       Action
------------------------
anonymous  SEARCH_VIEW
anonymous  TIMELINE_VIEW
anonymous  WIKI_VIEW

With these permissions anonymous can search and see pages in the timeline, except those under /wiki/PrivatePages. The timeline and search results for an unrestricted user show modifications to /wiki/PrivatePages/PageOne and /wiki/PrivatePages/PageTwo, but they are not shown to the user with restricted privileges:

You can also selectively grant permissions to resources and revoke from all others, and things work fine as long as you keep the coarse-grained permissions as the fallback for SearchModule and TimelineModule:

[wiki:WikiStart]
anonymous = WIKI_VIEW

[wiki:*]
* =

$ trac-admin ../tracenvs/proj-1.2-1 permission list anonymous

User       Action
------------------------
anonymous  SEARCH_VIEW
anonymous  TIMELINE_VIEW
anonymous  WIKI_VIEW

The WIKI navigation item will be visible, but only WikiStart will be viewable by anonymous. Timeline events and search results will be shown for WikiStart.

The reason for the WIKI_VIEW on None message is that a realm or resource is not specified in the permissions check in get_search_filters, and similarly for get_timeline_filters.

More work is needed to support AuthzPolicy rules for realms like search and timeline. We've been chipping away at this for many releases (#11069, #11176, #11986), but there's more work to do.

The following policy could be used with some changes ([d89fd1c95/rjollos.git]). More work is needed to address realms other than wiki.

[search:*]
anonymous = SEARCH_VIEW, WIKI_VIEW

[timeline:*]
anonymous = TIMELINE_VIEW, WIKI_VIEW

However, with careful manipulation of the coarse- and fine-grained permission policies you can probably accomplish what you need without waiting for those changes to land. If you share your authz configuration I can provide more specific advice.

Last edited 7 years ago by Ryan J Ollos (previous) (diff)
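To make the decision chain described in comment:1 concrete, here is a small Python model, added here and not Trac's own code, of how an AuthzPolicy section is matched against the `realm:id@version` key and how the coarse-grained policy is consulted when AuthzPolicy has no opinion. The helper names (`normalise_resource`, `authz_policy`, `check`), the list-of-tuples representation of the authz file and the simplified group handling are assumptions of the model; the configurations, users and resources are the ones on this ticket.

```python
from fnmatch import fnmatch

# Constructed model (an added illustration, not Trac's own code) of how
# AuthzPolicy matches a section and how PermissionSystem falls back to the
# coarse-grained DefaultPermissionPolicy. Meta-permission expansion (e.g.
# TRAC_ADMIN implying every action) is deliberately not modelled.
# authz: [(section, [(who, [perms])])] in file order; groups: user -> set;
# coarse: the per-user grants that 'trac-admin permission list' would show.

def normalise_resource(resource):
    """Key a section glob is matched against. A missing resource (the None
    in the ticket's log lines) becomes '*:*@*', which only '[*]' can match."""
    if resource is None:
        return "*:*@*"
    realm, rid, version = resource
    return "%s:%s@%s" % (realm or "*", rid or "*", version or "*")

def who_applies(who, user, groups):
    return (who in ("*", user)
            or (who == "authenticated" and user != "anonymous")
            or (who == "anonymous" and user == "anonymous")
            or (who.startswith("@") and who[1:] in groups.get(user, ())))

def authz_policy(authz, groups, user, action, resource):
    """First matching section, first applicable rule decides: True granted,
    False revoked ('!ACTION' or an empty rule such as '* ='), None no opinion."""
    key = normalise_resource(resource)
    for section, rules in authz:
        glob = section if "@" in section else section + "@*"
        if not fnmatch(key, glob):
            continue
        for who, perms in rules:
            if who_applies(who, user, groups):
                if not perms or "!" + action in perms:
                    return False
                return True if action in perms else None
    return None

def check(authz, groups, coarse, user, action, resource=None):
    # AuthzPolicy first; if it has no opinion, the coarse-grained grants decide.
    decision = authz_policy(authz, groups, user, action, resource)
    if decision is not None:
        return decision
    return action in coarse.get(user, ())

# The reporter's setup (all grants in authz, no coarse-grained ones) ...
REPORTER_AUTHZ = [("*", [("@administrators", ["TRAC_ADMIN"]),
                         ("authenticated", ["SEARCH_VIEW", "TIMELINE_VIEW"])])]
# ... versus comment:1: WIKI_VIEW kept coarse-grained as the fallback and
# revoked in authz only under PrivatePages.
FIX_AUTHZ = [("wiki:PrivatePages/*", [("authenticated", ["WIKI_VIEW"]),
                                      ("anonymous", ["!WIKI_VIEW"])])]
COARSE = {"anonymous": {"SEARCH_VIEW", "TIMELINE_VIEW", "WIKI_VIEW"}}
```

With the reporter's configuration, `check(REPORTER_AUTHZ, {}, {}, "johanna", "WIKI_VIEW")` reproduces the "No policy allowed johanna performing WIKI_VIEW on None" outcome, while the same call against `FIX_AUTHZ` and `COARSE` is granted because the coarse-grained WIKI_VIEW catches the resource-less check.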

comment:2 by Ryan J Ollos, 7 years ago (in reply to: description)

Milestone: next-dev-1.3.x

Let me know if you arrive at a solution or need additional pointers. Provided we can get it working for you, I will defer this ticket to a major release since I don't particularly like changing the behavior for minor releases. I am still considering the proper behavior and I think we'll need more extensive examples for the TracFineGrainedPermissions page.

Replying to humitos@…:

## FIXME: could not find svn URL in dependency_links for this package:
TracSectionEditPlugin==0.2.6-r11208

If you have a requirements.txt for installing with pip you can use: svn+https://trac-hacks.org/svn/sectioneditplugin/1.2/.

comment:3 by Ryan J Ollos, 5 years ago

Milestone: next-dev-1.3.x → next-dev-1.5.x

Milestone renamed

comment:4 by Ryan J Ollos, 3 years ago

Milestone: next-dev-1.5.x → next-dev-1.7.x

Milestone renamed
