Opened 7 years ago
Last modified 3 years ago
#12912 new defect
AuthzPolicy fine permissions for timeline and search
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | next-dev-1.7.x |
| Component: | general | Version: | 1.2.2 |
| Severity: | normal | Keywords: | authz, permissions |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
Hi,
I've been using Trac for years now, and during all this time I've been using AuthzPolicy to define permissions. Today I noticed that all my users never saw the SEARCH and TIMELINE buttons, so I went to my authzpolicy.conf file and added this:

```
[*]
@administrators = TRAC_ADMIN
authenticated = SEARCH_VIEW, TIMELINE_VIEW
```

but it didn't work.
Checking the logs I saw this for SEARCH (notice the None at the end):

```
2017-09-10 13:57:38,827 Trac[authz_policy] DEBUG: Checking SEARCH_VIEW on *:*@*
2017-09-10 13:57:38,828 Trac[authz_policy] DEBUG: *:*@* matched section *:*@* for user johanna
2017-09-10 13:57:38,831 Trac[authz_policy] DEBUG: Checking WIKI_VIEW on *:*@*
2017-09-10 13:57:38,831 Trac[authz_policy] DEBUG: *:*@* matched section *:*@* for user johanna
2017-09-10 13:57:38,832 Trac[perm] DEBUG: No policy allowed johanna performing WIKI_VIEW on None
```
and this for TIMELINE (note the None at the end):

```
2017-09-10 13:14:24,654 Trac[authz_policy] DEBUG: Checking TIMELINE_VIEW on timeline:*@*
2017-09-10 13:14:24,655 Trac[authz_policy] DEBUG: timeline:*@* matched section timeline:*@* for user johanna
2017-09-10 13:14:24,658 Trac[authz_policy] DEBUG: Checking WIKI_VIEW on *:*@*
2017-09-10 13:14:24,658 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user johanna
2017-09-10 13:14:24,659 Trac[perm] DEBUG: No policy allowed johanna performing WIKI_VIEW on None
```
I tried with `[timeline:*]` and `[search:*]` as resources but it didn't work.

So, I went to check the code and I found that the resource is None at this file https://trac.edgewall.org/browser/trunk/trac/perm.py#L518 and it's passed as None to https://trac.edgewall.org/browser/trunk/tracopt/perm/authz_policy.py#L143. For some reason, the resource is marked as None, so there is no way to catch it (I also tried with `[None]` :)
I'm using these Python package versions:

```
Genshi==0.7
Pygments==2.2.0
Trac==1.2.2
## FIXME: could not find svn URL in dependency_links for this package:
TracSectionEditPlugin==0.2.6-r11208
argparse==1.2.1
click==6.7
configobj==5.0.6
docutils==0.14
pur==4.0.2
regex==2017.07.28
six==1.10.0
textile==2.3.16
wsgiref==0.1.2
```
Please, let me know if I can add more information.
Thanks!
Attachments (2)
Change History (6)
by , 7 years ago

Attachment: Screen Shot 2017-09-10 at 21.55.21.png added

by , 7 years ago

Attachment: Screen Shot 2017-09-10 at 21.55.46.png added
comment:2 by , 7 years ago

Milestone: → next-dev-1.3.x
Let me know if you arrive at a solution or need additional pointers. Provided we can get it working for you, I will defer this ticket to a major release since I don't particularly like changing the behavior for minor releases. I am still considering the proper behavior and I think we'll need more extensive examples for the TracFineGrainedPermissions page.
Replying to humitos@…:

> ## FIXME: could not find svn URL in dependency_links for this package: TracSectionEditPlugin==0.2.6-r11208

If you have a `requirements.txt` for installing with `pip` you can use: `svn+https://trac-hacks.org/svn/sectioneditplugin/1.2/`.
The following are equivalent to make the TimelineModule and SearchModule visible: DefaultPermissionPolicy) to grant SEARCH_VIEW and TIMELINE_VIEW. When there are no matches for AuthzPolicy, DefaultPermissionPolicy is consulted.

Most things will work fine if you use the fine-grained permissions system to revoke permissions and fall back to the normal coarse-grained permissions system. For example, revoking WIKI_VIEW on a set of pages and using coarse-grained WIKI_VIEW to grant view access to all except that set:

With these permissions anonymous can search and see pages in the timeline, except those under /wiki/PrivatesPages:

You can also selectively grant permissions to resources and revoke from all others, and things work fine as long as you keep the coarse-grained permissions as the fallback for SearchModule and TimelineModule:

```
$ trac-admin ../tracenvs/proj-1.2-1 permission list anonymous
User       Action
------------------------
anonymous  SEARCH_VIEW
anonymous  TIMELINE_VIEW
anonymous  WIKI_VIEW
```
With that, the WIKI navigation item will be visible, but only WikiStart will be viewable by anonymous. Timeline events and search results will be shown for WikiStart.
The reason for the `WIKI_VIEW on None` message is that a realm or resource is not specified in the permissions check in get_search_filters, and similarly for get_timeline_filters.

More work is needed to support AuthzPolicy rules for realms like search and timeline. We've been chipping away at this for many releases (#11069, #11176, #11986), but there's more work to do. The following policy could be used with some changes ([d89fd1c95/rjollos.git]). More work is needed to address realms other than wiki.

However, with careful manipulation of the coarse- and fine-grained permission policies you can probably accomplish what you need without waiting for those changes to land. If you share your authz configuration I can provide more specific advice.