Edgewall Software

Opened 18 years ago

Closed 17 years ago

Last modified 15 years ago

#157 closed defect (fixed)

Fine grained permissions

Reported by: anonymous Owned by: utopiste
Priority: normal Milestone: 0.8.1
Component: general Version: 0.6
Severity: normal Keywords: permission
Cc: pbaker@… Branch:
Release Notes:
API Changes:
Internal Changes:


We should (somehow) support more fine grained access control, a'la mod_authz_svn.

In fact, the configuration file format for authz is trivial, if not even directly compatible with python's configfile parser… We could maybe use that directly, that'd be quite easy to set up.

Attachments (2)

mod_authz_perm_p1.patch (6.7 KB ) - added by Utopiste 18 years ago.
First patch for mod_authz support
mod_authz_perm_p1.2.patch (9.3 KB ) - added by utopiste 18 years ago.
work on trunk, initial changeset support

Download all attachments as: .zip

Change History (22)

comment:1 by ben, 18 years ago

Severity: normalmajor

i just wanted to add that this missing feature can be a real showstopper. we're using subversion as a service for computer science projects or bachelor/master thesises at my university and these get stored in one repository with usage of mod_authz for fine grained permissions. the problem is not the browser itself which could certainly have some kind of access control via apache, but with the changesets in the timeline this is simply not possible. this way it is possible to look into source codes or thesises without having the proper permission. as a result it is not possible to use trac in a configuration like we have which is really a pity!

comment:2 by anonymous, 18 years ago

Priority: normalhigh

Not to mention if you are using it commercially…. Let's just say all the beneifts of providing external access to this cool tool would be much more than negated. This is the only showstopper I see so far, to our usage.

comment:3 by Jonas Borgström, 18 years ago

Milestone: 0.8

comment:4 by daniel, 18 years ago

Owner: changed from Jonas Borgström to utopiste
Status: newassigned

comment:5 by utopiste, 18 years ago

For more information about this feature consult the FineGrainedPermissions page

comment:6 by anonymous, 18 years ago

Milestone: 0.81.0

comment:7 by utopiste, 18 years ago

Oops… Trac detected an internal error: authz read privileges required to view this file

wouhou :) (ok currently only in File.py, but it's a beginning)

Primary release in few day

by Utopiste, 18 years ago

Attachment: mod_authz_perm_p1.patch added

First patch for mod_authz support

comment:8 by Jonas Borgström, 18 years ago

Cool, I'm looking forward to this feature.

comment:9 by Jonas Borgström, 18 years ago

Duh, just noticed your patch. It looks nice, is this something you would like to have merged into trunk right now?

by utopiste, 18 years ago

Attachment: mod_authz_perm_p1.2.patch added

work on trunk, initial changeset support

comment:10 by utopiste, 18 years ago

Initial changeset support

work on the latest trunk

comment:11 by Jonas Borgström, 18 years ago

Milestone: 1.00.8

Great work, moving this to 0.8

comment:12 by Jonas Borgström, 18 years ago

Patch merged into trunk.

A few comments:

  • It looks like the current authzperm.py only support sections of the format [repos-name:/path] and not [/path].
  • authz_file option in trac.ini should support relative filenames (relative to the env directory)
  • Should authz limit directory browser access as well?
  • It might be a good idea to load/parse the file when it's modified and not on every request. But ConfigParser might be fast enough for us…

comment:13 by MishaS, 18 years ago

I am checking trunk version of trac and it looks like the module does not seem to support authz groups.

comment:14 by pbaker@…, 18 years ago

Cc: pbaker@… added

I have set up an authz access file for my trac installation and this feature does not seem to work. Nothing is logged to the trac.log about it. You should add some logging for when this feature is detected and used. That would really help out.

comment:15 by daniel, 18 years ago

Should this be included in 0.8, or should we roll back the work so far and push it til 0.9?

How much work is still needed on this?

comment:16 by utopiste, 18 years ago

one limitation fixed in [967]

It looks like the current authzperm.py only support sections of the format [repos-name:/path] and not [/path].

if no authz_module_name= config in the IniFile we use path style section

comment:17 by utopiste, 18 years ago

Keywords: security added
Milestone: 0.80.9
Priority: highnormal
Severity: majornormal

This feature can be used in the 0.8 release. i changed the milestone date to 0.9 because i have some more work to put inside this features (think group support and ACL caching) and i dont want to close this ticket.

FineGrainedPermissions was also updated to reflect this.

comment:18 by utopiste, 18 years ago

initial Browser.py support in [968]

comment:19 by utopiste, 17 years ago

Resolution: fixed
Status: assignedclosed

with the last patch, should be enough stable to be used in the next version of trac

comment:20 by sid, 15 years ago

Keywords: permission added; security removed

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain utopiste.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from utopiste to the specified user.

Add Comment

E-mail address and name can be saved in the Preferences .
Note: See TracTickets for help on using tickets.