#3525 closed defect (wontfix)
Project index should check permissions
| Reported by: | | Owned by: | Christopher Lenz |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | general | Version: | 0.9.6 |
| Severity: | normal | Keywords: | |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
The project index generates a list of available projects by searching for subdirectories that happen to be valid trac environments. It simply tries to open those environments and (if that worked flawlessly) adds them to the list of projects.
It should however check if the current user actually has any permissions for the project before adding it to the list. A user needs at least WIKI_VIEW to view the project start page.
I'll prepare a patch to see if this works, but in the meantime I'd like to propose this as a feature request.
Attachments (0)
Change History (3)
comment:1 by , 18 years ago
Component: | mod_python frontend → general |
---|---|
Resolution: | → wontfix |
Status: | new → closed |
comment:2 by , 18 years ago
christian,
If you are still wanting to work on this I would be happy to include it in my multi-project wrapper TraM. There the project index is at "…/all/projects" so we can utilize the authentication cookie for the "all" project.
Post a bug etc over on dev.rectang.com if you are interested etc ;)
Andy
comment:3 by , 18 years ago
Christopher, as I wrote in my original request: It needs to check if the user (if any) actually has any permissions on the project in question. No logged in user would mean that "anonymous" needs to have any permissions. Of course you're right, the wiki start page just happens to be the first page by default, it could change eventually…
Talking about the login: Instead of configuring multiple …/login URLs, I simply protected the virtual host as a whole (since this is exactly what I need here). trac happily accepts this information, no need to click on "login", the user information is "just there". Why shouldn't it be possible to take the REMOTE_USER on the projects list page and see if he's got any permissions with those projects under TracEnvParentDir?
First, we cannot assume that `WIKI_VIEW` is required to view a project. A project may have the wiki disabled, and the default handler set to the timeline, for example. So you'd probably have to check if the user has any permission on a project.

Second, in a “normal” Trac setup, authentication information is not available on the project index page. The only way to make it available would be to require authentication on the project index page itself, because the auth cookies are restricted to the individual project paths. Furthermore, the `IAuthenticator` system that determines how a username is detected is configured per project, so you'd probably need to jump through some hoops to make it work on the project index page.

All in all, I think this should wait for proper multi-project support, where we'll have a “global login”.
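The check discussed in this ticket, as an added example (not Trac's code and not written by any commenter): it lists a project when the request holds any permission at all, rather than `WIKI_VIEW` specifically, and falls back to `anonymous` when no `REMOTE_USER` is present. The (subject, action) row model with group resolution is a simplified assumption, and the project names, user names and function names are constructed for illustration.

```python
# Added example: a simplified model, not Trac's own code.
# Each project maps to rows shaped like a permission table: (subject, action).
# Upper-case actions are permissions; anything else names a group of the subject.

def effective_permissions(rows, remote_user=None):
    """Resolve the permissions a request holds in one project."""
    subjects = {"anonymous"}               # every request counts as anonymous
    if remote_user:                        # REMOTE_USER supplied by the web server
        subjects |= {remote_user, "authenticated"}
    perms = set()
    changed = True
    while changed:                         # follow group membership transitively
        changed = False
        for subject, action in rows:
            if subject not in subjects:
                continue
            if action.isupper():
                perms.add(action)
            elif action not in subjects:
                subjects.add(action)
                changed = True
    return perms


def visible_projects(projects, remote_user=None):
    """Return names of projects in which the request holds any permission."""
    visible = []
    for name, rows in sorted(projects.items()):
        if rows is None:                   # environment failed to open: skip it
            continue
        if effective_permissions(rows, remote_user):
            visible.append(name)
    return visible


# Constructed sample data (hypothetical project and user names).
PROJECTS = {
    "public":   [("anonymous", "WIKI_VIEW")],
    "internal": [("authenticated", "TIMELINE_VIEW")],  # wiki disabled
    "secret":   [("alice", "developers"), ("developers", "TICKET_VIEW")],
    "broken":   None,                      # not a valid environment
}

if __name__ == "__main__":
    for user in (None, "bob", "alice"):
        print(user or "anonymous", visible_projects(PROJECTS, user))
```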