[PATCH] Use permission system to store groups for authz access control
Severity: normal
Keywords: patch svnauthz authzsourcepolicy
We're currently using LDAP to store our users and groups. Our problem with using Subversion-style authz files for restricting access in Trac is that we'd have to define group memberships again in the authz file itself - thus we'd have to manage group memberships twice: once in LDAP, once in the authz file (we're currently NOT using an authz file for Subversion itself for exactly this reason - we're doing it the "hard way" via Apache configuration instead). Basically, this issue is #4224 the other way 'round.
In this context, it would be great if the authz module could simply use the built-in permission system of Trac to retrieve the groups a user belongs to - and not the authz file.
I've written a patch that adds a configuration option authz_use_perm_groups that's false by default, resulting in the current behaviour. If set to true, Trac will not care about the groups section of the authz file and use the PermissionSystem to retrieve the group names instead (currently by fetching all lower-case permissions for the current user and stripping a possible @ in front of the group name). I don't know much about the internal design of Trac so my code is probably quite ugly - but at least it works. Feel free to find a nicer solution. :-)
Please note that this patch would interfere with #4997 since Subversion itself does not implement any of this.
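The group lookup described in this ticket, as an added example that is not the attached patch and not Trac's own code: it shows how the same authz rule gives different answers depending on whether group membership comes from the file's groups section or from lower-case permission names. The names AUTHZ, PERMS, groups_from_permissions, groups_from_file and can_read are hypothetical, the sample data is constructed, and rule matching is simplified to an exact path section with the rights of all matching entries combined.

```python
import configparser

# Constructed authz file; its [groups] section is stale on purpose.
AUTHZ = """
[groups]
devs = alice

[/trunk]
@devs = rw
* =
"""

# Constructed stand-in for the permission store (user -> granted names).
# Upper-case names are actions, lower-case names are treated as groups.
PERMS = {
    "alice": ["WIKI_VIEW", "authenticated"],
    "bob": ["TICKET_VIEW", "@devs", "authenticated"],
}

def groups_from_permissions(user, perms=PERMS):
    """Keep lower-case permission names and strip one leading '@'."""
    names = [p for p in perms.get(user, []) if p.islower()]
    return {n[1:] if n.startswith("@") else n for n in names}

def groups_from_file(user, parser):
    """Groups whose member list in [groups] names the user."""
    if not parser.has_section("groups"):
        return set()
    return {g for g, members in parser.items("groups")
            if user in [m.strip() for m in members.split(",")]}

def can_read(user, path, use_perm_groups, authz_text=AUTHZ, perms=PERMS):
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep names case-sensitive
    parser.read_string(authz_text)
    if use_perm_groups:  # [groups] in the file is ignored entirely
        groups = groups_from_permissions(user, perms)
    else:
        groups = groups_from_file(user, parser)
    if not parser.has_section(path):
        return False  # no rule for this path: deny
    subjects = {user, "*"} | {"@" + g for g in groups}
    return any("r" in rights for who, rights in parser.items(path)
               if who in subjects)

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, can_read(user, "/trunk", False), can_read(user, "/trunk", True))
```

With the option on, every lower-case name granted to a user counts as a group, so the right to grant permissions also controls repository access.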