
Opened 12 years ago

Last modified 9 months ago

#6644 new defect

Authz_policy plugin doesn't work with [*]

Reported by: anonymous
Owned by:
Priority: normal
Milestone: next-stable-1.2.x
Component: general
Version: 0.11b1
Severity: normal
Keywords: permissions authzpolicy
Cc: benjamin@…, leho@…
Branch:
Release Notes:
API Changes:

Description

normalise_resource returns None for "blank" resources, and authz_permissions doesn't understand None as [*]

Attachments (1)

authz_policy.patch (582 bytes) - added by anonymous 12 years ago.
very very simple patch


Change History (19)

by anonymous, 12 years ago

Attachment: authz_policy.patch added

very very simple patch

comment:1 by Alec Thomas, 12 years ago

normalise_resource returns '' for blank resources in the test cases I've tried. eg.

>>> r = Resource()
>>> AuthzPolicy.normalise_resource(r)
''
>>> r = None
>>> AuthzPolicy.normalise_resource(r)
''

Can you provide an example of how this is causing problems?

comment:2 by Alec Thomas, 12 years ago

Owner: changed from Jonas Borgström to Alec Thomas
Status: new → assigned

comment:3 by anonymous, 12 years ago (in reply to comment:1)

My fault… it returns ' ', but authz_permissions doesn't understand ' ' as [*]…
Example:
Remove all permissions from trac.db
Use this authzpolicy.conf:

[*]
* = TIMELINE_VIEW

It doesn't work as expected: I'm not able to see /timeline (Trac says: no TIMELINE_VIEW privilege).

comment:4 by Alec Thomas, 12 years ago

Resolution: worksforme
Status: assigned → closed

Are you sure you're running the latest version of authz_policy? This works for me:

[*]
* = WIKI_VIEW

And here's the corresponding log entry:

2008-01-18 00:06:45,332 Trac[authz_policy] DEBUG: wiki:WikiStart@* matched section *@* for user athomas

I'm going to close this ticket for now.

comment:5 by anonymous, 12 years ago

Resolution: worksforme
Status: closed → reopened

I use authz_policy r6326, all permissions on db removed.

This works on /wiki:

[*]
* = WIKI_VIEW

This doesn't work on /timeline (TIMELINE_VIEW privileges are required to perform this operation):

[*]
* = TIMELINE_VIEW

This doesn't work on /roadmap (MILESTONE_VIEW privileges are required to perform this operation):

[*]
* = MILESTONE_VIEW, ROADMAP_VIEW

comment:6 by benjamin@…, 11 years ago

Cc: benjamin@… added

There are two problems AFAIK. One is when the resource is None; the other is that the permissions are not expanded correctly (ticket #7467).

Now if the resource is None, then the normalized_resource is just an empty string. This will not match against the [*] entry, because @* is appended. And *@* does not match an empty string.
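
The matching failure described in comment:6 can be reproduced without a Trac install. The following Python is an added example, not code from this ticket, from the attached patch or from Trac's authz_policy module: it is a deliberately simplified model of the plugin's section matching (first matching section wins, `@*` appended to a section name with no version part, fnmatch glob semantics) with groups, the `authenticated` pseudo-user and action expansion left out. The policy table is constructed from the authzpolicy.conf fragments in comment:5 and comment:10, and the decision values (True = granted, False = `*` set to nothing, None = the policy abstains and Trac falls through to the next permission policy) are an assumed simplification of the real return contract. The two normalisations compared are the `''` key the ticket complains about and the `*:*@*` key visible in the 0.12 log in comment:11.

```python
from fnmatch import fnmatch

# Constructed policy, modelled on the authzpolicy.conf fragments in this ticket
# (not a real config). Section name -> {user: [actions]}. Dict order stands in
# for file order: the first section whose glob matches decides.
AUTHZ = {
    "wiki:SomeSection*": {"linda": ["WIKI_CREATE", "WIKI_MODIFY", "WIKI_VIEW"]},
    "*": {"*": ["TIMELINE_VIEW"]},
}


def normalise_blank_resource_old():
    """Blank resource (None, or no realm and no id) flattened to '': the
    behaviour this ticket reports."""
    return ""


def normalise_blank_resource_fixed():
    """Blank resource keyed as '*:*@*': the key the 0.12 debug log in this
    ticket shows for TIMELINE_VIEW and friends."""
    return "*:*@*"


def section_glob(section):
    """A section name without a version part gets '@*' appended before it is
    matched against the resource key (as comment:6 describes)."""
    return section if "@" in section else section + "@*"


def authz_permissions(resource_key, username, authz=AUTHZ):
    """Return the action list of the first section whose glob matches the key
    and which has a rule for the user (or for '*'); None if nothing applies.
    Simplified: no groups, no 'authenticated'."""
    for section, rules in authz.items():
        if not fnmatch(resource_key, section_glob(section)):
            continue
        for who, actions in rules.items():
            if who in ("*", username):
                return list(actions)
    return None


def check_permission(action, username, resource_key, authz=AUTHZ):
    """Assumed simplified decision: True = granted, False = everything denied
    ('* =' with no actions), None = policy abstains."""
    perms = authz_permissions(resource_key, username, authz)
    if perms is None:
        return None          # no section matched: nothing in the file applies
    if perms == [""]:
        return False
    return True if action in perms else None


def timeline_decisions(username="linda"):
    """The timeline handler checks TIMELINE_VIEW against a blank resource;
    compare what the [*] section yields under each normalisation."""
    return {
        "old": check_permission("TIMELINE_VIEW", username,
                                normalise_blank_resource_old()),
        "fixed": check_permission("TIMELINE_VIEW", username,
                                  normalise_blank_resource_fixed()),
    }


if __name__ == "__main__":
    # '' does not match '*@*' because the glob requires a literal '@';
    # '*:*@*' does. Expected: False True
    print(fnmatch("", "*@*"), fnmatch("*:*@*", "*@*"))
    # Expected: {'old': None, 'fixed': True}
    print(timeline_decisions())
```

Note that in this model the miss happens before any rule in the `[*]` section is read, so for a blank resource the section is skipped regardless of what it says; whether the effective result is "denied" or "allowed" then depends entirely on the other permission policies Trac consults after this one abstains.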

comment:7 by Christian Boos, 11 years ago

Milestone: 0.11.2 → 0.11.3

comment:8 by lkraav <leho@…>, 10 years ago

Cc: leho@… added

comment:9 by lkraav <leho@…>, 10 years ago

I am apparently struggling with this now on 0.12b1, trying to restrict access to only SomeSection and provide a Timeline view to only that section.

comment:10 by lkraav <leho@…>, 10 years ago

authzpolicy.conf:

[groups]
externals = linda

[wiki:SomeSection*]
linda = WIKI_CREATE, WIKI_MODIFY, WIKI_VIEW

[*]
@externals = TIMELINE_VIEW

results in (0.12b1 r9596):

2010-05-07 12:30:52,131 Trac[main] ERROR: Internal Server Error:
Traceback (most recent call last):
  File "/secure/trac/0.12-2.6/trac-src/trac/web/main.py", line 512, in _dispatch_request
    dispatcher.dispatch(req)
  File "/secure/trac/0.12-2.6/trac-src/trac/web/main.py", line 233, in dispatch
    resp = chosen_handler.process_request(req)
  File "/secure/trac/0.12-2.6/trac-src/trac/timeline/web_ui.py", line 135, in process_request
    available_filters += event_provider.get_timeline_filters(req)
TypeError: 'NoneType' object is not iterable

comment:11 by lkraav <leho@…>, 10 years ago

OK, since I can't edit comments, I'm going to have to repost the debug log in more detail.

------------------------------------------------------------------------------2010/05/07 15:04:42------------------------------------------------------------------------------
2010-05-07 15:04:44,024 Trac[main] DEBUG: Dispatching <Request "GET '/timeline'">
2010-05-07 15:04:44,025 Trac[session] DEBUG: Retrieving session for ID 'linda'
2010-05-07 15:04:44,027 Trac[authz_policy] DEBUG: Checking TIMELINE_VIEW on *:*@*
2010-05-07 15:04:44,027 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:04:44,029 Trac[authz_policy] DEBUG: Checking TICKET_VIEW on *:*@*
2010-05-07 15:04:44,029 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:04:44,031 Trac[perm] DEBUG: No policy allowed linda performing TICKET_VIEW on None
2010-05-07 15:04:44,031 Trac[authz_policy] DEBUG: Checking CHANGESET_VIEW on *:*@*
2010-05-07 15:04:44,032 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:04:44,032 Trac[perm] DEBUG: No policy allowed linda performing CHANGESET_VIEW on None
2010-05-07 15:04:44,036 Trac[main] ERROR: Internal Server Error:
Traceback (most recent call last):
  File "/secure/trac/0.12-2.6/trac-src/trac/web/main.py", line 512, in _dispatch_request
    dispatcher.dispatch(req)
  File "/secure/trac/0.12-2.6/trac-src/trac/web/main.py", line 233, in dispatch
    resp = chosen_handler.process_request(req)
  File "/secure/trac/0.12-2.6/trac-src/trac/timeline/web_ui.py", line 135, in process_request
    available_filters += event_provider.get_timeline_filters(req)
TypeError: 'NoneType' object is not iterable
2010-05-07 15:16:42,890 Trac[authz_policy] DEBUG: Checking TRAC_ADMIN on *:*@*
2010-05-07 15:16:42,890 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,891 Trac[perm] DEBUG: No policy allowed linda performing TRAC_ADMIN on None
2010-05-07 15:16:42,891 Trac[chrome] DEBUG: Prepare chrome data for request
2010-05-07 15:16:42,892 Trac[authz_policy] DEBUG: Checking TICKET_CREATE on *:*@*
2010-05-07 15:16:42,892 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,893 Trac[perm] DEBUG: No policy allowed linda performing TICKET_CREATE on None
2010-05-07 15:16:42,893 Trac[authz_policy] DEBUG: Checking SEARCH_VIEW on *:*@*
2010-05-07 15:16:42,893 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,894 Trac[perm] DEBUG: No policy allowed linda performing SEARCH_VIEW on None
2010-05-07 15:16:42,895 Trac[authz_policy] DEBUG: Checking BROWSER_VIEW on repository:*@*/source:/@*
2010-05-07 15:16:42,895 Trac[authz_policy] DEBUG: repository:*@*/source:/@* matched section *@* for user linda
2010-05-07 15:16:42,895 Trac[perm] DEBUG: No policy allowed linda performing BROWSER_VIEW on <Resource u'repository, source:/'>
2010-05-07 15:16:42,896 Trac[authz_policy] DEBUG: Checking PERMISSION_GRANT on *:*@*
2010-05-07 15:16:42,896 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,897 Trac[perm] DEBUG: No policy allowed linda performing PERMISSION_GRANT on None
2010-05-07 15:16:42,897 Trac[authz_policy] DEBUG: Checking PERMISSION_REVOKE on *:*@*
2010-05-07 15:16:42,897 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,898 Trac[perm] DEBUG: No policy allowed linda performing PERMISSION_REVOKE on None
2010-05-07 15:16:42,898 Trac[authz_policy] DEBUG: Checking TICKET_ADMIN on *:*@*
2010-05-07 15:16:42,898 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,898 Trac[perm] DEBUG: No policy allowed linda performing TICKET_ADMIN on None
2010-05-07 15:16:42,899 Trac[authz_policy] DEBUG: Checking MILESTONE_VIEW on *:*@*
2010-05-07 15:16:42,899 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,899 Trac[perm] DEBUG: No policy allowed linda performing MILESTONE_VIEW on None
2010-05-07 15:16:42,900 Trac[authz_policy] DEBUG: Checking VERSIONCONTROL_ADMIN on *:*@*
2010-05-07 15:16:42,900 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,900 Trac[perm] DEBUG: No policy allowed linda performing VERSIONCONTROL_ADMIN on None
2010-05-07 15:16:42,901 Trac[authz_policy] DEBUG: Checking BLOG_ADMIN on blog:*@*
2010-05-07 15:16:42,901 Trac[authz_policy] DEBUG: blog:*@* matched section *@* for user linda
2010-05-07 15:16:42,901 Trac[perm] DEBUG: No policy allowed linda performing BLOG_ADMIN on <Resource 'blog'>
2010-05-07 15:16:42,902 Trac[authz_policy] DEBUG: Checking ROADMAP_VIEW on *:*@*
2010-05-07 15:16:42,902 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,903 Trac[perm] DEBUG: No policy allowed linda performing ROADMAP_VIEW on None
2010-05-07 15:16:42,903 Trac[authz_policy] DEBUG: Checking WIKI_VIEW on wiki:*@*
2010-05-07 15:16:42,904 Trac[authz_policy] DEBUG: wiki:*@* matched section *@* for user linda
2010-05-07 15:16:42,904 Trac[perm] DEBUG: No policy allowed linda performing WIKI_VIEW on <Resource 'wiki'>
2010-05-07 15:16:42,904 Trac[authz_policy] DEBUG: Checking BLOG_VIEW on blog:*@*
2010-05-07 15:16:42,905 Trac[authz_policy] DEBUG: blog:*@* matched section *@* for user linda
2010-05-07 15:16:42,905 Trac[perm] DEBUG: No policy allowed linda performing BLOG_VIEW on <Resource 'blog'>
2010-05-07 15:16:42,905 Trac[authz_policy] DEBUG: Checking EMAIL_VIEW on *:*@*
2010-05-07 15:16:42,906 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,906 Trac[perm] DEBUG: No policy allowed linda performing EMAIL_VIEW on None

When I give CHANGESET_VIEW in DefaultPermissionPolicy, then at least the timeline won't crash. But why are we crashing way before we are even checking for WIKI_VIEW in any capacity?

comment:12 by benjamin@…, 10 years ago

I created an implementation that works in this case. Not sure what exactly I needed to change though. (It also works around another bug in the public API with expand_actions, IIRC. However, that one is fixed in 0.12.)

http://git.sipsolutions.net/?p=joomlaplugin.git;a=blob;f=0.11/joomla/authz_policy.py;h=cf28bdf42f4beba7ab4da3d6d67ba930fe4abe2e;hb=HEAD

comment:13 by lkraav <leho@…>, 10 years ago

comment:6:ticket:9316 r9645 helps; we are not crashing anymore when the user does not have CHANGESET_VIEW. The timeline can be viewed even with no filter providers listed on the right.

I guess now it's possible to focus on the original problem.

benjamin, I'm working through a diff of your authz_policy against the tracopt trunk one to figure out how you've made this work.

comment:14 by lkraav <leho@…>, 10 years ago

From what I gather, Timeline checks for WIKI_VIEW on wiki:*@* first. If that fails it won't even check permissions for any subpages that are within the specified time range and are otherwise available with AuthzPolicy permissions. This seems to be some kind of a defect, although not necessarily what this ticket is about.

Some guidance on whether to continue here or file a new one would be helpful. Also, some deeper core insight on how to make this work would be helpful :)

comment:15 by Ryan J Ollos, 5 years ago

Keywords: authzpolicy added

comment:16 by Ryan J Ollos, 5 years ago

Milestone: next-minor-0.12.x → next-stable-1.0.x

comment:17 by Ryan J Ollos, 4 years ago

Owner: Alec Thomas removed
Status: reopened → new

comment:18 by Ryan J Ollos, 3 years ago

Milestone: next-stable-1.0.x → next-stable-1.2.x

Moved ticket assigned to next-stable-1.0.x since maintenance of 1.0.x is coming to a close. Please move the ticket back if it's critical to fix on 1.0.x.
