Authz_policy plugin doesn't work with [*]

[anonymous]

normalise_resource returns None for "blank" resources, and authz_permissions doesn't understand None as [*]

[anonymous]

very very simple patch

[Alec Thomas]

normalise_resource returns '' for blank resources in the test cases I've tried. eg.

>>> r = Resource()
>>> AuthzPolicy.normalise_resource(r)
''
>>> r = None
>>> AuthzPolicy.normalise_resource(r)
''

Can you provide an example of how this is causing problems?

[anonymous]

My fault… it returns ' ', but authz_permissions doesn't understand ' ' as [*]…
Example:
Remove all permissions from trac.db
Use this authzpolicy.conf:

[*]
* = TIMELINE_VIEW

It's not work as expected: I'm not able to see /timeline (trac says: no TIMELINE_VIEW privilege)

[Alec Thomas]

Are you sure you're running the latest version of authz_policy? This works for me:

[*]
* = WIKI_VIEW

And here's the corresponding log entry:

2008-01-18 00:06:45,332 Trac[authz_policy] DEBUG: wiki:WikiStart@* matched section *@* for user athomas

I'm going to close this ticket for now.

[anonymous]

I use authz_polcy r6326, all permissions on db removed.

This works on /wiki:

[*]
* = WIKI_VIEW

This doesn't work on /timeline (TIMELINE_VIEW privileges are required to perform this operation):

[*]
* = TIMELINE_VIEW

This doesn't work on /roadmap (MILESTONE_VIEW privileges are required to perform this operation):

[*]
* = MILESTONE_VIEW, ROADMAP_VIEW

[benjamin@…]

There are two problems AFAIK. One is that if the resource is None, and the other one, that the permissions are not expanded correctly (ticket #7467).

Now if the resource is None, then the normalized_resource is just an empty string. This will not match against the [*] entry, because @* is appended. And *@* does not match an empty string.

[lkraav <leho@…>]

i am apparently struggling with this now on 0.12b1, trying to restrict access to only SomeSection and provide a Timeline view to only that section.

[lkraav <leho@…>]

authzpolicy.conf:

[groups]
externals = linda

[wiki:SomeSection*]
linda = WIKI_CREATE, WIKI_MODIFY, WIKI_VIEW

[*]
@externals = TIMELINE_VIEW

results in (0.12b1 r9596):

2010-05-07 12:30:52,131 Trac[main] ERROR: Internal Server Error:
Traceback (most recent call last):
  File "/secure/trac/0.12-2.6/trac-src/trac/web/main.py", line 512, in _dispatch_request
    dispatcher.dispatch(req)
  File "/secure/trac/0.12-2.6/trac-src/trac/web/main.py", line 233, in dispatch
    resp = chosen_handler.process_request(req)
  File "/secure/trac/0.12-2.6/trac-src/trac/timeline/web_ui.py", line 135, in process_request
    available_filters += event_provider.get_timeline_filters(req)
TypeError: 'NoneType' object is not iterable

[lkraav <leho@…>]

ok since i can't edit comments, im going to have to repost the debug log in more detail.

------------------------------------------------------------------------------2010/05/07 15:04:42------------------------------------------------------------------------------
2010-05-07 15:04:44,024 Trac[main] DEBUG: Dispatching <Request "GET '/timeline'">
2010-05-07 15:04:44,025 Trac[session] DEBUG: Retrieving session for ID 'linda'
2010-05-07 15:04:44,027 Trac[authz_policy] DEBUG: Checking TIMELINE_VIEW on *:*@*
2010-05-07 15:04:44,027 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:04:44,029 Trac[authz_policy] DEBUG: Checking TICKET_VIEW on *:*@*
2010-05-07 15:04:44,029 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:04:44,031 Trac[perm] DEBUG: No policy allowed linda performing TICKET_VIEW on None
2010-05-07 15:04:44,031 Trac[authz_policy] DEBUG: Checking CHANGESET_VIEW on *:*@*
2010-05-07 15:04:44,032 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:04:44,032 Trac[perm] DEBUG: No policy allowed linda performing CHANGESET_VIEW on None
2010-05-07 15:04:44,036 Trac[main] ERROR: Internal Server Error:
Traceback (most recent call last):
  File "/secure/trac/0.12-2.6/trac-src/trac/web/main.py", line 512, in _dispatch_request
    dispatcher.dispatch(req)
  File "/secure/trac/0.12-2.6/trac-src/trac/web/main.py", line 233, in dispatch
    resp = chosen_handler.process_request(req)
  File "/secure/trac/0.12-2.6/trac-src/trac/timeline/web_ui.py", line 135, in process_request
    available_filters += event_provider.get_timeline_filters(req)
TypeError: 'NoneType' object is not iterable
2010-05-07 15:16:42,890 Trac[authz_policy] DEBUG: Checking TRAC_ADMIN on *:*@*
2010-05-07 15:16:42,890 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,891 Trac[perm] DEBUG: No policy allowed linda performing TRAC_ADMIN on None
2010-05-07 15:16:42,891 Trac[chrome] DEBUG: Prepare chrome data for request
2010-05-07 15:16:42,892 Trac[authz_policy] DEBUG: Checking TICKET_CREATE on *:*@*
2010-05-07 15:16:42,892 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,893 Trac[perm] DEBUG: No policy allowed linda performing TICKET_CREATE on None
2010-05-07 15:16:42,893 Trac[authz_policy] DEBUG: Checking SEARCH_VIEW on *:*@*
2010-05-07 15:16:42,893 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,894 Trac[perm] DEBUG: No policy allowed linda performing SEARCH_VIEW on None
2010-05-07 15:16:42,895 Trac[authz_policy] DEBUG: Checking BROWSER_VIEW on repository:*@*/source:/@*
2010-05-07 15:16:42,895 Trac[authz_policy] DEBUG: repository:*@*/source:/@* matched section *@* for user linda
2010-05-07 15:16:42,895 Trac[perm] DEBUG: No policy allowed linda performing BROWSER_VIEW on <Resource u'repository, source:/'>
2010-05-07 15:16:42,896 Trac[authz_policy] DEBUG: Checking PERMISSION_GRANT on *:*@*
2010-05-07 15:16:42,896 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,897 Trac[perm] DEBUG: No policy allowed linda performing PERMISSION_GRANT on None
2010-05-07 15:16:42,897 Trac[authz_policy] DEBUG: Checking PERMISSION_REVOKE on *:*@*
2010-05-07 15:16:42,897 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,898 Trac[perm] DEBUG: No policy allowed linda performing PERMISSION_REVOKE on None
2010-05-07 15:16:42,898 Trac[authz_policy] DEBUG: Checking TICKET_ADMIN on *:*@*
2010-05-07 15:16:42,898 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,898 Trac[perm] DEBUG: No policy allowed linda performing TICKET_ADMIN on None
2010-05-07 15:16:42,899 Trac[authz_policy] DEBUG: Checking MILESTONE_VIEW on *:*@*
2010-05-07 15:16:42,899 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,899 Trac[perm] DEBUG: No policy allowed linda performing MILESTONE_VIEW on None
2010-05-07 15:16:42,900 Trac[authz_policy] DEBUG: Checking VERSIONCONTROL_ADMIN on *:*@*
2010-05-07 15:16:42,900 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,900 Trac[perm] DEBUG: No policy allowed linda performing VERSIONCONTROL_ADMIN on None
2010-05-07 15:16:42,901 Trac[authz_policy] DEBUG: Checking BLOG_ADMIN on blog:*@*
2010-05-07 15:16:42,901 Trac[authz_policy] DEBUG: blog:*@* matched section *@* for user linda
2010-05-07 15:16:42,901 Trac[perm] DEBUG: No policy allowed linda performing BLOG_ADMIN on <Resource 'blog'>
2010-05-07 15:16:42,902 Trac[authz_policy] DEBUG: Checking ROADMAP_VIEW on *:*@*
2010-05-07 15:16:42,902 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,903 Trac[perm] DEBUG: No policy allowed linda performing ROADMAP_VIEW on None
2010-05-07 15:16:42,903 Trac[authz_policy] DEBUG: Checking WIKI_VIEW on wiki:*@*
2010-05-07 15:16:42,904 Trac[authz_policy] DEBUG: wiki:*@* matched section *@* for user linda
2010-05-07 15:16:42,904 Trac[perm] DEBUG: No policy allowed linda performing WIKI_VIEW on <Resource 'wiki'>
2010-05-07 15:16:42,904 Trac[authz_policy] DEBUG: Checking BLOG_VIEW on blog:*@*
2010-05-07 15:16:42,905 Trac[authz_policy] DEBUG: blog:*@* matched section *@* for user linda
2010-05-07 15:16:42,905 Trac[perm] DEBUG: No policy allowed linda performing BLOG_VIEW on <Resource 'blog'>
2010-05-07 15:16:42,905 Trac[authz_policy] DEBUG: Checking EMAIL_VIEW on *:*@*
2010-05-07 15:16:42,906 Trac[authz_policy] DEBUG: *:*@* matched section *@* for user linda
2010-05-07 15:16:42,906 Trac[perm] DEBUG: No policy allowed linda performing EMAIL_VIEW on None

when i give CHANGESET_VIEW in defaultpermissionpolicy, then at least timeline won't crash. but why are we crashing way before we are even checking for WIKI_VIEW in any capacity?

[benjamin@…]

I created an implementation that works in this case. Not sure what exactly I needed to change though. (It also works around another bug in the public api with expand_actions, iirc. However that one is fixed in 0.12)

​http://git.sipsolutions.net/?p=joomlaplugin.git;a=blob;f=0.11/joomla/authz_policy.py;h=cf28bdf42f4beba7ab4da3d6d67ba930fe4abe2e;hb=HEAD

[lkraav <leho@…>]

comment:6:ticket:9316 r9645 helps, we are not crashing anymore when user does not have CHANGESET_VIEW. timeline can be viewed even with no filter providers listed on the right.

i guess now it's possible to focus on the original problem.

benjamin, i'm working through a diff of your authz_policy against tracopt trunk one to figure out how you've made this work.

[lkraav <leho@…>]

from what i gather, Timeline checks for WIKI_VIEW on wiki:*@* first. if that fails it won't even check permissions for any subpages that are within specified time range and are otherwise available with AuthzPolicy permissions. this seems to be some kind of a defect, although not necessarily what this ticket is about.

some guidance on whether to continue here or file a new one would be helpful. also, some deeper core insight on how to make this work would be helpful :)

[Ryan J Ollos]

Moved ticket assigned to next-stable-1.0.x since maintenance of 1.0.x is coming to a close. Please move the ticket back if it's critical to fix on 1.0.x.

[Ryan J Ollos]

Milestone renamed