Edgewall Software
Modify

Opened 15 years ago

Closed 12 years ago

#834 closed enhancement (fixed)

Complete ACL management

Reported by: utopiste Owned by: Alec Thomas
Priority: normal Milestone: 0.11
Component: general Version: devel
Severity: normal Keywords: permission
Cc: fabien@…, mark@… Branch:
Release Notes:
API Changes:

Description

The Authz support inside trac do some work, we have some wiki not official patch, but we need a more robust ACL system.

Username or groups | Module  | Item       | Permission
-------------------+---------+------------+--------------
utopiste           | browser | /path/     | ReadWrite
utopiste           | report  | 4          | Read
utopiste           | wiki    | /secret    |
utopiste           | wiki    | /public    | ReadWrite
cmlenz             | browser | /branches/ | ReadWrite
authentified       | ticket  |            | ReadWrite
anonymous          |         |            | ReadOnly
anonymous          | wiki    | /public    | ReadWrite

The AuthzPerm class will be moving to a ACL class and trac will provide import support to load the auth_mod_authz file inside the db. in the first we can provide a trac-admin interface, but for the 1.0 version a web management interface can be created.

Attachments (0)

Change History (14)

comment:1 by utopiste, 15 years ago

Status: newassigned

comment:2 by Jonas Borgström, 15 years ago

But what's the point of storing the authz information in the db if subversion can't use it any longer?

comment:3 by anonymous, 15 years ago

i expect to support both, currently the ini file parsing is not optimised when file are very large and the directory contain a lot of file. the second reason is that i want a universal fine grained permission class. this feature is for the next release, i expect some discussion in the next week.

comment:4 by oohlaf @…, 15 years ago

Looks good, but it doesn't really make sense to have two different versions of permissions on browsing the repository. Why not cache it?

Parse the svn authz file and store it along with the last modified date in the database. If the permissions in that file are changed update the database again. Disable the ability to edit it directly in the database.

Or make a ini setting in trac to disable this, which would allow different access control through trac. Which only makes sense if the repository isn't directly accessable through webdav or svn.

comment:5 by oohlaf @…, 15 years ago

Are you also considering access control based on the component of a new ticket or report? For example, limit the creating of tickets for a certain component to a group op people. From the table above I see limiting reports based on it's number.

Something along the lines of:

Username or groups | Module  | Item             | Permission
-------------------+---------+------------------+--------------
authenticated      | report  | secretcomponent  |
authenticated      | ticket  | secretcomponent  |
utopiste           | report  | secretcomponent  | read
utopiste           | ticket  | secretcomponent  | readwrite

comment:6 by Christopher Lenz, 15 years ago

Milestone: 0.9

As I see it, this is definitely not going to happen for 0.9.

comment:7 by Christopher Lenz, 15 years ago

Severity: majorenhancement

comment:8 by Matthew Good, 14 years ago

#1586 has been marked as a duplicate of this ticket.

comment:9 by anonymous, 14 years ago

Cc: fabien@… added

comment:10 by anonymous, 14 years ago

Cc: mark@… added

comment:11 by Matthew Good, 13 years ago

Milestone: 0.11
Owner: changed from utopiste to alect
Status: assignednew

This should be supported as part of the PermissionPolicy work planned for 0.11. Alec: if you already have another ticket covering this it's probably safe to close this ticket.

comment:12 by anonymous, 13 years ago

Owner: changed from alect to Alec Thomas

(reassign owner to correct username)

comment:13 by sid, 13 years ago

Keywords: permission added; security removed

comment:14 by Alec Thomas, 12 years ago

Resolution: fixed
Status: newclosed

TracDev/SecurityBranch merged in r5514. A sample plugin implementing authz based access control is included as an example.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Alec Thomas.
The resolution will be deleted. Next status will be 'reopened'.
to as closed The owner will be changed from Alec Thomas to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.