
Opened 13 years ago

Closed 12 years ago

Last modified 12 years ago

#8445 closed defect (fixed)

authz_policy receives 'None' as resource

Reported by: funsheep@…
Owned by: Remy Blank
Priority: normal
Milestone: 0.12
Component: general
Version: 0.11.5
Severity: normal
Keywords: authzpolicy verify
Cc: admin@…
Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Christian Boos)

I'm running a trac 0.11.4 system on an Apache2 server. I wanted to have the permissions checked by the AuthzPolicy. I have

  • added the authz_policy field to the trac.ini and a correct path to an authz.conf file
  • enabled the plugin (and for testing purposes disabled all other plugins)
  • set permission_policies = AuthzPolicy
  • authz_policy.py loaded from authz_policy.py - as stated on the website
  • The trac installation is a fresh one, without editing anything. Trac was installed with easy_install
  • The environment is also a fresh one
    • There is a global trac.ini defining the standard permission_policies among other things
    • And there is an environment-specific trac.ini overwriting some of the definitions

My authz.conf looks like:

# vim: syntax=dosini

[groups]
administrator = me
developer = dev1, dev2, dev3

# Match everything else
[*]
@administrator = TRAC_ADMIN
anonymous = BLOG_VIEW, BROWSER_VIEW, CHANGESET_VIEW, FILE_VIEW, LOG_VIEW, MILESTONE_VIEW, REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_VIEW, SEARCH_VIEW, TICKET_VIEW, TIMELINE_VIEW, WIKI_VIEW
authenticated = POLL_VOTE, TICKET_APPEND, TICKET_CREATE
@developer = BLOG_CREATE, BLOG_MODIFY_OWN, WIKI_CREATE, WIKI_DELETE, WIKI_MODIFY, XML_RPC

After reloading Apache I'm not able to see anything but the wiki (the blog plugin is disabled).

After checking the log, I found this entry:

2009-07-03 12:50:00,462 Trac[authz_policy] DEBUG: Checking REPORT_VIEW on 

I then added some more debug lines to the .py file and found this:

        self.log.debug('Checking %s on %s (unnormalized)', action, resource)

gives

2009-07-03 12:50:00,461 Trac[authz_policy] DEBUG: Checking SEARCH_VIEW on None (unnormalized)

And fnmatch between '' and '*@*' (resource_glob) in line 216 returns False.

Some of the permission checks work (therefore I know that the setup is OK). From the log:

2009-07-03 12:50:00,458 Trac[authz_policy] DEBUG: Checking WIKI_VIEW on <Resource 'wiki'> (unnormalized)
2009-07-03 12:50:00,458 Trac[authz_policy] DEBUG: Checking WIKI_VIEW on wiki:*@*
2009-07-03 12:50:00,459 Trac[authz_policy] DEBUG: Resource glob *@*
2009-07-03 12:50:00,459 Trac[authz_policy] DEBUG: fnmatch gives: True
2009-07-03 12:50:00,459 Trac[authz_policy] DEBUG: wiki:*@* matched section *@* for user funsheep

Attachments (2)

authz_policy.py.patch (609 bytes ) - added by admin@… 12 years ago.
patch for empty resource
8445-resource-key-r9250.patch (1.4 KB ) - added by Remy Blank 12 years ago.
Fix key for empty resources.


Change History (18)

comment:1 by Christian Boos, 13 years ago

Description: modified
Keywords: authzpolicy verify added
Summary: authz_policy recieves 'None' as recource → authz_policy receives 'None' as resource

Normally checking against "None" means "is the permission granted in general", so this shouldn't be problematic.

What happens if you add the TICKET_VIEW in the permissions?

comment:2 by Christian Boos, 12 years ago

Keywords: needinfo added

comment:3 by anonymous, 12 years ago

anonymous already has the TICKET_VIEW permission (according to the policy file).

To me it seems that the authz_policy.py does not correctly handle the case of the 'None' resource.

comment:4 by anonymous, 12 years ago

I have now verified that this problem also exists with trac v0.11.5 (just installed it).

comment:5 by Christian Boos, 12 years ago

Keywords: needinfo removed
Milestone: 0.12
Owner: set to Christian Boos

comment:6 by Christian Boos, 12 years ago

Milestone: 0.12
Resolution: worksforme
Status: new → closed

Works for me now. Probably r8786 also helped here, as anonymous is also listed before authenticated in the provided authzpolicy.conf.

No issue with None seen either.

comment:7 by admin@…, 12 years ago

Resolution: worksforme
Status: closed → reopened
Version: 0.11.4 → 0.11.5

I've just encountered this problem on trac 0.11.6 RC1; my authz.conf file contained simply the following:

[*]
* = TRAC_ADMIN

which should grant everyone TRAC_ADMIN.

It threw up the following errors:

2009-11-24 11:31:20,917 Trac[authz_policy] DEBUG: Checking TICKET_CREATE on 
2009-11-24 11:31:20,917 Trac[perm] DEBUG: No policy allowed anonymous performing TICKET_CREATE on None

(That's just a sample the log was pretty long)

The problem seems to be that the resource_key in authz_policy.py is an empty string, so it doesn't match anything in the authz.conf file.

I added the following to the file under authz_permissions:

        if resource_key == '':
            resource_key = '*@*'
            self.env.log.debug('Empty resource_key')
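The matching behaviour this ticket describes (a resource key of the form `realm:id@version`, section names turned into globs such as `*@*`, and an empty key for a global check that `fnmatch` can never match), as an added example written for this page. It is a simplified model, not Trac's own authz_policy.py: the key shape, the first-matching-`who`-wins rule and the `(realm, id, version)` tuple are assumptions, and `empty_key_fix` reproduces the `'*@*'` workaround from comment:7 rather than the patch actually applied in [9345]. The policy text is constructed from the reporter's authz.conf.

```python
from configparser import ConfigParser
from fnmatch import fnmatch

# Constructed policy text, reduced from the reporter's authz.conf in this ticket.
AUTHZ_CONF = """\
[groups]
administrator = me
developer = dev1, dev2, dev3

[*]
@administrator = TRAC_ADMIN
anonymous = REPORT_VIEW, SEARCH_VIEW, TICKET_VIEW, WIKI_VIEW
authenticated = TICKET_APPEND, TICKET_CREATE
@developer = WIKI_CREATE, WIKI_MODIFY
"""


def load_policy(text):
    """Parse authz text into (groups_by_user, {section: {who: [actions]}})."""
    cp = ConfigParser()
    cp.optionxform = str  # keep '@group' names and action names case-sensitive
    cp.read_string(text)
    groups_by_user = {}
    for group, members in cp["groups"].items():
        for member in members.split(","):
            groups_by_user.setdefault(member.strip(), set()).add("@" + group)
    sections = {}
    for name in cp.sections():
        if name == "groups":
            continue
        sections[name] = {who: [a.strip() for a in actions.split(",")]
                          for who, actions in cp[name].items()}
    return groups_by_user, sections


def resource_key(resource, empty_key_fix=False):
    """Key a resource as 'realm:id@version' (assumed shape, matching the logged
    'wiki:*@*'). resource is (realm, id, version) or None for a global check."""
    if resource is None:
        # Ticket behaviour: a global check yields '' and never matches '*@*'.
        # comment:7's workaround keys it as '*@*' so the [*] section applies.
        return "*@*" if empty_key_fix else ""
    realm, rid, version = resource
    return "%s:%s@%s" % (realm, "*" if rid is None else rid,
                         "*" if version is None else version)


def authz_permissions(sections, groups_by_user, key, username):
    """Actions of the first matching 'who' in the first section whose glob
    matches key; None when no section matches (policy has no opinion).
    First-match semantics are an assumption of this model."""
    if username == "anonymous":
        valid_users = {"*", "anonymous"}
    else:
        valid_users = {"*", "authenticated", username}
    valid_users |= groups_by_user.get(username, set())
    for section, entries in sections.items():
        glob = section if "@" in section else section + "@*"  # '[*]' -> '*@*'
        if not fnmatch(key, glob):
            continue
        for who, actions in entries.items():
            if who in valid_users:
                return actions
    return None


def check_permission(policy, action, username, resource, empty_key_fix=False):
    """True/False when a section decides; None when the policy abstains."""
    groups_by_user, sections = policy
    key = resource_key(resource, empty_key_fix)
    actions = authz_permissions(sections, groups_by_user, key, username)
    return None if actions is None else action in actions


def is_allowed(policy, action, username, resource, empty_key_fix=False):
    """Mirror the 'No policy allowed ...' log line: an abstaining policy does
    not grant, so if every policy abstains the request is denied."""
    return check_permission(policy, action, username, resource, empty_key_fix) is True


if __name__ == "__main__":
    policy = load_policy(AUTHZ_CONF)
    for fix in (False, True):
        for user, action, res in [("anonymous", "WIKI_VIEW", ("wiki", None, None)),
                                  ("anonymous", "REPORT_VIEW", None),
                                  ("me", "TRAC_ADMIN", None)]:
            print("fix=%-5s %-9s %-11s key=%-10r -> %s" % (
                fix, user, action, resource_key(res, fix),
                check_permission(policy, action, user, res, fix)))
```

Without the fix, every global check (resource None) keys to `''`, `fnmatch('', '*@*')` is False, the policy abstains, and the permission system denies, which is exactly the "can only see the wiki" symptom: wiki pages carry a real resource and still match. The failure is at least fail-closed; the model also shows why entry order inside a section matters under first-match semantics, since `dev1` checked against `WIKI_MODIFY` hits the `authenticated` line before `@developer`.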

by admin@…, 12 years ago

Attachment: authz_policy.py.patch added

patch for empty resource

comment:8 by admin@…, 12 years ago

Cc: admin@… added

I've attached a patch for the file.

comment:9 by Remy Blank, 12 years ago

OT: Weird, the patch above seems to be rendered with Enscript in the preview…

comment:10 by Christian Boos, 12 years ago (in reply to comment:9)

Milestone: 0.12
Status: reopened → new

Replying to rblank:

OT: Weird, the patch above seems to be rendered with Enscript in the preview…

It's not an unified diff, but a context diff.

I'll verify the issue.

by Remy Blank, 12 years ago

Fix key for empty resources.

comment:11 by Remy Blank, 12 years ago

The patch above has the same effect, but feels slightly less hackish. OTOH, looking at authz_policy.py, I feel there is much to be improved there, both in terms of correctness and performance.

Review appreciated.

Last edited 12 years ago by Remy Blank

comment:12 by Christian Boos, 12 years ago

Patch looks good (but the second chunk is not needed, is it?)

comment:13 by Remy Blank, 12 years ago (in reply to comment:12)

Replying to cboos:

(but the second chunk is not needed, is it?)

It's not needed to solve this issue, but I feel it reads better. Also, it avoids creating two lists in the "authenticated" case.

comment:14 by Christian Boos, 12 years ago (in reply to comment:13)

Replying to rblank:

Also, it avoids creating two lists in the "authenticated" case.

Ah yes, my criterion so far has been to avoid one unnecessary line, but this sure beats it ;-)

comment:15 by Remy Blank, 12 years ago

Resolution: fixed
Status: new → closed

Patch applied in [9345].

comment:16 by Remy Blank, 12 years ago

Owner: changed from Christian Boos to Remy Blank
