#8445 closed defect (fixed)
authz_policy receives 'None' as resource
Reported by: | Owned by: | Remy Blank | |
---|---|---|---|
Priority: | normal | Milestone: | 0.12 |
Component: | general | Version: | 0.11.5 |
Severity: | normal | Keywords: | authzpolicy verify |
Cc: | admin@… | Branch: | |
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description (last modified by )
I'm running a trac 0.11.4 system on an apache2 server. I wanted to have the permissions checked by the AuthzPolicy. I have
- added the authz_policy field to the trac.ini and a correct path to an authz.conf file
- I have enabled the plugin (and for testing purposes disabled all other plugins)
- I have set permission_policies = AuthzPolicy
- authz_policy.py loaded from authz_policy.py - as stated on the website
- The trac installation is a fresh one, without editing anything. Trac was installed with easy_install
- The environment is also a fresh one
- There is a global trac.ini defining the standard permission_policies among other things
- And there is an environment-specific trac.ini overwriting some of the definitions
My authz.conf looks like:
```ini
# vim: syntax=dosini
[groups]
administrator = me
developer = dev1, dev2, dev3

# Match everything else
[*]
@administrator = TRAC_ADMIN
anonymous = BLOG_VIEW, BROWSER_VIEW, CHANGESET_VIEW, FILE_VIEW, LOG_VIEW, MILESTONE_VIEW, REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_VIEW, SEARCH_VIEW, TICKET_VIEW, TIMELINE_VIEW, WIKI_VIEW
authenticated = POLL_VOTE, TICKET_APPEND, TICKET_CREATE
@developer = BLOG_CREATE, BLOG_MODIFY_OWN, WIKI_CREATE, WIKI_DELETE, WIKI_MODIFY, XML_RPC
```
After reloading the apache I'm not able to see anything but the wiki (blog plugin is disabled).
After checking the log, I found this entry
2009-07-03 12:50:00,462 Trac[authz_policy] DEBUG: Checking REPORT_VIEW on
I then added some more debug-lines to the .py file and found this
self.log.debug('Checking %s on %s (unnormalized)', action, resource)
gives
2009-07-03 12:50:00,461 Trac[authz_policy] DEBUG: Checking SEARCH_VIEW on None (unnormalized)
And fnmatch between '' and '*@*' (resource_glob) in line 216 returns false.
Some of the permission checks work (therefore I know that the setup is ok). From the log
```
2009-07-03 12:50:00,458 Trac[authz_policy] DEBUG: Checking WIKI_VIEW on <Resource 'wiki'> (unnormalized)
2009-07-03 12:50:00,458 Trac[authz_policy] DEBUG: Checking WIKI_VIEW on wiki:*@*
2009-07-03 12:50:00,459 Trac[authz_policy] DEBUG: Resource glob *@*
2009-07-03 12:50:00,459 Trac[authz_policy] DEBUG: fnmatch gives: True
2009-07-03 12:50:00,459 Trac[authz_policy] DEBUG: wiki:*@* matched section *@* for user funsheep
```
Attachments (2)
Change History (18)
comment:1 by , 15 years ago
Description: | modified (diff) |
---|---|
Keywords: | authzpolicy verify added |
Summary: | authz_policy recieves 'None' as recource → authz_policy receives 'None' as resource |
comment:2 by , 15 years ago
Keywords: | needinfo added |
---|
comment:3 by , 15 years ago
anonymous does already have the TICKET_VIEW permission (according to the policy file).
To me it seems that the authz_policy.py does not correctly handle the case of the 'None' resource.
comment:4 by , 15 years ago
I have now verified that this problem also exists with trac v0.11.5. (Just installed it).
comment:5 by , 15 years ago
Keywords: | needinfo removed |
---|---|
Milestone: | → 0.12 |
Owner: | set to |
comment:6 by , 15 years ago
Milestone: | 0.12 |
---|---|
Resolution: | → worksforme |
Status: | new → closed |
Works for me now. Probably r8786 also helped here, as anonymous is also listed before authenticated in the provided authzpolicy.conf.
No issue with None seen either.
comment:7 by , 15 years ago
Resolution: | worksforme |
---|---|
Status: | closed → reopened |
Version: | 0.11.4 → 0.11.5 |
I've just encountered this problem on trac 0.11.6 RC1. My authz.conf file contained simply the following:
```ini
[*]
* = TRAC_ADMIN
```
Which should grant everyone TRAC_ADMIN.
It threw up the following errors:
```
2009-11-24 11:31:20,917 Trac[authz_policy] DEBUG: Checking TICKET_CREATE on
2009-11-24 11:31:20,917 Trac[perm] DEBUG: No policy allowed anonymous performing TICKET_CREATE on None
```
(That's just a sample; the log was pretty long.)
The problem seems to be because the resource_key in authz_policy.py is an empty string so doesn't match anything in authz.conf file.
I added the following to the file under authz_permissions
```python
if resource_key == '':
    resource_key = '*@*'
    self.env.log.debug('Empty resource_key')
```
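A simplified model of the matching behaviour this comment describes, added here as an illustration and not taken from the ticket, its attachments or Trac's `authz_policy.py`. The function names, the tuple form of a resource and the `empty_means_any` switch are assumptions.

```python
from fnmatch import fnmatch

# Constructed policy mirroring the single-section authz.conf quoted above.
POLICY = {"*": {"*": ["TRAC_ADMIN"]}}


def resource_key(resource):
    """Flatten a (realm, id, version) tuple to 'realm:id@version'.

    None models a permission check made without a resource and flattens
    to '', as the ticket's debug log shows. Simplified stand-in only.
    """
    if resource is None:
        return ""
    realm, ident, version = resource
    return "%s:%s@%s" % (realm or "*", ident or "*", version or "*")


def section_glob(section):
    """A section without a version part matches any version: '*' -> '*@*'."""
    return section if "@" in section else section + "@*"


def granted(policy, user, resource, empty_means_any=False):
    """Return the permissions the policy grants `user` on `resource`."""
    key = resource_key(resource)
    if empty_means_any and key == "":
        key = "*@*"  # the rewrite proposed in the comment above
    perms = []
    for section, users in policy.items():
        # '' can never match a glob containing a literal '@', so without
        # the rewrite a resource-less check matches no section at all.
        if fnmatch(key, section_glob(section)):
            for name in ("*", user):
                perms.extend(users.get(name, []))
    return perms
```

In this model the rewritten key `*@*` is still matched as a literal string, so it only hits catch-all sections; a realm-specific section such as `wiki:*` continues not to match a resource-less check.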
follow-up: 10 comment:9 by , 15 years ago
OT: Weird, the patch above seems to be rendered with Enscript in the preview…
comment:10 by , 15 years ago
Milestone: | → 0.12 |
---|---|
Status: | reopened → new |
Replying to rblank:
OT: Weird, the patch above seems to be rendered with Enscript in the preview…
It's not a unified diff, but a context diff.
I'll verify the issue.
comment:11 by , 15 years ago
The patch above has the same effect, but feels slightly less hackish. OTOH, looking at authz_policy.py, I feel there is much to be improved there, both in terms of correctness and performance.
Review appreciated.
follow-up: 13 comment:12 by , 15 years ago
Patch looks good (but the second chunk is not needed, is it?)
follow-up: 14 comment:13 by , 15 years ago
Replying to cboos:
(but the second chunk is not needed, is it?)
It's not needed to solve this issue, but I feel it reads better. Also, it avoids creating two lists in the "authenticated" case.
comment:14 by , 15 years ago
Replying to rblank:
Also, it avoids creating two lists in the "authenticated" case.
Ah yes, my criterion so far has been to avoid one unnecessary line, but this sure beats it ;-)
comment:16 by , 15 years ago
Owner: | changed from | to
---|
Normally checking against "None" means "is the permission granted in general", so this shouldn't be problematic.
What happens if you add the TICKET_VIEW in the permissions?