Opened 9 years ago

Closed 5 years ago

Last modified 4 years ago

#8976 closed defect (fixed)

Can't restrict access to specified version of wiki page using FineGrainedPermissions

Reported by: Ryan J Ollos
Owned by: Ryan J Ollos
Priority: normal
Milestone: 1.0.2
Component: wiki system
Version: 0.11-stable
Severity: normal
Keywords: authzpolicy
Cc: leho@…
Release Notes:

Allow specific versions of a wiki page to be viewable by properly enforcing fine-grained permissions.

API Changes:

A page version parameter can be specified in a call to FunctionalTester.go_to_wiki.

Description

This is either a defect, or I am really misreading the documentation.

After not having any success getting the authz configuration to behave the way I was expecting under Trac 0.11.4, I set up the development environment for 0.11.7dev and did some testing.

The following configuration grants access to all versions of WikiStart, as I would expect:

[wiki:WikiStart]
* = WIKI_VIEW

[wiki:WikiStart@*]
* =

That is, it appears that the first match is used to grant WIKI_VIEW to all versions of WikiStart, which seems to agree with the documentation.

Given that, I would expect the following configuration to grant access to only version 3 of WikiStart (there are 7 versions of WikiStart under this instance of Trac):

[wiki:WikiStart@3]
* = WIKI_VIEW

[wiki:WikiStart@*]
* =

However, with the latter configuration, I can't access any versions of WikiStart when navigating to:

http://localhost:8000/tracdev/wiki/WikiStart?version=3

There is a Forbidden Error with:

WIKI_VIEW privileges are required to perform this operation on WikiStart

I've set the LogLevel to DEBUG and will attach the log output from trying to access the aforementioned URL.

Attachments (2)

trac.log (22.7 KB ) - added by Ryan Ollos <ryano@…> 9 years ago.
Log from accessing WikiStart@3
authzpolicy.conf (58 bytes ) - added by Ryan Ollos <ryano@…> 9 years ago.
Authz policy at the time log was created


Change History (19)

Changed 9 years ago by Ryan Ollos <ryano@…>

Attachment: trac.log added

Log from accessing WikiStart@3

comment:1 Changed 9 years ago by Ryan Ollos <ryano@…>

When viewing the attached log, please start at line 87 to see the output from refreshing WikiStart?version=3.

I will also upload the authzpolicy.config file from the time the log was created.

Btw, I tried linking to a particular line in the attachment as can be done with files in the repository, but this doesn't seem to work. I tried: attachment:trac.log#L87. Do I have the syntax wrong, or is the feature not implemented? There is nothing in the documentation TracLinks to imply that this should work, but it seems like it should work since it does for TracLinks with a source: realm.

Changed 9 years ago by Ryan Ollos <ryano@…>

Attachment: authzpolicy.conf added

Authz policy at the time log was created

comment:2 Changed 9 years ago by lkraav <leho@…>

Cc: leho@… added

comment:3 Changed 9 years ago by Michel Jouvin <jouvin@…>

BTW, as discussed in the Google group, it'd be nice to be able to specify @HEAD to enable access only to the last version. In this case, the history menu should also be disabled.

Michel

comment:4 Changed 9 years ago by Christian Boos

Keywords: needinfo verify added

You need to try to reproduce this on trunk, where a number of bugs have been fixed for the AuthzPolicy.

comment:5 Changed 9 years ago by Michel Jouvin <jouvin@…>

Hi,

Very late comment. I gave this another try with r9610. authz_policy seems to have had only minor changes since then. For me the problem is still the same: as soon as you add @* for a page, you cannot access any version, even though you put before it a section for @n, n being a specific version of the page.

Michel

comment:6 Changed 9 years ago by Christian Boos

Milestone: 0.12.1

comment:7 Changed 8 years ago by Christian Boos

Keywords: authzpolicy added; needinfo removed
Milestone: 0.12.1 → next-minor-0.12.x

comment:8 Changed 8 years ago by anonymous

I've been testing out fine-grained permissions in 0.12.1 and came across this problem. In my case I would prefer not to have any history available on the pages of my project wiki that are made public. So while this is being fixed, it would be great to have a simple notation for allowing access to just the most recent version, something like @HEAD.

comment:9 Changed 6 years ago by Ryan J Ollos <ryano@…>

  • trac/wiki/web_ui.py

    diff -r 18584b1c4bff trac/wiki/web_ui.py
    a b  
    122122        page = WikiPage(self.env, pagename)
    123123        versioned_page = WikiPage(self.env, pagename, version=version)
    124124
    125         req.perm(page.resource).require('WIKI_VIEW')
     125        #req.perm(page.resource).require('WIKI_VIEW')
    126126        req.perm(versioned_page.resource).require('WIKI_VIEW')
    127127
    128128        if version and versioned_page.version != int(version):
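Review bot: commenting out `req.perm(page.resource).require('WIKI_VIEW')` rather than deleting it leaves dead code in the handler; if the check is really redundant, remove the line. The remaining `req.perm(versioned_page.resource).require('WIKI_VIEW')` already covers the unversioned case when `version` is None, because `WikiPage(self.env, pagename, version=None)` then describes the same resource as `page`, so the only behavioural change is for an explicit version, where a policy that grants that version but not the bare page now passes. A test for each of the two policies in the description would pin that down.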
     
    623623                       for each in related]
    624624
    625625        latest_page = WikiPage(self.env, page.name, version=None)
    626         req.perm(latest_page.resource).require('WIKI_VIEW')
     626        #req.perm(latest_page.resource).require('WIKI_VIEW')
    627627
    628628        prev_version = next_version = None
    629629        if version:
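Review bot: dropping the `require('WIKI_VIEW')` on `latest_page` is what lets a user who may see only one old version render it, which is the intended fix, but the `prev_version` / `next_version` navigation computed below is then derived without any check that the user may view those adjacent versions; consider guarding each navigation link with a has-permission check on the corresponding versioned resource, and again delete the commented-out line instead of leaving it in place.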

I've found that after dropping these two permission checks, I can restrict access to an arbitrary version of a wiki page. The reasons are obvious, but more work needs to be done (and tests written), to understand the consequences of these changes.

comment:10 Changed 6 years ago by Ryan J Ollos <ryano@…>

The (probably obvious) point of my previous comment was that after spending half of a day experimenting and testing TracFineGrainedPermissions, I didn't find any issues with the plugin (tracopt.perm.authzpolicy.py), rather the issues were with trac.wiki.web_ui not being coded appropriately to handle fine-grained permissions.
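To make the first-match semantics from the description and the cause identified in comment:9 and comment:10 concrete, here is an added Python model. It is not Trac's code and not from this ticket: it evaluates the two policies from the description against the two checks the wiki view handler made (one on the bare page resource, one on the versioned resource) and shows why the second policy fails before the diff in comment:9 and passes after it. The `realm:id@version` key with `@None` for an unversioned resource, the use of `configparser` in place of ConfigObj, and all function names are assumptions made for this example.

```python
import configparser
from fnmatch import fnmatch

# Constructed policy texts, copied from the two configurations in the description.
POLICY_ALL_VERSIONS = """\
[wiki:WikiStart]
* = WIKI_VIEW

[wiki:WikiStart@*]
* =
"""

POLICY_ONLY_VERSION_3 = """\
[wiki:WikiStart@3]
* = WIKI_VIEW

[wiki:WikiStart@*]
* =
"""


def parse_policy(text):
    """Return [(section_glob, [(who, [actions])])] in file order.

    Trac's AuthzPolicy reads its file with ConfigObj; configparser stands in
    here (assumption) because both preserve section order, which first-match
    evaluation depends on.
    """
    cp = configparser.ConfigParser()
    cp.optionxform = str          # keep 'WIKI_VIEW' and '*' exactly as written
    cp.read_string(text)
    policy = []
    for section in cp.sections():
        if section == 'groups':
            continue
        rules = []
        for who, perms in cp.items(section):
            actions = [a.strip() for a in perms.split(',') if a.strip()]
            rules.append((who, actions))
        policy.append((section, rules))
    return policy


def resource_key(realm, id_, version=None):
    """Flatten a resource to the 'realm:id@version' form the section globs are
    matched against.  An unversioned resource ends in '@None' (assumption,
    modelled on stringifying resource.version)."""
    return '%s:%s@%s' % (realm, id_, version)


def check_permission(policy, action, user, key):
    """The first section whose glob matches the key decides; within it the
    first rule naming the user (or '*') decides.  Returns True/False, or None
    when no section matches so that other policies would get a say."""
    for glob, rules in policy:
        if '@' not in glob:
            glob += '@*'              # a bare '[wiki:WikiStart]' covers every version
        if not fnmatch(key, glob):
            continue
        for who, actions in rules:
            if who in ('*', user):
                return action in actions
    return None


def wiki_view_checks(policy_text, version, user='anonymous'):
    """Replay the two checks the wiki view handler performed before the fix:
    one on the bare page resource, one on the versioned resource."""
    policy = parse_policy(policy_text)
    bare = check_permission(policy, 'WIKI_VIEW', user,
                            resource_key('wiki', 'WikiStart'))
    versioned = check_permission(policy, 'WIKI_VIEW', user,
                                 resource_key('wiki', 'WikiStart', version))
    return bare, versioned


def handler_allows(policy_text, version, require_bare_page=True):
    """True if the view handler would serve the request.  With
    require_bare_page=True both checks must pass (pre-fix behaviour); with
    False only the versioned check counts, as after the diff in comment:9."""
    bare, versioned = wiki_view_checks(policy_text, version)
    if require_bare_page and not bare:
        return False
    return bool(versioned)


if __name__ == '__main__':
    for name, text in (('all versions', POLICY_ALL_VERSIONS),
                       ('only version 3', POLICY_ONLY_VERSION_3)):
        for v in (3, 5):
            print(name, 'version', v, 'checks', wiki_view_checks(text, v),
                  'pre-fix', handler_allows(text, v),
                  'post-fix', handler_allows(text, v, require_bare_page=False))
```

Running it shows the mechanism of the bug: under the second policy the bare key `wiki:WikiStart@None` is not matched by `[wiki:WikiStart@3]`, so it falls through to `[wiki:WikiStart@*]` and is denied, and that single denied check is enough to raise the Forbidden error even though `wiki:WikiStart@3` itself is granted. Once only the versioned resource is checked, version 3 is viewable and every other version is still refused.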

comment:11 Changed 5 years ago by Ryan J Ollos

Milestone: next-minor-0.12.x → 1.0.2
Owner: set to Ryan J Ollos
Status: new → assigned

To put a proper fix in place with tests I'll need to utilize [11830] and some forthcoming changesets, in particular some changes that will be committed in #11069. It might be a bit of work to backport it all to 0.12.6, but I'll certainly do that if anyone thinks the fix should be targeted to 0.12.6.

Last edited 5 years ago by Ryan J Ollos

comment:12 Changed 5 years ago by Ryan J Ollos

Reporter: changed from Ryan Ollos <ryano@…> to Ryan J Ollos

comment:13 in reply to: 8 Changed 5 years ago by Ryan J Ollos

Replying to anonymous:

I've been testing out fine-grained permissions in 0.12.1 and came across this problem. In my case I would prefer not to have any history available on the pages of my project wiki that are made public. So while this is being fixed, it would be great to have a simple notation for allowing access to just the most recent version, something like @HEAD.

After spending a little while looking at the code in tags/trac-1.0.1/tracopt/perm/authz_policy.py, I think it will be feasible to restrict access to the most recent version of the page using a syntax such as @HEAD. I think this should be handled in another ticket though, and is probably more appropriate for a major rather than a minor release. Therefore, I've created #11263.

comment:14 Changed 5 years ago by Ryan J Ollos

Component: general → wiki system
Keywords: permissions added; verify removed

comment:15 Changed 5 years ago by Ryan J Ollos

API Changes: modified (diff)
Component: wiki system → general
Keywords: verify added; permissions removed
Release Notes: modified (diff)

Proposed changes can be found in log:rjollos.git:t8976.

comment:16 Changed 5 years ago by Ryan J Ollos

Resolution: fixed
Status: assigned → closed

Committed to 1.0-stable in [12152:12153] and merged to trunk in [12154].

comment:17 Changed 4 years ago by Ryan J Ollos

Component: general → wiki system
Keywords: verify removed
