Opened 15 years ago
Last modified 10 years ago
#9355 new defect
authzpolicy FineGrainedPermissions: configuration file order matters, but more/less specific patterns don't
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | normal | Milestone: | unscheduled |
Component: | web frontend | Version: | 0.11.6 |
Severity: | normal | Keywords: | permissions authzpolicy authz configuration |
Cc: | Ryan J Ollos | Branch: | |
Release Notes: | |||
API Changes: | |||
Internal Changes: |
Description
When using FineGrainedPermissions and authzpolicy, we had the following configuration:
@group = user [wiki:Page*] # the page and all subpages @group = WIKI_VIEW [wiki:Page/SpecificSubpage] # a specific subpage @group = WIKI_VIEW, WIKI_MODIFY
The intention was that the given user group should be allowed to edit the specific subpage, but only view the Page
and its other subpages.
However, the user was not able to edit Page/SpecificSubpage
.
Reversing the order of both entries helps.
Although the Subversion authz documentation says that "the most specific path always matches first", Trac's implementation of authz apparently takes the first pattern that matches.
Attachments (0)
Change History (3)
comment:1 by , 15 years ago
Milestone: | → unscheduled |
---|
comment:2 by , 14 years ago
Cc: | added |
---|
comment:4 by , 10 years ago
Cc: | added; removed |
---|
Those are two different things.
On one hand side you have the Subversion authz conventions that we try to apply on Subversion repositories (see SvnAuthz), on the other side we have something similar (AuthzPolicy) that we apply on all Trac resources. We never said that our authz policy should behave like the Subversion authz.
Trying to apply the most specific rules regardless of the order would be significantly harder to do than what we currently do.
(bordering wontfix, but I'll let other people comment on this before doing so)