Opened 9 years ago

Last modified 5 years ago

#9355 new defect

authzpolicy FineGrainedPermissions: configuration file order matters, but more/less specific patterns don't

Reported by: ch.lange@…
Owned by:
Priority: normal
Milestone: unscheduled
Component: web frontend
Version: 0.11.6
Severity: normal
Keywords: permissions authzpolicy authz configuration
Cc: Ryan J Ollos
Branch:
Release Notes:
API Changes:

Description

When using FineGrainedPermissions and authzpolicy, we had the following configuration:

[groups]
group = user

[wiki:Page*] # the page and all subpages
@group = WIKI_VIEW

[wiki:Page/SpecificSubpage] # a specific subpage
@group = WIKI_VIEW, WIKI_MODIFY

The intention was that the given user group should be allowed to edit the specific subpage, but only view the Page and its other subpages.

However, the user was not able to edit Page/SpecificSubpage.

Reversing the order of both entries helps.

Although the Subversion authz documentation says that "the most specific path always matches first", Trac's implementation of authz apparently takes the first pattern that matches.

Attachments (0)

Change History (3)

comment:1 by Christian Boos, 9 years ago

Milestone: unscheduled

> Although the Subversion authz documentation says that "the most specific path always matches first", Trac's implementation of authz apparently takes the first pattern that matches.

Those are two different things.

On the one hand you have the Subversion authz conventions that we try to apply to Subversion repositories (see SvnAuthz); on the other hand we have something similar (AuthzPolicy) that we apply to all Trac resources. We never said that our authz policy should behave like the Subversion authz.

Trying to apply the most specific rules regardless of the order would be significantly harder to do than what we currently do.

(bordering wontfix, but I'll let other people comment on this before doing so)
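
The two evaluation orders discussed in this ticket, as an added example that is not part of the ticket and not Trac's code: a simplified model of one group's rules that compares first-match-in-file-order with a "most specific wins" rule and lints a first-match file for sections hidden behind an earlier, broader glob. The function names, the longest-literal-prefix definition of "most specific" and the bare resource strings are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed rules for one group, in file order, mirroring the ticket.
RULES = [
    ("wiki:Page*", {"WIKI_VIEW"}),
    ("wiki:Page/SpecificSubpage", {"WIKI_VIEW", "WIKI_MODIFY"}),
]

def first_match(rules, resource, action):
    """File-order evaluation: the first section whose glob matches decides."""
    for pattern, perms in rules:
        if fnmatchcase(resource, pattern):
            return action in perms
    return False  # no section matched: nothing granted

def literal_prefix_len(pattern):
    """Number of characters before the first glob metacharacter."""
    for i, ch in enumerate(pattern):
        if ch in "*?[":
            return i
    return len(pattern)

def most_specific(rules, resource, action):
    """Assumed alternative: the matching glob with the longest literal
    prefix decides; ties fall back to file order."""
    matching = [r for r in rules if fnmatchcase(resource, r[0])]
    if not matching:
        return False
    _, perms = max(matching, key=lambda r: literal_prefix_len(r[0]))
    return action in perms

def shadowed(rules):
    """Lint for first-match files: list (earlier, later) section pairs where
    the earlier glob matches the later section's name. Exact when the later
    name is literal; a review hint when it contains wildcards itself."""
    return [(early, late)
            for i, (late, _) in enumerate(rules)
            for early, _ in rules[:i]
            if fnmatchcase(late, early)]

if __name__ == "__main__":
    target = "wiki:Page/SpecificSubpage"
    print("as filed:     ", first_match(RULES, target, "WIKI_MODIFY"))
    print("reordered:    ", first_match(RULES[::-1], target, "WIKI_MODIFY"))
    print("most specific:", most_specific(RULES, target, "WIKI_MODIFY"))
    print("shadowed:     ", shadowed(RULES))
```

Running a check like `shadowed` over a policy file before deploying it catches the ordering mistake in both directions: a hidden grant, as in this ticket, and a hidden restriction that a broader earlier section silently overrides.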

comment:2 by Ryan J Ollos <ryano@…>, 9 years ago

Cc: ryano@… added

comment:4 by Ryan J Ollos, 5 years ago

Cc: Ryan J Ollos added; ryano@… removed
