Edgewall Software

Changes between Version 3 and Version 4 of 1.3/TracFineGrainedPermissions


Timestamp: Sep 9, 2017, 11:02:52 PM (2 years ago)
Author: Ryan J Ollos
Comment: Minor edits.

  • 1.3/TracFineGrainedPermissions

    v3 v4  
    55There is a general mechanism in place that allows custom **permission policies** to grant or deny any action on any Trac resource, or even specific versions of a resource.
    66
    7 That mechanism is `authz_policy`, which is an optional module in `tracopt.perm.authz_policy.*`, so it is installed by default. It can be activated via the //Plugins// panel in the Trac administration module.
     7That mechanism is `AuthzPolicy`, an optional component in `tracopt.perm.authz_policy.*` which is not activated by default. It can be activated via the //Plugins// panel in the Trac administration module.
     8
     9See TracPermissions for a more general introduction to Trac permissions and permission policies.
    810
    911== Permission Policies
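Review bot: New line 7 says `AuthzPolicy` is "not activated by default" but drops the old statement that it is installed with Trac, so a reader cannot tell whether a separate install is needed before the //Plugins// panel step. Suggest wording such as "an optional component in `tracopt.perm.authz_policy.*` that ships with Trac but is not enabled by default".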
     
    2224
    2325* [#DefaultWikiPolicyandDefaultTicketPolicy DefaultWikiPolicy] controls readonly access to wiki pages.
    24 * [#DefaultWikiPolicyandDefaultTicketPolicy DefaultTicketPolicy] provides some elevated privileges in the ticket system.
     26* [#DefaultWikiPolicyandDefaultTicketPolicy DefaultTicketPolicy] provides elevated privileges in the ticket system for authenticated users.
    2527* !DefaultPermissionPolicy checks for the traditional coarse-grained permissions described in TracPermissions.
    2628* !LegacyAttachmentPolicy uses the coarse-grained permissions to check permissions on attachments.
     
    3537=== !AuthzPolicy
    3638==== Configuration
    37 * Put a [http://swapoff.org/files/authzpolicy.conf conf] file in a secure location on the server, not readable by users other than the webuser. If the  file contains non-ASCII characters, the UTF-8 encoding should be used.
     39* Put an empty conf file (`authzpolicy.conf`) in a secure location on the server, not readable by users other than the webuser. If the  file contains non-ASCII characters, the UTF-8 encoding should be used.
    3840* Update your `trac.ini`:
    39   1. modify the [TracIni#trac-section permission_policies] entry in the `[trac]` section:
     41  1. modify the [TracIni#trac-permission_policies-option permission_policies] option in the `[trac]` section:
    4042{{{#!ini
    4143[trac]
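Review bot: On new line 39, "a secure location on the server, not readable by users other than the webuser" leaves both "secure location" and "webuser" undefined, and this is the step that protects the policy file. Suggest stating that the file should be owned by the account the web server runs as, readable by that account only, and kept outside any directory the web server serves. The line also still carries the double space in "If the  file".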
     
    9698  * If a value (permission) is prefixed with a `!`, the permission is denied rather than granted.
    9799
    98 The username will match any of 'anonymous', 'authenticated', <username> or '*', using normal Trac permission rules. || '''Note:''' Other groups which are created by user (e.g. by 'adding subjects to groups' on web interface page //Admin / Permissions//) cannot be used. See [trac:ticket:5648 #5648] for details about this missing feature. ||
     100The username will match any of 'anonymous', 'authenticated', <username> or '*', using normal Trac permission rules.
     101
     102|| '''Note:''' Other groups which are created by user (e.g. by 'adding subjects to groups' on web interface page //Admin / Permissions//) cannot be used. See [trac:#5648] for details about this missing feature. ||
    99103
    100104For example, if the `authz_file` contains:
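Review bot: The note on new line 102 still reads "created by user" (should be "created by users") and only says such groups "cannot be used", without saying what happens to a rule that names one. Since this line is being rewritten anyway, suggest stating the consequence for a rule keyed on a group defined in //Admin / Permissions//, so an administrator does not assume the rule is being enforced.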
     
    180184
    181185==== Missing Features
    182 Although possible with the !DefaultPermissionPolicy handling (see Admin panel), fine-grained permissions still miss those grouping features (see [trac:ticket:9573 #9573], [trac:ticket:5648 #5648]). Patches are partially available, see authz_policy.2.patch, part of [trac:ticket:6680 #6680].
     186Although possible with the !DefaultPermissionPolicy handling (see Admin panel), fine-grained permissions still miss those grouping features (see [trac:#9573], [trac:#5648]). Patches are partially available, see authz_policy.2.patch, part of [trac:ticket:6680 #6680].
    183187
    184188You cannot do the following:
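Review bot: New line 186 mixes two ticket link styles: "[trac:#9573], [trac:#5648]" were shortened but "[trac:ticket:6680 #6680]" on the same line was left in the old form. Suggest converting it to "[trac:#6680]" so the paragraph is consistent with the change made in the note on line 102.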
     
    202206}}}
    203207
    204 === !AuthzSourcePolicy  (mod_authz_svn-like permission policy) #AuthzSourcePolicy
    205 
    206 `AuthzSourcePolicy` can be used for restricting access to the repository. Granular permission control needs a definition file, which is the one used by Subversion's mod_authz_svn.
     208=== !AuthzSourcePolicy  (`mod_authz_svn`-like permission policy) #AuthzSourcePolicy
     209
     210`AuthzSourcePolicy` can be used for restricting access to the repository. Granular permission control needs a definition file, which is the one used by Subversion's `mod_authz_svn`.
    207211More information about this file format and about its usage in Subversion is available in the [http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html Path-Based Authorization] section in the Server Configuration chapter of the svn book.
    208212
     
    254258'''Note:''' Usernames inside the Authz file __must__ be the same as those used inside trac.
    255259
    256 As of version 0.12, make sure you have ''!AuthzSourcePolicy'' included in the permission_policies list in trac.ini, otherwise the authz permissions file will be ignored.
     260Make sure you have ''!AuthzSourcePolicy'' included in the permission_policies list in trac.ini, otherwise the authz permissions file will be ignored.
    257261
    258262{{{#!ini
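Review bot: New line 260 describes a misconfiguration in which the restrictions in the authz file are not applied ("otherwise the authz permissions file will be ignored"), yet it reads as ordinary running text. Suggest marking it with '''Note:''' like line 258 above it, and putting `permission_policies` and `trac.ini` in backticks to match the backticks this change adds for `mod_authz_svn`.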
     
    279283
    280284Since 1.1.2, the read-only attribute of wiki pages is enabled and enforced when `DefaultWikiPolicy` is in the list of active permission policies (`DefaultWikiPolicy` was named `ReadonlyWikiPolicy` from Trac 1.1.2 to 1.3.1). The default for new Trac installations in 1.3.2 and later is:
    281 {{{
     285{{{#!ini
    282286[trac]
    283287permission_policies = DefaultWikiPolicy,
     
    301305
    302306When active, the [#AuthzPolicy] should therefore come before `DefaultWikiPolicy, DefaultTicketPolicy`, allowing it to grant or deny the actions on individual resources, which is the usual ordering for `AuthzPolicy` in the `permission_policies` list.
    303 {{{
     307{{{#!ini
    304308[trac]
    305309permission_policies = AuthzPolicy,
     
    332336----
    333337See also: TracPermissions,
    334 [http://trac-hacks.org/wiki/FineGrainedPageAuthzEditorPlugin TracHacks:FineGrainedPageAuthzEditorPlugin] for a simple editor plugin.
     338[http://trac-hacks.org/wiki/FineGrainedPageAuthzEditorPlugin FineGrainedPageAuthzEditorPlugin] for a simple editor.