Changes between Version 3 and Version 4 of 1.3/TracFineGrainedPermissions
Timestamp: Sep 9, 2017, 11:02:52 PM
1.3/TracFineGrainedPermissions
@@ -5,5 +5,7 @@
 There is a general mechanism in place that allows custom **permission policies** to grant or deny any action on any Trac resource, or even specific versions of a resource.
 
-That mechanism is `authz_policy`, which is an optional module in `tracopt.perm.authz_policy.*`, so it is installed by default. It can be activated via the //Plugins// panel in the Trac administration module.
+That mechanism is `AuthzPolicy`, an optional component in `tracopt.perm.authz_policy.*` which is not activated by default. It can be activated via the //Plugins// panel in the Trac administration module.
+
+See TracPermissions for a more general introduction to Trac permissions and permission policies.
 
 == Permission Policies
@@ -22,5 +24,5 @@
 
 * [#DefaultWikiPolicyandDefaultTicketPolicy DefaultWikiPolicy] controls readonly access to wiki pages.
-* [#DefaultWikiPolicyandDefaultTicketPolicy DefaultTicketPolicy] provides some elevated privileges in the ticket system.
+* [#DefaultWikiPolicyandDefaultTicketPolicy DefaultTicketPolicy] provides elevated privileges in the ticket system for authenticated users.
 * !DefaultPermissionPolicy checks for the traditional coarse-grained permissions described in TracPermissions.
 * !LegacyAttachmentPolicy uses the coarse-grained permissions to check permissions on attachments.
@@ -35,7 +37,7 @@
 === !AuthzPolicy
 ==== Configuration
-* Put a [http://swapoff.org/files/authzpolicy.conf conf] file in a secure location on the server, not readable by users other than the webuser. If the file contains non-ASCII characters, the UTF-8 encoding should be used.
+* Put an empty conf file (`authzpolicy.conf`) in a secure location on the server, not readable by users other than the webuser. If the file contains non-ASCII characters, the UTF-8 encoding should be used.
 * Update your `trac.ini`:
-  1. modify the [TracIni#trac-section permission_policies] entry in the `[trac]` section:
+  1. modify the [TracIni#trac-permission_policies-option permission_policies] option in the `[trac]` section:
 {{{#!ini
 [trac]
@@ -96,5 +98,7 @@
 * If a value (permission) is prefixed with a `!`, the permission is denied rather than granted.
 
-The username will match any of 'anonymous', 'authenticated', <username> or '*', using normal Trac permission rules. || '''Note:''' Other groups which are created by user (e.g. by 'adding subjects to groups' on web interface page //Admin / Permissions//) cannot be used. See [trac:ticket:5648 #5648] for details about this missing feature. ||
+The username will match any of 'anonymous', 'authenticated', <username> or '*', using normal Trac permission rules.
+
+|| '''Note:''' Other groups which are created by user (e.g. by 'adding subjects to groups' on web interface page //Admin / Permissions//) cannot be used. See [trac:#5648] for details about this missing feature. ||
 
 For example, if the `authz_file` contains:
@@ -180,5 +184,5 @@
 
 ==== Missing Features
-Although possible with the !DefaultPermissionPolicy handling (see Admin panel), fine-grained permissions still miss those grouping features (see [trac:ticket:9573 #9573], [trac:ticket:5648 #5648]). Patches are partially available, see authz_policy.2.patch, part of [trac:ticket:6680 #6680].
+Although possible with the !DefaultPermissionPolicy handling (see Admin panel), fine-grained permissions still miss those grouping features (see [trac:#9573], [trac:#5648]). Patches are partially available, see authz_policy.2.patch, part of [trac:ticket:6680 #6680].
 
 You cannot do the following:
@@ -202,7 +206,7 @@
 }}}
 
-=== !AuthzSourcePolicy (mod_authz_svn-like permission policy) #AuthzSourcePolicy
-
-`AuthzSourcePolicy` can be used for restricting access to the repository. Granular permission control needs a definition file, which is the one used by Subversion's mod_authz_svn.
+=== !AuthzSourcePolicy (`mod_authz_svn`-like permission policy) #AuthzSourcePolicy
+
+`AuthzSourcePolicy` can be used for restricting access to the repository. Granular permission control needs a definition file, which is the one used by Subversion's `mod_authz_svn`.
 More information about this file format and about its usage in Subversion is available in the [http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html Path-Based Authorization] section in the Server Configuration chapter of the svn book.
 
@@ -254,5 +258,5 @@
 '''Note:''' Usernames inside the Authz file __must__ be the same as those used inside trac.
 
-As of version 0.12, make sure you have ''!AuthzSourcePolicy'' included in the permission_policies list in trac.ini, otherwise the authz permissions file will be ignored.
+Make sure you have ''!AuthzSourcePolicy'' included in the permission_policies list in trac.ini, otherwise the authz permissions file will be ignored.
 
 {{{#!ini
@@ -279,5 +283,5 @@
 
 Since 1.1.2, the read-only attribute of wiki pages is enabled and enforced when `DefaultWikiPolicy` is in the list of active permission policies (`DefaultWikiPolicy` was named `ReadonlyWikiPolicy` from Trac 1.1.2 to 1.3.1). The default for new Trac installations in 1.3.2 and later is:
-{{{
+{{{#!ini
 [trac]
 permission_policies = DefaultWikiPolicy,
@@ -301,5 +305,5 @@
 
 When active, the [#AuthzPolicy] should therefore come before `DefaultWikiPolicy, DefaultTicketPolicy`, allowing it to grant or deny the actions on individual resources, which is the usual ordering for `AuthzPolicy` in the `permission_policies` list.
-{{{
+{{{#!ini
 [trac]
 permission_policies = AuthzPolicy,
@@ -332,3 +336,3 @@
 ----
 See also: TracPermissions,
-[http://trac-hacks.org/wiki/FineGrainedPageAuthzEditorPlugin TracHacks:FineGrainedPageAuthzEditorPlugin] for a simple editor plugin.
+[http://trac-hacks.org/wiki/FineGrainedPageAuthzEditorPlugin FineGrainedPageAuthzEditorPlugin] for a simple editor.
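Review bot: in the first hunk (lines 5-11 of v4), the rewritten sentence "which is not activated by default. It can be activated via the //Plugins// panel" describes only half of what makes the policy effective: the later hunks on `permission_policies` and on ordering before `DefaultWikiPolicy, DefaultTicketPolicy` show that the component must also be listed, first, in the `[trac]` `permission_policies` option. Suggest saying so here, e.g. "It can be activated via the //Plugins// panel and must additionally be listed first in `permission_policies` in `trac.ini` (see below)", so that a reader who stops after enabling the plugin does not assume the fine-grained rules are enforced.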
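Review bot: in the Configuration hunk (v4 line 39), "not readable by users other than the webuser" states the requirement without saying how to meet or verify it, and this file decides who may read or change resources. Suggest a concrete command beside the bullet, e.g. `chown www-data:www-data authzpolicy.conf && chmod 600 authzpolicy.conf` with the real web server account substituted, plus a reminder to re-check the mode after editing the file with an editor that rewrites it. "Put an empty conf file" is a fine starting point, but the bullet should then point at the section format described further down, otherwise the reader is left with an empty policy and no pointer to what goes in it.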
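Review bot: in the hunk at v4 lines 100-102, splitting the group limitation into its own table row is an improvement, but the row now stands alone and "Other groups" has lost its referent; suggest opening it with what it means ("Groups created under //Admin / Permissions//, i.e. anything other than the built-in 'anonymous' and 'authenticated' subjects, cannot be referenced in the `authz_file`"). It would also help to state next to the `!` deny rule that a `*` entry matches anonymous visitors as well as logged-in users, since `*` combined with a grant is the entry most likely to expose a resource unintentionally.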
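Review bot: in the AuthzSourcePolicy hunk (v4 line 260), dropping "As of version 0.12" is right for a 1.3 page, but the failure mode in "otherwise the authz permissions file will be ignored" deserves a louder warning: nothing refuses to start, the repository is simply browsable as if no authz file existed. Suggest adding a verification step after the `trac.ini` snippet, e.g. browse the source as a user the authz file denies and confirm the path is hidden, before relying on the restriction.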
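Review bot: in the hunk at v4 lines 305-309, the `{{{#!ini` tag is the right fix, but the sentence above it ("should therefore come before ... which is the usual ordering") presents list order as convention rather than as the mechanism that makes `AuthzPolicy` effective: the policies in `permission_policies` are consulted in list order and the first one to return a decision wins, so an `AuthzPolicy` placed after `DefaultWikiPolicy, DefaultTicketPolicy` can be pre-empted by them and never consulted for the resources it is meant to restrict. Suggest stating that in the prose, since a wrong order silently weakens the fine-grained rules.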