Edgewall Software

Changes between Version 6 and Version 7 of 1.3/TracFineGrainedPermissions


Timestamp:
Oct 15, 2019, 6:28:03 AM (8 weeks ago)
Author:
trac
Comment:

  • 1.3/TracFineGrainedPermissions

    v6 v7  
    1111== Permission Policies
    1212
    13 A great diversity of permission policies can be implemented and Trac comes with a few examples. 
     13A great diversity of permission policies can be implemented and Trac comes with a few examples.
    1414
    1515The active policies are determined by a [TracIni#trac-permission_policies-option configuration setting]:
     
    2929
    3030Among the optional choices, there is [#AuthzPolicy], a very generic permission policy, based on an Authz-style system. See
    31 [trac:source:branches/1.4-stable/tracopt/perm/authz_policy.py authz_policy.py] for details. 
     31[trac:source:branches/1.4-stable/tracopt/perm/authz_policy.py authz_policy.py] for details.
    3232
    3333Another permission policy [#AuthzSourcePolicy], uses the [http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html path-based authorization] defined by Subversion to enforce permissions on the version control system.
     
    9494* Sections are checked against the current Trac resource descriptor '''IN ORDER''' of appearance in the configuration file. '''ORDER IS CRITICAL'''.
    9595
    96 * Once a section matches, the current username is matched against the keys (usernames) of the section, '''IN ORDER'''. 
    97   * If a key (username) is prefixed with a `@`, it is treated as a group. 
     96* Once a section matches, the current username is matched against the keys (usernames) of the section, '''IN ORDER'''.
     97  * If a key (username) is prefixed with a `@`, it is treated as a group.
    9898  * If a value (permission) is prefixed with a `!`, the permission is denied rather than granted.
    9999
     
    118118}}}
    119119
    120 Then: 
     120Then:
    121121  * All versions of WikiStart will be viewable by everybody, including anonymous
    122122  * !PrivatePage will be viewable only by john
     
    172172john = BROWSER_VIEW, FILE_VIEW
    173173
    174 # John has BROWSER_VIEW and FILE_VIEW access to all revisions of 'somefile' at trunk/src/some/location only 
     174# John has BROWSER_VIEW and FILE_VIEW access to all revisions of 'somefile' at trunk/src/some/location only
    175175[repository:test_repo@*/source:trunk/src/some/location/somefile@*]
    176176john = BROWSER_VIEW, FILE_VIEW
     
    208208=== !AuthzSourcePolicy  (`mod_authz_svn`-like permission policy) #AuthzSourcePolicy
    209209
    210 `AuthzSourcePolicy` can be used for restricting access to the repository. Granular permission control needs a definition file, which is the one used by Subversion's `mod_authz_svn`. 
     210`AuthzSourcePolicy` can be used for restricting access to the repository. Granular permission control needs a definition file, which is the one used by Subversion's `mod_authz_svn`.
    211211More information about this file format and about its usage in Subversion is available in the [http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html Path-Based Authorization] section in the Server Configuration chapter of the svn book.
    212212
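Review bot: the Path-Based Authorization link on line 211 of this hunk points at the en/1.7 edition of the svn book, while the link for the same topic on line 33 of the page points at the nightly edition. Since `mod_authz_svn` rules are what enforce repository access here, both references should name the same edition, so that readers writing the authz file work from one description of the format.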
     
    251251...
    252252[repositories]
    253 somemodule.dir = /srv/active/svn/somemodule 
     253somemodule.dir = /srv/active/svn/somemodule
    254254}}}
    255255
    256256where the svn access file, {{{/path/to/svnaccessfile}}}, contains entries such as {{{[somemodule:/some/path]}}}.
    257257
    258 '''Note:''' Usernames inside the Authz file __must__ be the same as those used inside trac. 
     258'''Note:''' Usernames inside the Authz file __must__ be the same as those used inside trac.
    259259
    260260Make sure you have ''!AuthzSourcePolicy'' included in the permission_policies list in trac.ini, otherwise the authz permissions file will be ignored.
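Review bot: new line 258 is touched only to strip trailing whitespace and still writes "trac" in lower case, where the rest of the page writes "Trac"; capitalise it in the same edit. Line 260 also deserves the '''Note:''' emphasis that line 258 has: it says that without ''!AuthzSourcePolicy'' in permission_policies the authz file is ignored, which means the restrictions an administrator wrote into that file are not applied, and the plain sentence is easy to miss.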