ReadonlyWikiPolicy

A permission policy added in Trac 1.1.2 which enables and enforces the read-only attribute on wiki pages.

Earlier versions of Trac had a defect in which the read-only attribute would not be checked when adding attachments to wiki pages, allowing users with WIKI_MODIFY to add attachments to read-only wiki pages rather than enforcing the requirement of WIKI_ADMIN. In #11244, the ReadonlyWikiPolicy was added, which unequivocally requires WIKI_ADMIN for modifying, deleting or renaming of read-only pages (and adding an attachment requires permission to modify the page). Enforcing the read-only attribute through a permission policy additionally allows a custom permission policy to be written for enforcing the read-only attribute.

For new Trac installations in 1.1.2 and later, ReadonlyWikiPolicy is enabled by default. When upgrading from earlier versions, ReadonlyWikiPolicy will be added to the list of permissions policies when upgrading the environment if permissions_policies has the default value DefaultPermissionPolicy, LegacyAttachmentPolicy. If permissions_policies has some other value, then the TracIni configuration file needs to be edited to add ReadonlyWikiPolicy to the list of permission_policies. A message will be echoed to the console when upgrading the environment, indicating if any action needs to be taken. ReadonlyWikiPolicy should be placed before DefaultPermissionPolicy, LegacyAttachmentPolicy.

[trac]
permission_policies = ReadonlyWikiPolicy,
 DefaultPermissionPolicy,
 LegacyAttachmentPolicy

When additional permission policies are active, care will need to be taken to ensure the proper ordering. See TracFineGrainedPermissions#ReadonlyWikiPolicy for more details.