Edgewall Software
Home
Trac
Trac Hacks
Genshi
Babel
Bitten
Home
Download
Documentation
Mailing Lists
License
FAQ
Search:
Login
Preferences
Help/Guide
About Trac
Wiki
Timeline
Roadmap
Browse Source
View Tickets
New Ticket
Search
Context Navigation
-1
Start Page
Index
History
Editing TracDev/PluginDevelopment/ExtensionPoints/trac.perm.IPermissionPolicy
Adjust edit area height:
8
12
16
20
24
28
32
36
40
Edit side-by-side
== Extension Point : ''IPermissionPolicy'' == ||'''Interface'''||''IPermissionPolicy''||'''Since'''||0.11|| ||'''Module'''||''trac.perm''||'''Source'''||[source:trunk/trac/perm.py#L114 perm.py]|| The ''IPermissionPolicy'' implementations define policies for how to check for (fine grained) permissions. == Purpose == The TracPermissions system defines coarse permissions to control which users have access to which modules. TracFineGrainedPermissions introduced more fine grained control over permissions for individual resources. The IPermissionPolicy interface is used to implement this new system, re-implement the legacy behavior and allow plugins to extend the permission policies. == Usage == Implementing the interface follows the standard guidelines found in [wiki:TracDev/ComponentArchitecture] and of course [wiki:TracDev/PluginDevelopment]. Only the ''permission_policies'' configured in [wiki:TracIni#trac-section trac.ini] will be used (in that order). The policy is called for each action on a resource by a user. It can explicitly allow or deny that action, or abstain to defer the check to the next policy in the chain. (Note: It is first also called without a specific resource for a coarse realm permission check. See API Reference for details.) == Examples == See [#DebugPolicy], [#PublicWikiPolicy], [#SecurityTicketsPolicy] * [http://thread.gmane.org/gmane.comp.version-control.subversion.trac.devel/393/focus=401 Mailing list post] with an example IPermissionPolicy implementation that blocks access to ticket 666. Here an updated version: {{{ #!python from trac.core import * from trac.perm import IPermissionPolicy class Deny666(Component): implements(IPermissionPolicy) def check_permission(self, action, username, resource, perm): if resource is not None and resource.realm == 'ticket' and \ resource.id == 666: self.log.info("This is the Devil's work") return False }}} * Another [http://thread.gmane.org/gmane.comp.version-control.subversion.trac.devel/393/focus=402 mailing list post] with an example IPermissionPolicy implementation based on [h:TagsPlugin]. (Adding a tag 'john:view' on a wiki page or ticket would allow the user 'john' to WIKI_VIEW or TICKET_VIEW that resource. Adding a tag 'john:-view' would disallow it.) Here an updated version: {{{ #!python from trac.core import * from trac.perm import IPermissionPolicy class TagPolicy(Component): """ Security policy based on tags. """ implements(IPermissionPolicy) def check_permission(self, action, username, resource, perm): if resource is None: return None if action.startswith('WIKI_') or action.startswith('TICKET_'): from tractags.api import TagSystem class FakeRequest(object): def __init__(self, perm): self.perm = perm req = FakeRequest(perm) tags = TagSystem().get_tags(req, resource) permission = action.lower().split('_')[1] ptag = ':'.join((username, permission)) if ptag in tags: return True nptag = ':-'.join((username, permission)) if nptag in tags: return False }}} == Available Implementations == === [source:trunk/trac/perm.py#L249 trac.perm.DefaultPermissionPolicy] === #DefaultPermissionPolicy Reimplements the pre-0.11 behavior which checks for the traditional coarse grained style permissions described in TracPermissions. === [source:trunk/trac/attachment.py#L894 trac.attachment.LegacyAttachmentPolicy] === #LegacyAttachmentPolicy Reimplements the legacy coarse grained permissions checks for attachments, by mapping ATTACHMENT_* permissions to realm specific ones. Allows other plugins to participate in this by implementing [wiki:TracDev/PluginDevelopment/ExtensionPoints/trac.attachment.ILegacyAttachmentPolicyDelegate ILegacyAttachmentPolicyDelegate]. === [source:trunk/tracopt/perm/authz_policy.py#L33 tracopt.perm.authz_policy.AuthzPolicy] === #AuthzPolicy See [wiki:TracFineGrainedPermissions#AuthzPolicy TracFineGrainedPermissions] === [source:trunk/trac/versioncontrol/svn_authz.py#L111 trac.versioncontrol.svn_authz.AuthzSourcePolicy] === #AuthzSourcePolicy See [wiki:TracFineGrainedPermissions#AuthzSourcePolicy TracFineGrainedPermissions] === [source:trunk/sample-plugins/permissions/debug_perm.py#L8 sample-plugins.permissions.debug_perm.DebugPolicy] === #DebugPolicy A sample plugin that is only useful for Trac Development. It verifies the well-formedness of the permission checks. === [source:trunk/sample-plugins/permissions/public_wiki_policy.py#L10 sample-plugins.permissions.public_wiki_policy.PublicWikiPolicy] === #PublicWikiPolicy A sample plugin that allows public access to some wiki pages, illustrating how to check permission on realms. === [source:trunk/sample-plugins/permissions/vulnerability_tickets.py#L7 sample-plugins.permissions.vulnerability_tickets.SecurityTicketsPolicy] === #SecurityTicketsPolicy A sample plugin that prevents public access to security sensitive tickets. == Additional Information and References == * [http://www.edgewall.org/docs/trac-trunk/html/api/trac_perm.html#trac.perm.IPermissionPolicy API Reference] * See [wiki:TracDev/PluginDevelopment/ExtensionPoints/trac.perm.IPermissionStore IPermissionStore], [wiki:TracDev/PluginDevelopment/ExtensionPoints/trac.perm.IPermissionRequestor IPermissionRequestor] * Related tickets: [query:status!=closed&keywords~=permission permission in keywords]
Note:
See
WikiFormatting
and
TracWiki
for help on editing wiki content.
Change information
Your email or username:
E-mail address and name can be saved in the
Preferences
Comment about this change (optional):
Note:
See
TracWiki
for help on using the wiki.