Changes between Version 1 and Version 2 of TracDev/SecurityBranch

Timestamp:

May 20, 2007, 12:13:15 PM (17 years ago)

Author:

Alec Thomas

Comment:

More notes about the new policy system.

TracDev/SecurityBranch

@@ -14 +14 @@
  * See [diff:trunk//sandbox/pycon/security differences] for Trac [milestone:0.11]dev
  * See [diff:trunk@3353//sandbox/pycon/security@3354 patch] for Trac [milestone:0.10]dev (initial implementation)
+
+== 1000 ' View ==
+
+ * Add an interface (`IPermissionPolicy`) for checking a users permission to access [WikiContext Trac resources].
+ * Convert the current permission system to a plugin (`DefaultPermissionPolicy`).
+ * Modify `PermissionCache` to cache the fine-grained policy check results (still needs some cleanup).
+ * Convert each module to use fine-grained permissions (only the Wiki module has been converted so far).
+ * API is backwards compatible.
+ * Security policies can be "stacked".
+
+== API ==
+
+{{{
+#!python
+class IPermissionPolicy(Interface):
+    """A security policy provider."""
+    def check_permission(req, username, action, context):
+        """Check that username can perform action in context.
+
+        Must return True if action is allowed, False if action is denied, or
+        None if indifferent.
+
+        NOTE: req is passed in addition to context, as context is likely to be
+        refactored to remove this."""
+}}}
 
 == Testing the features ==