Edgewall Software

Version 5 (modified by Alec Thomas, 17 years ago) ( diff )

Updated a bit for trunk merge.

  1. Security Sandbox
    1. 1000 ' View
    2. API
    3. Testing the features

Security Sandbox

This branch has been integrated into trunk as of r5514.

This sandbox aims at adding a finer grained control for the TracPermissions system.

The permission policy system has been rewritten on top of the Context objects.

The Wiki system, a significant part of the Ticket system and the attachment subsystem are now using the new permission policy engine.

1000 ' View

  • Add an interface (IPermissionPolicy) for checking a users permission to access Trac resources.
  • Convert the current permission system to a plugin (DefaultPermissionPolicy).
  • Modify PermissionCache to cache the fine-grained policy check results (still needs some cleanup).
  • Convert each module to use fine-grained permissions (only the Wiki module has been converted so far).
  • API is backwards compatible.
  • Security policies can be "stacked".

API

class IPermissionPolicy(Interface):
    """A security policy provider."""
    def check_permission(username, action, context):
        """Check that username can perform action in context.

        Must return True if action is allowed, False if action is denied, or
        None if indifferent."""

Testing the features

An example policy based on an Authz-style system has been added. See trunk/sample-plugins/authz_policy.py for details.

  • Install ConfigObj (required).
  • Copy this file in your plugins directory
  • Plonk a authzpolicy.conf file somewhere.
  • Update your trac.ini: 
    [trac]
...
permission_policies = AuthzPolicy, DefaultPermissionPolicy

[authz_policy]
authz_file = /some/trac/env/conf/authzpolicy.conf

[components]
...
authz_policy = enabled
  • Finally, restart your web server.

Note that the order in which permission policies are specified is quite critical, as policies will be examined in the sequence provided.

A policy will return either True, False or None for a given permission check. Only if the return value is None will the next permission policy be consulted. If no policy explicitly grants the permission, the final result will be False (i.e. no permission).

For example, if the authz_file contains: 

[wiki:WikiStart@*]
* = VIEW

[wiki:PrivatePage@*]
john = VIEW
* =

and the default permissions are set like this: 

john           WIKI_VIEW
jack           WIKI_VIEW
# anonymous has no WIKI_VIEW

Then:

  • All versions of WikiStart will be viewable by everybody (including anonymous)
  • PrivatePage will be viewable only by john
  • other pages will be viewable only by john and jack

See also: WikiContext

Note: See TracWiki for help on using the wiki.