=== ReadonlyWikiPolicy

Since 1.1.2, the read-only attribute of wiki pages is enabled and enforced when `ReadonlyWikiPolicy` is in the list of active permission policies. The default for new Trac installations in 1.1.2 and later is:
{{{
[trac]
permission_policies = ReadonlyWikiPolicy,
 DefaultPermissionPolicy,
 LegacyAttachmentPolicy
}}}

When upgrading from earlier versions of Trac, `ReadonlyWikiPolicy` needs to be manually added to the list.

The `ReadonlyWikiPolicy` returns `False` to deny modify, delete and rename actions on wiki pages when the page has the read-only attribute set and the user does not have `WIKI_ADMIN`, regardless of whether the user has `WIKI_MODIFY`, `WIKI_DELETE` and `WIKI_RENAME` permissions. It returns `None` for all other cases. When active, the `AuthzPolicy` should therefore come before `ReadonlyWikiPolicy`, allowing it to grant or deny the actions on individual resources, which is the usual ordering for `AuthzPolicy` in the `permission_policies` list. `ReadonlyWikiPolicy` must come before `DefaultPermissionPolicy` since the latter will return `True` for the respective actions when the user has `WIKI_MODIFY`, `WIKI_DELETE` or `WIKI_RENAME`, without consideration for the read-only attribute. The placement of `AuthzSourcePolicy` relative to `ReadonlyWikiPolicy` does not matter since they don't perform checks on the same realms.

{{{
[trac]
permission_policies = AuthzPolicy,
 ReadonlyWikiPolicy,
 DefaultPermissionPolicy,
 LegacyAttachmentPolicy
}}}

For all other permission policies, the user will need to decide the proper ordering. Generally, if the permission policy should be capable of overriding the check performed by `ReadonlyWikiPolicy`, it should come before `ReadonlyWikiPolicy` in the list. If the `ReadonlyWikiPolicy` should override the check performed by another permission policy, as is the case for `DefaultPermissionPolicy`, then `ReadonlyWikiPolicy` should come first.

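The ordering rules above can be checked with a simplified model of the policy chain, added here as an illustration and not Trac's own code: each policy returns `True`, `False` or `None`, and the first non-`None` answer decides. The pages, users and the authz rule table are constructed sample data, and the rule table is a hypothetical stand-in for an authz file.

```python
# Simplified model of a permission policy chain (illustrative, not Trac's code).
WIKI_WRITE = {"WIKI_MODIFY", "WIKI_DELETE", "WIKI_RENAME"}

def readonly_wiki_policy(user, action, page):
    """Deny write actions on read-only pages unless the user has WIKI_ADMIN."""
    if action in WIKI_WRITE and page["readonly"] and "WIKI_ADMIN" not in user["perms"]:
        return False
    return None  # no opinion in every other case

def default_permission_policy(user, action, page):
    """Allow when the user holds the permission; ignores the read-only attribute."""
    return True if action in user["perms"] else None

def make_authz_policy(rules):
    """rules: {(page name, user name): {action: True/False}} (hypothetical format)."""
    def authz_policy(user, action, page):
        return rules.get((page["name"], user["name"]), {}).get(action)
    return authz_policy

def check(policies, user, action, page):
    """Return the first non-None decision in list order; deny if none decides."""
    for policy in policies:
        decision = policy(user, action, page)
        if decision is not None:
            return decision
    return False

# Constructed sample data.
LOCKED = {"name": "ReleaseNotes", "readonly": True}
OPEN = {"name": "SandBox", "readonly": False}
EDITOR = {"name": "editor", "perms": {"WIKI_MODIFY"}}
ADMIN = {"name": "admin", "perms": {"WIKI_ADMIN", "WIKI_MODIFY"}}
AUTHZ = make_authz_policy({("ReleaseNotes", "editor"): {"WIKI_MODIFY": True}})

RECOMMENDED = [readonly_wiki_policy, default_permission_policy]
MISORDERED = [default_permission_policy, readonly_wiki_policy]
WITH_AUTHZ = [AUTHZ, readonly_wiki_policy, default_permission_policy]

if __name__ == "__main__":
    chains = [("recommended", RECOMMENDED), ("misordered", MISORDERED),
              ("authz first", WITH_AUTHZ)]
    for label, chain in chains:
        allowed = check(chain, EDITOR, "WIKI_MODIFY", LOCKED)
        print(f"{label:12} editor WIKI_MODIFY on read-only page -> {allowed}")
```

In the misordered chain the read-only attribute is silently ignored, which is the case to look for when reviewing an upgraded `trac.ini`.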