Changes between Version 4 and Version 5 of TracFineGrainedPermissions


Timestamp:
Sep 8, 2024, 12:14:12 PM (3 months ago)
Author:
trac
Comment:

--

  • TracFineGrainedPermissions

    v4 v5  
    2828* !LegacyAttachmentPolicy uses the coarse-grained permissions to check permissions on attachments.
    2929
    30 Among the optional choices, there is [#AuthzPolicy], a very generic permission policy, based on an Authz-style system. See [trac:source:branches/1.4-stable/tracopt/perm/authz_policy.py authz_policy.py] for details.
     30Among the optional choices, there is [#AuthzPolicy], a very generic permission policy, based on an Authz-style system. See
     31[trac:source:branches/1.4-stable/tracopt/perm/authz_policy.py authz_policy.py] for details.
    3132
    3233Another permission policy [#AuthzSourcePolicy], uses the [http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html path-based authorization] defined by Subversion to enforce permissions on the version control system.
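Review bot: the new break after "See" at v5 line 30 separates the sentence from its link on line 31, and that is the only change in this hunk. Keep the sentence on one line as in v4, or break before "See" so the link stays with its verb.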
     
    3637=== !AuthzPolicy
    3738==== Configuration
    38 
    39 * Put an empty conf file (`authzpolicy.conf`) in a secure location on the server, not readable by users other than the webuser. If the file contains non-ASCII characters, the UTF-8 encoding should be used.
     39* Put an empty conf file (`authzpolicy.conf`) in a secure location on the server, not readable by users other than the webuser. If the  file contains non-ASCII characters, the UTF-8 encoding should be used.
    4040* Update your `trac.ini`:
    4141  1. modify the [TracIni#trac-permission_policies-option permission_policies] option in the `[trac]` section:
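Review bot: the replacement for line 39 introduces a double space in "If the  file contains" and changes nothing else in the bullet; drop the extra space. While this line is being touched: it only requires that the file not be readable by users other than the webuser, and since the file holds the permission rules it would help to state who may write to it as well.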
     
    6161A policy will return either `True`, `False` or `None` for a given permission check. `True` is returned if the policy explicitly grants the permission. `False` is returned if the policy explicitly denies the permission. `None` is returned if the policy is unable to either grant or deny the permission.
    6262
    63 '''Note''': Only if the return value is `None` will the ''next'' permission policy be consulted. If none of the policies explicitly grants the permission, the final result will be `False`, i.e. permission denied.
     63NOTE: Only if the return value is `None` will the ''next'' permission policy be consulted. If none of the policies explicitly grants the permission, the final result will be `False`, i.e. permission denied.
    6464
    6565The `authzpolicy.conf` file is a `.ini` style configuration file:
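Review bot: line 63 now opens with a plain "NOTE:" while the note changed at line 102 in this same revision uses bold '''Note:''' inside a one-cell table; pick one convention for both. This note carries the fall-through rule (the next policy is consulted only on `None`, and the final result is `False` if nothing grants), so it should stay at least as visible as it was with the bold marker.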
     
    100100The username will match any of 'anonymous', 'authenticated', <username> or '*', using normal Trac permission rules.
    101101
    102 '''Note''': Other groups which are created by user (e.g. by 'adding subjects to groups' on web interface page //Admin / Permissions//) cannot be used. See [trac:#5648] for details about this missing feature.
     102|| '''Note:''' Other groups which are created by user (e.g. by 'adding subjects to groups' on web interface page //Admin / Permissions//) cannot be used. See [trac:#5648] for details about this missing feature. ||
    103103
    104104For example, if the `authz_file` contains:
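Review bot: the text moved into the table cell at line 102 is carried over unedited, and "created by user" and "on web interface page" read awkwardly. Since the line is being rewritten anyway, suggest "Other groups created by users (e.g. by 'adding subjects to groups' on the //Admin / Permissions// page) cannot be used."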
     
    184184
    185185==== Missing Features
    186 
    187186Although possible with the !DefaultPermissionPolicy handling (see Admin panel), fine-grained permissions still miss those grouping features (see [trac:#9573], [trac:#5648]). Patches are partially available, see authz_policy.2.patch, part of [trac:ticket:6680 #6680].
    188187
     
    200199[groups]
    201200permission_level_1 = WIKI_VIEW, TICKET_VIEW
    202 permission_level_2 = permission_level_1, WIKI_MODIFY, TICKET_MODIFY
     201permission_level_2  = permission_level_1, WIKI_MODIFY, TICKET_MODIFY
    203202[*]
    204203@team1 = permission_level_1
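Review bot: new line 201 has two spaces before `=` in `permission_level_2  = ...`, which no longer matches `permission_level_1 = ...` on the line above. This sits inside the configuration example that readers copy, so keep the spacing uniform and revert to a single space.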
     
    207206}}}
    208207
    209 === !AuthzSourcePolicy (`mod_authz_svn`-like permission policy) #AuthzSourcePolicy
     208=== !AuthzSourcePolicy  (`mod_authz_svn`-like permission policy) #AuthzSourcePolicy
    210209
    211210`AuthzSourcePolicy` can be used for restricting access to the repository. Granular permission control needs a definition file, which is the one used by Subversion's `mod_authz_svn`.
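Review bot: the heading at line 208 gains a second space between `!AuthzSourcePolicy` and the opening parenthesis, with no other change; remove it. The explicit `#AuthzSourcePolicy` anchor is untouched, so links to the section are unaffected either way.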
     
    320319
    321320== Debugging permissions
    322 
    323321In trac.ini set:
    324322{{{#!ini