Changes between Version 1 and Version 2 of TracFineGrainedPermissions


Ignore:
Timestamp:
Jun 30, 2013, 10:51:14 AM (11 years ago)
Author:
trac
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • TracFineGrainedPermissions

    v1 v2  
     1[[PageOutline(2-5, Contents, floated)]]
    12= Fine grained permissions =
    23
     
    3132==== Configuration ====
    3233* Install [http://www.voidspace.org.uk/python/configobj.html ConfigObj] (still needed for 0.12).
    33 * Copy authz_policy.py into your plugins directory.
     34* Copy authz_policy.py into your plugins directory (only for Trac 0.11).
    3435* Put a [http://swapoff.org/files/authzpolicy.conf authzpolicy.conf] file somewhere, preferably on a secured location on the server, not readable for others than the webuser. If the  file contains non-ASCII characters, the UTF-8 encoding should be used.
    3536* Update your `trac.ini`:
     
    4041permission_policies = AuthzPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
    4142}}}
    42   2. add a new `[authz_policy]` section
     43  1. add a new `[authz_policy]` section
    4344{{{
    4445[authz_policy]
    4546authz_file = /some/trac/env/conf/authzpolicy.conf
    4647}}}
    47   3. enable the single file plugin
     48  1. enable the plugin through [/admin/general/plugin WebAdmin] or by editing the `[components]` section
    4849{{{
    4950[components]
     
    5455#authz_policy.* = enabled
    5556}}}
     57
     58
    5659==== Usage Notes ====
    5760Note that the order in which permission policies are specified is quite critical,
     
    107110    denied rather than granted.
    108111
    109   The username will match any of 'anonymous',
    110   'authenticated', <username> or '*', using normal Trac permission rules.
     112  The username will match any of 'anonymous', 'authenticated', <username> or '*', using normal Trac permission rules. || '''Note:''' Other groups which are created by user (e.g. by 'adding subjects to groups' on web interface page //Admin / Permissions//) cannot be used. See [trac:ticket:5648 #5648] for details about this missing feature ||
    111113
    112114For example, if the `authz_file` contains:
     
    190192
    191193
     194==== Missing Features ====
     195Although possible with the !DefaultPermissionPolicy handling (see Admin panel), fine-grained permissions still miss those grouping features (see [trac:ticket:9573 #9573], [trac:ticket:5648 #5648]). Patches are partially available, see forgotten authz_policy.2.patch  part of [trac:ticket:6680 #6680]).
     196
     197You cannot do the following:
     198{{{
     199[groups]
     200team1 = a, b, c
     201team2 = d, e, f
     202team3 = g, h, i
     203departmentA = team1, team2
     204}}}
     205
     206Permission groups are not supported either. You cannot do the following:
     207{{{
     208[groups]
     209permission_level_1 = WIKI_VIEW, TICKET_VIEW
     210permission_level_2  = permission_level_1, WIKI_MODIFY, TICKET_MODIFY
     211[*]
     212@team1 = permission_level_1
     213@team2 = permission_level_2
     214@team3 = permission_level_2, TICKET_CREATE
     215}}}
     216
    192217=== !AuthzSourcePolicy  (mod_authz_svn-like permission policy) === #AuthzSourcePolicy
    193218