Changes between Version 4 and Version 5 of TracFineGrainedPermissions

Timestamp:

Sep 24, 2024, 8:56:32 AM (5 weeks ago)

Author:

trac

Comment:

--

TracFineGrainedPermissions

@@ -5 +5 @@
 There is a general mechanism in place that allows custom **permission policies** to grant or deny any action on any Trac resource, or even specific versions of a resource.
 
-That mechanism is `authz_policy`, which is an optional module in `tracopt.perm.authz_policy.*`, so it is installed by default. It can be activated via the //Plugins// panel in the Trac administration module.
+That mechanism is `AuthzPolicy`, an optional component in `tracopt.perm.authz_policy.*` which is not activated by default. It can be activated via the //Plugins// panel in the Trac administration module.
+
+See TracPermissions for a more general introduction to Trac permissions and permission policies.
 
 == Permission Policies
 
-A great diversity of permission policies can be implemented and Trac comes with a few examples. 
+A great diversity of permission policies can be implemented and Trac comes with a few examples.
 
 The active policies are determined by a [TracIni#trac-permission_policies-option configuration setting]:
@@ -15 +17 @@
 {{{#!ini
 [trac]
-permission_policies = ReadonlyWikiPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
-}}}
-
-* [#ReadonlyWikiPolicy] controls readonly access to wiki pages.
+permission_policies = DefaultWikiPolicy,
+ DefaultTicketPolicy,
+ DefaultPermissionPolicy,
+ LegacyAttachmentPolicy
+}}}
+
+* [#DefaultWikiPolicyandDefaultTicketPolicy DefaultWikiPolicy] controls readonly access to wiki pages.
+* [#DefaultWikiPolicyandDefaultTicketPolicy DefaultTicketPolicy] provides elevated privileges in the ticket system for authenticated users.
 * !DefaultPermissionPolicy checks for the traditional coarse-grained permissions described in TracPermissions.
 * !LegacyAttachmentPolicy uses the coarse-grained permissions to check permissions on attachments.
 
-Among the optional choices, there is [#AuthzPolicy], a very generic permission policy, based on an Authz-style system. See
-[trac:source:branches/1.2-stable/tracopt/perm/authz_policy.py authz_policy.py] for details. 
+Among the optional choices, there is [#AuthzPolicy], a very generic permission policy, based on an Authz-style system. See [trac:source:branches/1.4-stable/tracopt/perm/authz_policy.py authz_policy.py] for details.
 
 Another permission policy [#AuthzSourcePolicy], uses the [http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html path-based authorization] defined by Subversion to enforce permissions on the version control system.
 
-See also [trac:source:branches/1.2-stable/sample-plugins/permissions sample-plugins/permissions] for more examples.
+See also [trac:source:branches/1.4-stable/sample-plugins/permissions sample-plugins/permissions] for more examples.
 
 === !AuthzPolicy
 ==== Configuration
-* Put a [http://swapoff.org/files/authzpolicy.conf conf] file in a secure location on the server, not readable by users other than the webuser. If the  file contains non-ASCII characters, the UTF-8 encoding should be used.
+
+* Put an empty conf file (`authzpolicy.conf`) in a secure location on the server, not readable by users other than the webuser. If the file contains non-ASCII characters, the UTF-8 encoding should be used.
 * Update your `trac.ini`:
-  1. modify the [TracIni#trac-section permission_policies] entry in the `[trac]` section:
-{{{#!ini
-[trac]
-permission_policies = AuthzPolicy, ReadonlyWikiPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
+  1. modify the [TracIni#trac-permission_policies-option permission_policies] option in the `[trac]` section:
+{{{#!ini
+[trac]
+permission_policies = AuthzPolicy, DefaultWikiPolicy, DefaultTicketPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
 }}}
   1. add a new `[authz_policy]` section and point the `authz_file` option to the conf file:
@@ -55 +61 @@
 A policy will return either `True`, `False` or `None` for a given permission check. `True` is returned if the policy explicitly grants the permission. `False` is returned if the policy explicitly denies the permission. `None` is returned if the policy is unable to either grant or deny the permission.
 
-NOTE: Only if the return value is `None` will the ''next'' permission policy be consulted. If none of the policies explicitly grants the permission, the final result will be `False`, i.e. permission denied.
+'''Note''': Only if the return value is `None` will the ''next'' permission policy be consulted. If none of the policies explicitly grants the permission, the final result will be `False`, i.e. permission denied.
 
 The `authzpolicy.conf` file is a `.ini` style configuration file:
@@ -88 +94 @@
 * Sections are checked against the current Trac resource descriptor '''IN ORDER''' of appearance in the configuration file. '''ORDER IS CRITICAL'''.
 
-* Once a section matches, the current username is matched against the keys (usernames) of the section, '''IN ORDER'''. 
-  * If a key (username) is prefixed with a `@`, it is treated as a group. 
+* Once a section matches, the current username is matched against the keys (usernames) of the section, '''IN ORDER'''.
+  * If a key (username) is prefixed with a `@`, it is treated as a group.
   * If a value (permission) is prefixed with a `!`, the permission is denied rather than granted.
 
-The username will match any of 'anonymous', 'authenticated', <username> or '*', using normal Trac permission rules. || '''Note:''' Other groups which are created by user (e.g. by 'adding subjects to groups' on web interface page //Admin / Permissions//) cannot be used. See [trac:ticket:5648 #5648] for details about this missing feature. ||
+The username will match any of 'anonymous', 'authenticated', <username> or '*', using normal Trac permission rules.
+
+'''Note''': Other groups which are created by user (e.g. by 'adding subjects to groups' on web interface page //Admin / Permissions//) cannot be used. See [trac:#5648] for details about this missing feature.
 
 For example, if the `authz_file` contains:
@@ -110 +118 @@
 }}}
 
-Then: 
+Then:
   * All versions of WikiStart will be viewable by everybody, including anonymous
   * !PrivatePage will be viewable only by john
@@ -164 +172 @@
 john = BROWSER_VIEW, FILE_VIEW
 
-# John has BROWSER_VIEW and FILE_VIEW access to all revisions of 'somefile' at trunk/src/some/location only 
+# John has BROWSER_VIEW and FILE_VIEW access to all revisions of 'somefile' at trunk/src/some/location only
 [repository:test_repo@*/source:trunk/src/some/location/somefile@*]
 john = BROWSER_VIEW, FILE_VIEW
@@ -176 +184 @@
 
 ==== Missing Features
-Although possible with the !DefaultPermissionPolicy handling (see Admin panel), fine-grained permissions still miss those grouping features (see [trac:ticket:9573 #9573], [trac:ticket:5648 #5648]). Patches are partially available, see authz_policy.2.patch, part of [trac:ticket:6680 #6680].
+
+Although possible with the !DefaultPermissionPolicy handling (see Admin panel), fine-grained permissions still miss those grouping features (see [trac:#9573], [trac:#5648]). Patches are partially available, see authz_policy.2.patch, part of [trac:ticket:6680 #6680].
 
 You cannot do the following:
@@ -191 +200 @@
 [groups]
 permission_level_1 = WIKI_VIEW, TICKET_VIEW
-permission_level_2  = permission_level_1, WIKI_MODIFY, TICKET_MODIFY
+permission_level_2 = permission_level_1, WIKI_MODIFY, TICKET_MODIFY
 [*]
 @team1 = permission_level_1
@@ -198 +207 @@
 }}}
 
-=== !AuthzSourcePolicy  (mod_authz_svn-like permission policy) #AuthzSourcePolicy
-
-`AuthzSourcePolicy` can be used for restricting access to the repository. Granular permission control needs a definition file, which is the one used by Subversion's mod_authz_svn. 
+=== !AuthzSourcePolicy (`mod_authz_svn`-like permission policy) #AuthzSourcePolicy
+
+`AuthzSourcePolicy` can be used for restricting access to the repository. Granular permission control needs a definition file, which is the one used by Subversion's `mod_authz_svn`.
 More information about this file format and about its usage in Subversion is available in the [http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html Path-Based Authorization] section in the Server Configuration chapter of the svn book.
 
@@ -243 +252 @@
 ...
 [repositories]
-somemodule.dir = /srv/active/svn/somemodule 
+somemodule.dir = /srv/active/svn/somemodule
 }}}
 
 where the svn access file, {{{/path/to/svnaccessfile}}}, contains entries such as {{{[somemodule:/some/path]}}}.
 
-'''Note:''' Usernames inside the Authz file __must__ be the same as those used inside trac. 
-
-As of version 0.12, make sure you have ''!AuthzSourcePolicy'' included in the permission_policies list in trac.ini, otherwise the authz permissions file will be ignored.
-
-{{{#!ini
-[trac]
-permission_policies = AuthzSourcePolicy, ReadonlyWikiPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
+'''Note:''' Usernames inside the Authz file __must__ be the same as those used inside trac.
+
+Make sure you have ''!AuthzSourcePolicy'' included in the permission_policies list in trac.ini, otherwise the authz permissions file will be ignored.
+
+{{{#!ini
+[trac]
+permission_policies = AuthzSourcePolicy, DefaultWikiPolicy, DefaultTicketPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
 }}}
 
@@ -272 +281 @@
 For information about how to restrict access to entire projects in a multiple project environment see [trac:wiki:TracMultipleProjectsSVNAccess].
 
-=== ReadonlyWikiPolicy
-
-Since 1.1.2, the read-only attribute of wiki pages is enabled and enforced when `ReadonlyWikiPolicy` is in the list of active permission policies. The default for new Trac installations in 1.1.2 and later is:
-{{{
-[trac]
-permission_policies = ReadonlyWikiPolicy,
+=== !DefaultWikiPolicy and !DefaultTicketPolicy
+
+Since 1.1.2, the read-only attribute of wiki pages is enabled and enforced when `DefaultWikiPolicy` is in the list of active permission policies (`DefaultWikiPolicy` was named `ReadonlyWikiPolicy` from Trac 1.1.2 to 1.3.1). The default for new Trac installations in 1.3.2 and later is:
+{{{#!ini
+[trac]
+permission_policies = DefaultWikiPolicy,
+ DefaultTicketPolicy,
  DefaultPermissionPolicy,
  LegacyAttachmentPolicy
 }}}
 
-When upgrading from earlier versions of Trac, `ReadonlyWikiPolicy` will be appended to the list of `permission_policies` when upgrading the environment, provided that `permission_policies` has the default value. If any non-default `permission_polices` are active, `ReadonlyWikiPolicy` **will need to be manually added** to the list. A message will be echoed to the console when upgrading the environment, indicating if any action needs to be taken.
-
-**!ReadonlyWikiPolicy must be listed //before// !DefaultPermissionPolicy**. The latter returns `True` to allow modify, delete or rename actions when the user has the respective `WIKI_*` permission, without consideration for the read-only attribute.
-
-The `ReadonlyWikiPolicy` returns `False` to deny modify, delete and rename actions on wiki pages when the page has the read-only attribute set and the user does not have `WIKI_ADMIN`, regardless of `WIKI_MODIFY`, `WIKI_DELETE` and `WIKI_RENAME` permissions. It returns `None` for all other cases.
-
-When active, the [#AuthzPolicy] should therefore come before `ReadonlyWikiPolicy`, allowing it to grant or deny the actions on individual resources, which is the usual ordering for `AuthzPolicy` in the `permission_policies` list.
-{{{
+`DefaultWikiPolicy` returns `False` to deny modify, delete and rename actions on wiki pages when the page has the read-only attribute set and the user does not have `WIKI_ADMIN`, regardless of `WIKI_MODIFY`, `WIKI_DELETE` and `WIKI_RENAME` permissions. It returns `None` for all other cases, which causes the next permission policy in the list to be consulted.
+
+Since 1.3.2 `DefaultTicketPolicy` implements the following behaviors:
+* Authenticated user can edit their own comments.
+* Authenticated user with `TICKET_APPEND` or `TICKET_CHGPROP` can modify the description of a ticket they reported.
+* User with `MILESTONE_VIEW` can change  the ticket milestone.
+
+The wiki- and ticket-specific behaviors are implemented in permission policies so they can be easily replaced in case other behavior is desired.
+
+When upgrading from earlier versions of Trac, `DefaultWikiPolicy, DefaultTicketPolicy` will be appended to the list of `permission_policies` when upgrading the environment, provided that `permission_policies` has the default value (`ReadonlyWikiPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy` if upgrading from Trac 1.1.2 or later). If any non-default `permission_polices` are active, `DefaultWikiPolicy, DefaultTicketPolicy` **will need to be manually added** to the list. A message will be echoed to the console when upgrading the environment, indicating if any action needs to be taken.
+
+**!DefaultWikiPolicy and !DefaultTicketPolicy must be listed //before// !DefaultPermissionPolicy**. The latter returns `True` to allow modify, delete or rename actions when the user has the respective `WIKI_*` permission, without consideration for the read-only attribute. Similarly, some of the behaviors implemented in `DefaultTicketPolicy` won't be considered if `DefaultPermissionPolicy` is executed first.
+
+When active, the [#AuthzPolicy] should therefore come before `DefaultWikiPolicy, DefaultTicketPolicy`, allowing it to grant or deny the actions on individual resources, which is the usual ordering for `AuthzPolicy` in the `permission_policies` list.
+{{{#!ini
 [trac]
 permission_policies = AuthzPolicy,
- ReadonlyWikiPolicy,
+ DefaultWikiPolicy,
+ DefaultTicketPolicy,
  DefaultPermissionPolicy,
  LegacyAttachmentPolicy
 }}}
 
-The placement of [#AuthzSourcePolicy] relative to `ReadonlyWikiPolicy` does not matter since they don't perform checks on the same realms.
-
-For all other permission policies, the user will need to decide the proper ordering. Generally, if the permission policy should be capable of overriding the check performed by `ReadonlyWikiPolicy`, it should come before `ReadonlyWikiPolicy` in the list. If the `ReadonlyWikiPolicy` should override the check performed by another permission policy, as is the case for `DefaultPermissionPolicy`, then `ReadonlyWikiPolicy` should come first.
+The placement of [#AuthzSourcePolicy] relative to `DefaultWikiPolicy, DefaultTicketPolicy` does not matter since they don't perform checks on the same realms.
+
+For all other permission policies, the user will need to decide the proper ordering. Generally, if the permission policy should be capable of overriding the checks performed by `DefaultWikiPolicy` or `DefaultTicketPolicy`, it should come before the policy it overrides. If `DefaultWikiPolicy` or `DefaultTicketPolicy` should override the check performed by another permission policy, as is the case for those policies relative to `DefaultPermissionPolicy`, then the overriding policy should come first.
 
 == Debugging permissions
+
 In trac.ini set:
 {{{#!ini
@@ -319 +338 @@
 ----
 See also: TracPermissions,
-[http://trac-hacks.org/wiki/FineGrainedPageAuthzEditorPlugin TracHacks:FineGrainedPageAuthzEditorPlugin] for a simple editor plugin.
+[https://trac-hacks.org/wiki/FineGrainedPageAuthzEditorPlugin FineGrainedPageAuthzEditorPlugin] for a simple editor.