trac.perm
– the Trac permission system¶
Interfaces¶
-
class
trac.perm.
IPermissionRequestor
¶ Bases:
trac.core.Interface
Extension point interface for components that define actions.
-
get_permission_actions
()¶ Return a list of actions defined by this component.
The items in the list may either be simple strings, or
(string, sequence)
tuples. The latter are considered to be “meta permissions” that group several simple actions under one name for convenience, adding to it if another component already defined that name.
-
-
class
trac.perm.
IPermissionStore
¶ Bases:
trac.core.Interface
Extension point interface for components that provide storage and management of permissions.
-
get_all_permissions
()¶ Return all permissions for all users.
The permissions are returned as a list of (subject, action) formatted tuples.
-
get_user_permissions
(username)¶ Return all permissions for the user with the specified name.
The permissions are returned as a dictionary where the key is the name of the permission, and the value is either
True
for granted permissions orFalse
for explicitly denied permissions.
-
get_users_with_permissions
(permissions)¶ Retrieve a list of users that have any of the specified permissions.
Users are returned as a list of usernames.
-
grant_permission
(username, action)¶ Grant a user permission to perform an action.
-
revoke_permission
(username, action)¶ Revokes the permission of the given user to perform an action.
-
-
class
trac.perm.
IPermissionGroupProvider
¶ Bases:
trac.core.Interface
Extension point interface for components that provide information about user groups.
-
get_permission_groups
(username)¶ Return a list of names of the groups that the user with the specified name is a member of.
-
-
class
trac.perm.
IPermissionPolicy
¶ Bases:
trac.core.Interface
A security policy provider used for fine grained permission checks.
-
check_permission
(action, username, resource, perm)¶ Check that the action can be performed by username on the resource
Parameters: - action – the name of the permission
- username – the username string or ‘anonymous’ if there’s no authenticated user
- resource – the resource on which the check applies.
Will be
None
, if the check is a global one and not made on a resource in particular - perm – the permission cache for that username and resource, which can be used for doing secondary checks on other permissions. Care must be taken to avoid recursion.
Returns: True
if action is allowed,False
if action is denied, orNone
if indifferent. IfNone
is returned, the next policy in the chain will be used, and so on.Note that when checking a permission on a realm resource (i.e. when
id
isNone
), this usually corresponds to some preliminary check done before making a fine-grained check on some resource. Therefore theIPermissionPolicy
should be conservative and return:True
if the action can be allowed for some resources in that realm. Later, for specific resource, the policy will be able to returnTrue
(allow),False
(deny) orNone
(don’t decide).None
if the action can not be performed for some resources. This corresponds to situation where the policy is only interested in returningFalse
orNone
on specific resources.False
if the action can not be performed for any resource in that realm (that’s a very strong decision as that will usually prevent any fine-grained check to even happen).
Note that performing permission checks on realm resources may seem redundant for now as the action name itself contains the realm, but this will probably change in the future (e.g.
'VIEW' in ...
).
-
Components¶
-
class
trac.perm.
PermissionSystem
¶ Bases:
trac.core.Component
Permission management sub-system.
-
check_permission
(action, username=None, resource=None, perm=None)¶ Return True if permission to perform action for the given resource is allowed.
-
expand_actions
(actions)¶ Helper method for expanding all meta actions.
-
get_actions
(skip=None)¶ Get a list of all actions defined by permission requestors.
-
get_actions_dict
()¶ Get all actions from permission requestors as a
dict
.The keys are the action names. The values are the additional actions granted by each action. For simple actions, this is an empty list. For meta actions, this is the list of actions covered by the action.
-
get_all_permissions
()¶ Return all permissions for all users.
The permissions are returned as a list of (subject, action) formatted tuples.
-
get_groups_dict
()¶ Get all groups as a
dict
.The keys are the group names. The values are the group members.
Since: 1.1.3
-
get_permission_actions
()¶ Implement the global
TRAC_ADMIN
meta permission.
-
get_user_permissions
(username=None, undefined=False)¶ Return the permissions of the specified user.
The return value is a dictionary containing all the actions granted to the user mapped to
True
.Parameters: undefined – if True
, include actions that are not defined.Since 1.3.1: added the undefined
parameter.
-
get_users_dict
()¶ Get all users as a
dict
.The keys are the user names. The values are the actions possessed by the user.
Since: 1.1.3
-
get_users_with_permission
(permission)¶ Return all users that have the specified permission.
Users are returned as a list of user names.
-
grant_permission
(username, action)¶ Grant the user with the given name permission to perform to specified action.
Raises: PermissionExistsError – if user already has the permission or is a member of the group. Since 1.3.1: raises PermissionExistsError rather than IntegrityError
-
policies
¶ List of components implementing
IPermissionPolicy
, in the order in which they will be applied. These components manage fine-grained access control to Trac resources.
-
requestors
¶ List of components that implement
IPermissionRequestor
-
revoke_permission
(username, action)¶ Revokes the permission of the specified user to perform an action.
-
store
¶ Name of the component implementing
IPermissionStore
, which is used for managing user and group permissions.
-
-
class
trac.perm.
DefaultPermissionGroupProvider
¶ Bases:
trac.core.Component
Permission group provider providing the basic builtin permission groups ‘anonymous’ and ‘authenticated’.
-
class
trac.perm.
DefaultPermissionPolicy
¶ Bases:
trac.core.Component
Default permission policy using the IPermissionStore system.
-
class
trac.perm.
DefaultPermissionStore
¶ Bases:
trac.core.Component
Default implementation of permission storage and group management.
This component uses the
permission
table in the database to store both permissions and groups.-
get_all_permissions
()¶ Return all permissions for all users.
The permissions are returned as a list of (subject, action) formatted tuples.
-
get_user_permissions
(username)¶ Retrieve a list of permissions for the given user.
The permissions are stored in the database as (username, action) records. There’s simple support for groups by using lowercase names for the action column: such a record represents a group and not an actual permission, and declares that the user is part of that group.
-
get_users_with_permissions
(permissions)¶ Retrieve a list of users that have any of the specified permissions
Users are returned as a list of usernames.
-
grant_permission
(username, action)¶ Grants a user the permission to perform the specified action.
-
group_providers
¶ List of components that implement
IPermissionGroupProvider
-
revoke_permission
(username, action)¶ Revokes a users’ permission to perform the specified action.
-
-
class
trac.perm.
PermissionAdmin
¶ Bases:
trac.core.Component
trac-admin command provider for permission system administration.
Exceptions¶
-
exception
trac.perm.
PermissionError
(action=None, resource=None, env=None, msg=None)¶ Bases:
exceptions.StandardError
,trac.core.TracBaseError
Insufficient permissions to perform the operation.
-
exception
trac.perm.
PermissionExistsError
(message, title=None, show_traceback=False)¶ Bases:
trac.core.TracError
Thrown when a unique key constraint is violated.
If message is an Element object, everything up to the first <p> will be displayed in the red box, and everything after will be displayed below the red box. If title is given, it will be displayed as the large header above the error message.
Miscellaneous¶
-
class
trac.perm.
PermissionCache
(env, username=None, resource=None, cache=None, groups=None)¶ Bases:
object
Cache that maintains the permissions of a single user.
Permissions are usually checked using the following syntax:
‘WIKI_MODIFY’ in permOne can also apply more fine grained permission checks and specify a specific resource for which the permission should be available:
‘WIKI_MODIFY’ in perm(‘wiki’, ‘WikiStart’)If there’s already a
page
object available, the check is simply:‘WIKI_MODIFY’ in perm(page.resource)If instead of a check, one wants to assert that a given permission is available, the following form should be used:
perm.require(‘WIKI_MODIFY’)
or
perm(‘wiki’, ‘WikiStart’).require(‘WIKI_MODIFY’)
or
perm(page.resource).require(‘WIKI_MODIFY’)
When using
require
, aPermissionError
exception is raised if the permission is missing.