trac.perm – the Trac permission system

Interfaces

class trac.perm.IPermissionRequestor

Bases: trac.core.Interface

Extension point interface for components that define actions.

get_permission_actions()

Return a list of actions defined by this component.

The items in the list may either be simple strings, or (string, sequence) tuples. The latter are considered to be “meta permissions” that group several simple actions under one name for convenience, adding to it if another component already defined that name.

class trac.perm.IPermissionStore

Bases: trac.core.Interface

Extension point interface for components that provide storage and management of permissions.

get_all_permissions()

Return all permissions for all users.

The permissions are returned as a list of (subject, action) formatted tuples.

get_user_permissions(username)

Return all permissions for the user with the specified name.

The permissions are returned as a dictionary where the key is the name of the permission, and the value is either True for granted permissions or False for explicitly denied permissions.

get_users_with_permissions(permissions)

Retrieve a list of users that have any of the specified permissions.

Users are returned as a list of usernames.

grant_permission(username, action)

Grant a user permission to perform an action.

revoke_permission(username, action)

Revokes the permission of the given user to perform an action.

class trac.perm.IPermissionGroupProvider

Bases: trac.core.Interface

Extension point interface for components that provide information about user groups.

get_permission_groups(username)

Return a list of names of the groups that the user with the specified name is a member of.

class trac.perm.IPermissionPolicy

Bases: trac.core.Interface

A security policy provider used for fine grained permission checks.

check_permission(action, username, resource, perm)

Check that the action can be performed by username on the resource

Parameters:
  • action – the name of the permission
  • username – the username string or ‘anonymous’ if there’s no authenticated user
  • resource – the resource on which the check applies. Will be None, if the check is a global one and not made on a resource in particular
  • perm – the permission cache for that username and resource, which can be used for doing secondary checks on other permissions. Care must be taken to avoid recursion.
Returns:

True if action is allowed, False if action is denied, or None if indifferent. If None is returned, the next policy in the chain will be used, and so on.

Note that when checking a permission on a realm resource (i.e. when id is None), this usually corresponds to some preliminary check done before making a fine-grained check on some resource. Therefore the IPermissionPolicy should be conservative and return:

  • True if the action can be allowed for some resources in that realm. Later, for specific resource, the policy will be able to return True (allow), False (deny) or None (don’t decide).
  • None if the action can not be performed for some resources. This corresponds to situation where the policy is only interested in returning False or None on specific resources.
  • False if the action can not be performed for any resource in that realm (that’s a very strong decision as that will usually prevent any fine-grained check to even happen).

Note that performing permission checks on realm resources may seem redundant for now as the action name itself contains the realm, but this will probably change in the future (e.g. 'VIEW' in ...).

Components

class trac.perm.PermissionSystem

Bases: trac.core.Component

Permission management sub-system.

check_permission(action, username=None, resource=None, perm=None)

Return True if permission to perform action for the given resource is allowed.

expand_actions(actions)

Helper method for expanding all meta actions.

get_actions(skip=None)

Get a list of all actions defined by permission requestors.

get_actions_dict()

Get all actions from permission requestors as a dict.

The keys are the action names. The values are the additional actions granted by each action. For simple actions, this is an empty list. For meta actions, this is the list of actions covered by the action.

get_all_permissions()

Return all permissions for all users.

The permissions are returned as a list of (subject, action) formatted tuples.

get_groups_dict()

Get all groups as a dict.

The keys are the group names. The values are the group members.

Since:1.1.3
get_permission_actions()

Implement the global TRAC_ADMIN meta permission.

get_user_permissions(username=None, undefined=False)

Return the permissions of the specified user.

The return value is a dictionary containing all the actions granted to the user mapped to True.

Parameters:undefined – if True, include actions that are not defined.
Since 1.3.1:added the undefined parameter.
get_users_dict()

Get all users as a dict.

The keys are the user names. The values are the actions possessed by the user.

Since:1.1.3
get_users_with_permission(permission)

Return all users that have the specified permission.

Users are returned as a list of user names.

grant_permission(username, action)

Grant the user with the given name permission to perform to specified action.

Raises:PermissionExistsError – if user already has the permission or is a member of the group.
Since 1.3.1:raises PermissionExistsError rather than IntegrityError
policies

List of components implementing IPermissionPolicy, in the order in which they will be applied. These components manage fine-grained access control to Trac resources.

requestors

List of components that implement IPermissionRequestor

revoke_permission(username, action)

Revokes the permission of the specified user to perform an action.

store

Name of the component implementing IPermissionStore, which is used for managing user and group permissions.

class trac.perm.DefaultPermissionGroupProvider

Bases: trac.core.Component

Permission group provider providing the basic builtin permission groups ‘anonymous’ and ‘authenticated’.

class trac.perm.DefaultPermissionPolicy

Bases: trac.core.Component

Default permission policy using the IPermissionStore system.

class trac.perm.DefaultPermissionStore

Bases: trac.core.Component

Default implementation of permission storage and group management.

This component uses the permission table in the database to store both permissions and groups.

get_all_permissions()

Return all permissions for all users.

The permissions are returned as a list of (subject, action) formatted tuples.

get_user_permissions(username)

Retrieve a list of permissions for the given user.

The permissions are stored in the database as (username, action) records. There’s simple support for groups by using lowercase names for the action column: such a record represents a group and not an actual permission, and declares that the user is part of that group.

get_users_with_permissions(permissions)

Retrieve a list of users that have any of the specified permissions

Users are returned as a list of usernames.

grant_permission(username, action)

Grants a user the permission to perform the specified action.

group_providers

List of components that implement IPermissionGroupProvider

revoke_permission(username, action)

Revokes a users’ permission to perform the specified action.

class trac.perm.PermissionAdmin

Bases: trac.core.Component

trac-admin command provider for permission system administration.

Exceptions

exception trac.perm.PermissionError(action=None, resource=None, env=None, msg=None)

Bases: exceptions.StandardError, trac.core.TracBaseError

Insufficient permissions to perform the operation.

exception trac.perm.PermissionExistsError(message, title=None, show_traceback=False)

Bases: trac.core.TracError

Thrown when a unique key constraint is violated.

If message is an Element object, everything up to the first <p> will be displayed in the red box, and everything after will be displayed below the red box. If title is given, it will be displayed as the large header above the error message.

Miscellaneous

class trac.perm.PermissionCache(env, username=None, resource=None, cache=None, groups=None)

Bases: object

Cache that maintains the permissions of a single user.

Permissions are usually checked using the following syntax:

‘WIKI_MODIFY’ in perm

One can also apply more fine grained permission checks and specify a specific resource for which the permission should be available:

‘WIKI_MODIFY’ in perm(‘wiki’, ‘WikiStart’)

If there’s already a page object available, the check is simply:

‘WIKI_MODIFY’ in perm(page.resource)

If instead of a check, one wants to assert that a given permission is available, the following form should be used:

perm.require(‘WIKI_MODIFY’)

or

perm(‘wiki’, ‘WikiStart’).require(‘WIKI_MODIFY’)

or

perm(page.resource).require(‘WIKI_MODIFY’)

When using require, a PermissionError exception is raised if the permission is missing.