tracopt.perm.authz_policy

class tracopt.perm.authz_policy.AuthzPolicy

Bases: trac.core.Component

Permission policy using an authz-like configuration file.

Refer to SVN documentation for syntax of the authz file. Groups are supported.

As the fine-grained permissions provided by this permission policy are usually used to complement the other permission policies (such as the DefaultPermissionPolicy), there is no need to redefine all permissions here. Only additional rights or restrictions should be added.

=== Installation ===

Enabling this policy requires listing it in trac.ini:

{{{
[trac]
permission_policies = AuthzPolicy, DefaultPermissionPolicy

[authz_policy]
authz_file = conf/authzpolicy.conf
}}}

This means that the AuthzPolicy permissions will be checked first, and only if no rule is found will the DefaultPermissionPolicy be used.

=== Configuration ===

The authzpolicy.conf file is an ini-style configuration file.

  • Each section of the config is a glob pattern used to match against a Trac resource descriptor. These descriptors are in the form:

    {{{
    <realm>:<id>@<version>[/<realm>:<id>@<version> ...]
    }}}
    

    Resources are ordered left to right, from parent to child. If any component is inapplicable, * is substituted. If the version pattern is not specified explicitly, all versions (@*) are matched implicitly.

    Example: Match the WikiStart page:

    {{{
    [wiki:*]
    [wiki:WikiStart*]
    [wiki:WikiStart@*]
    [wiki:WikiStart]
    }}}
    

    Example: Match the attachment wiki:WikiStart@117/attachment/FOO.JPG@* on WikiStart:

    {{{
    [wiki:*]
    [wiki:WikiStart*]
    [wiki:WikiStart@*]
    [wiki:WikiStart@*/attachment/*]
    [wiki:WikiStart@117/attachment/FOO.JPG]
    }}}
    
  • Sections are checked against the current Trac resource '''IN ORDER''' of appearance in the configuration file. '''ORDER IS CRITICAL'''.

  • Once a section matches, the current username is matched, '''IN ORDER''', against the keys of the section. If a key is prefixed with a @, it is treated as a group. If a key is prefixed with a !, the permission is denied rather than granted. The username will match any of 'anonymous', 'authenticated', <username> or '*', using normal Trac permission rules.

Example configuration:

{{{
[groups]
administrators = athomas

[*/attachment:*]
* = WIKI_VIEW, TICKET_VIEW

[wiki:WikiStart@*]
@administrators = WIKI_ADMIN
anonymous = WIKI_VIEW
* = WIKI_VIEW

# Deny access to page templates
[wiki:PageTemplates/*]
* =

# Match everything else
[*]
@administrators = TRAC_ADMIN
anonymous = BROWSER_VIEW, CHANGESET_VIEW, FILE_VIEW, LOG_VIEW,
    MILESTONE_VIEW, POLL_VIEW, REPORT_SQL_VIEW, REPORT_VIEW,
    ROADMAP_VIEW, SEARCH_VIEW, TICKET_CREATE, TICKET_MODIFY,
    TICKET_VIEW, TIMELINE_VIEW,
    WIKI_CREATE, WIKI_MODIFY, WIKI_VIEW
# Give authenticated users some extra permissions
authenticated = REPO_SEARCH, XML_RPC
}}}
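As an added illustration (not Trac's own code), the following toy re-implementation in Python walks a constructed policy file, shaped like the example above, applying the rules documented here: sections are tried in file order, with @* appended when a section gives no version; within the first matching section the first key naming the user wins; @-prefixed keys are groups; !-prefixed actions are denied; and an empty assignment denies everything. The names SAMPLE_AUTHZ, META, load_authz, groups_of, authz_permissions and check_permission belong to this example only. The META table is an abbreviated stand-in for Trac's meta-permission expansion, groups are kept flat, and continuing to the next section when a matched section names no applicable key is an assumption of the example, not something the page states.

```python
"""Toy re-implementation of the AuthzPolicy matching rules (added example, not Trac's code)."""
import configparser
from fnmatch import fnmatchcase

# Constructed sample policy, shaped like the documented example.
SAMPLE_AUTHZ = """\
[groups]
administrators = athomas

# Section order matters: this must come before [wiki:WikiStart@*], whose
# glob would otherwise also swallow attachments of WikiStart.
[*/attachment:*]
* = WIKI_VIEW, TICKET_VIEW

[wiki:WikiStart@*]
@administrators = WIKI_ADMIN
anonymous = WIKI_VIEW
* = WIKI_VIEW, !WIKI_MODIFY

# An empty value denies every action
[wiki:PageTemplates/*]
* =

[*]
@administrators = TRAC_ADMIN
anonymous = TICKET_VIEW, WIKI_VIEW
authenticated = TICKET_VIEW, WIKI_VIEW, WIKI_MODIFY
"""

# Abbreviated stand-in for Trac's meta-permission expansion (constructed, not Trac's table).
META = {'WIKI_ADMIN': {'WIKI_VIEW', 'WIKI_MODIFY', 'WIKI_CREATE', 'WIKI_DELETE'}}


def load_authz(text):
    """Parse the ini text, keeping key order and the case of user/group names."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=('=',))
    cp.optionxform = str          # do not lower-case usernames
    cp.read_string(text)
    return cp


def to_list(value):
    # '' stays [''] so an empty assignment can be told apart from "no rule"
    return [p.strip() for p in value.split(',')]


def groups_of(cp, username):
    """Names of [groups] entries that list username (flat groups only in this example)."""
    if not cp.has_section('groups'):
        return set()
    return {name for name, members in cp['groups'].items()
            if username in to_list(members)}


def authz_permissions(cp, resource_key, username):
    """First section whose glob matches resource_key, then first key naming the user.

    Returns that key's permission list, or None when no rule applies.
    """
    if username == 'anonymous':
        valid = ['*', 'anonymous']
    else:
        valid = ['*', 'authenticated', username]
    my_groups = groups_of(cp, username)
    for section in cp.sections():
        if section == 'groups':
            continue
        glob = section if '@' in section else section + '@*'   # implicit @*
        if not fnmatchcase(resource_key, glob):
            continue
        for who, perms in cp[section].items():
            if who in valid or (who.startswith('@') and who[1:] in my_groups):
                return to_list(perms)
        # No key in this matching section applied to the user: keep scanning.
        # (Assumption of this example; the page does not say what Trac does here.)
    return None


def check_permission(cp, action, username, resource_key):
    """True = granted, False = denied, None = no rule, so the next policy decides."""
    perms = authz_permissions(cp, resource_key, username)
    if perms is None:
        return None
    if perms == ['']:
        return False                                  # '* =' denies every action
    denied = {p[1:] for p in perms if p.startswith('!')}
    granted = set()
    for p in perms:
        if not p.startswith('!'):
            granted.add(p)
            granted |= META.get(p, set())             # expand meta-permissions
    if action in denied:
        return False
    if action in granted:
        return True
    return None


if __name__ == '__main__':
    cp = load_authz(SAMPLE_AUTHZ)
    for user, key, action in [('athomas', 'wiki:WikiStart@*', 'WIKI_DELETE'),
                              ('bob', 'wiki:WikiStart@*', 'WIKI_MODIFY'),
                              ('anonymous', 'wiki:PageTemplates/Foo@*', 'WIKI_VIEW'),
                              ('bob', 'wiki:WikiStart@3/attachment:foo.png@*', 'TICKET_VIEW')]:
        print(user, key, action, '->', check_permission(cp, action, user, key))
```

Running it shows why order is critical: moving [*/attachment:*] below [wiki:WikiStart@*] would let the WikiStart glob match its own attachments first, so TICKET_VIEW on wiki:WikiStart@3/attachment:foo.png@* would change from granted to undecided. Three outcomes matter when chaining with DefaultPermissionPolicy: True grants, False denies, and None means no rule was found, so the next policy in permission_policies decides.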

authz_file

Location of authz policy configuration file. Non-absolute paths are relative to the Environment conf directory.