Fine grained permissions

[anonymous]

We should (somehow) support more fine grained access control, a'la mod_authz_svn.

In fact, the configuration file format for authz is trivial, if not even directly compatible with python's configfile parser... We could maybe use that directly, that'd be quite easy to set up.

• http://thread.gmane.org/gmane.comp.version-control.subversion.trac.general/35
• http://svnbook.red-bean.com/book.html#svn-ch-6-sect-4.4.2
• http://svn.collab.net/viewcvs/svn/trunk/subversion/mod_authz_svn/

[ben]

i just wanted to add that this missing feature can be a real showstopper. we're using subversion as a service for computer science projects or bachelor/master thesises at my university and these get stored in one repository with usage of mod_authz for fine grained permissions. the problem is not the browser itself which could certainly have some kind of access control via apache, but with the changesets in the timeline this is simply not possible. this way it is possible to look into source codes or thesises without having the proper permission. as a result it is not possible to use trac in a configuration like we have which is really a pity!

[anonymous]

Not to mention if you are using it commercially.... Let's just say all the beneifts of providing external access to this cool tool would be much more than negated. This is the only showstopper I see so far, to our usage.

[utopiste]

For more information about this feature consult the FineGrainedPermissions page

[utopiste]

Oops... Trac detected an internal error: authz read privileges required to view this file

wouhou :) (ok currently only in File.py, but it's a beginning)

Primary release in few day

[Utopiste]

First patch for mod_authz support

[jonas]

Cool, I'm looking forward to this feature.

[jonas]

Duh, just noticed your patch. It looks nice, is this something you would like to have merged into trunk right now?

[utopiste]

work on trunk, initial changeset support

[utopiste]

Initial changeset support

work on the latest trunk

[jonas]

Great work, moving this to 0.8

[jonas]

Patch merged into trunk.

A few comments:

• It looks like the current authzperm.py only support sections of the format [repos-name:/path] and not [/path].
• authz_file option in trac.ini should support relative filenames (relative to the env directory)
• Should authz limit directory browser access as well?
• It might be a good idea to load/parse the file when it's modified and not on every request. But ConfigParser? might be fast enough for us...

[MishaS]

I am checking trunk version of trac and it looks like the module does not seem to support authz groups.

[pbaker@…]

I have set up an authz access file for my trac installation and this feature does not seem to work. Nothing is logged to the trac.log about it. You should add some logging for when this feature is detected and used. That would really help out.

[daniel]

Should this be included in 0.8, or should we roll back the work so far and push it til 0.9?

How much work is still needed on this?

[utopiste]

one limitation fixed in [967]

It looks like the current authzperm.py only support sections of the format [repos-name:/path] and not [/path].

if no authz_module_name= config in the IniFile? we use /path style section

[utopiste]

This feature can be used in the 0.8 release. i changed the milestone date to 0.9 because i have some more work to put inside this features (think group support and ACL caching) and i dont want to close this ticket.

FineGrainedPermissions was also updated to reflect this.

[utopiste]

initial Browser.py support in [968]

[utopiste]

with the last patch, should be enough stable to be used in the next version of trac