- Timestamp: Sep 16, 2012, 8:09:46 PM (12 years ago)
- Author: trac
- Comment: --
v3 | v4 |
| 1 | [[PageOutline(2-5, Contents, floated)]] |
1 | 2 | = Fine grained permissions = |
2 | 3 | |
… |
… |
|
31 | 32 | ==== Configuration ==== |
32 | 33 | * Install [http://www.voidspace.org.uk/python/configobj.html ConfigObj] (still needed for 0.12). |
33 | | * Copy authz_policy.py into your plugins directory. |
| 34 | * Copy authz_policy.py into your plugins directory (only for Trac 0.11). |
34 | 35 | * Put a [http://swapoff.org/files/authzpolicy.conf authzpolicy.conf] file somewhere, preferably on a secured location on the server, not readable for others than the webuser. If the file contains non-ASCII characters, the UTF-8 encoding should be used. |
35 | 36 | * Update your `trac.ini`: |
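Review bot: The new wording on the authz_policy.py step, "(only for Trac 0.11)", read next to "(still needed for 0.12)" on the ConfigObj step, tells a 0.12 reader what to skip but not how the plugin is obtained on that version. Add half a sentence saying what 0.12 users do instead of copying the file, so the step is complete for both versions.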
… |
… |
|
40 | 41 | permission_policies = AuthzPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy |
41 | 42 | }}} |
42 | | 2. add a new `[authz_policy]` section |
| 43 | 1. add a new `[authz_policy]` section |
43 | 44 | {{{ |
44 | 45 | [authz_policy] |
45 | 46 | authz_file = /some/trac/env/conf/authzpolicy.conf |
46 | 47 | }}} |
47 | | 3. enable the single file plugin |
| 48 | 1. enable the plugin through [/admin/general/plugin WebAdmin] or by editing the `[components]` section |
48 | 49 | {{{ |
49 | 50 | [components] |
… |
… |
|
54 | 55 | #authz_policy.* = enabled |
55 | 56 | }}} |
| 57 | |
| 58 | |
56 | 59 | ==== Usage Notes ==== |
57 | 60 | Note that the order in which permission policies are specified is quite critical, |
… |
… |
|
107 | 110 | denied rather than granted. |
108 | 111 | |
109 | | The username will match any of 'anonymous', |
110 | | 'authenticated', <username> or '*', using normal Trac permission rules. |
| 112 | The username will match any of 'anonymous', 'authenticated', <username> or '*', using normal Trac permission rules. || '''Note:''' Other groups which are created by user (e.g. by 'adding subjects to groups' on web interface page //Admin / Permissions//) cannot be used. See [trac:ticket:5648 #5648] for details about this missing feature || |
111 | 113 | |
112 | 114 | For example, if the `authz_file` contains: |
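Review bot: On the merged username line, the `|| '''Note:''' ... ||` cell is appended to the end of the paragraph instead of starting a line of its own, so it will most likely render as literal pipes rather than as a note box; move it to a separate line below the paragraph. "created by user" should read "created by a user". Because this limitation affects access decisions, the note should also say what a rule naming such a group actually does (rejected, or simply never matches) rather than only "cannot be used".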
… |
… |
|
190 | 192 | |
191 | 193 | |
| 194 | ==== Missing Features ==== |
| 195 | Although possible with the !DefaultPermissionPolicy handling (see Admin panel), fine-grained permissions still miss those grouping features (see [trac:ticket:9573 #9573], [trac:ticket:5648 #5648]). Patches are partially available, see forgotten authz_policy.2.patch part of [trac:ticket:6680 #6680]). |
| 196 | |
| 197 | You cannot do the following: |
| 198 | {{{ |
| 199 | [groups] |
| 200 | team1 = a, b, c |
| 201 | team2 = d, e, f |
| 202 | team3 = g, h, i |
| 203 | departmentA = team1, team2 |
| 204 | }}} |
| 205 | |
| 206 | Permission groups are not supported either. You cannot do the following: |
| 207 | {{{ |
| 208 | [groups] |
| 209 | permission_level_1 = WIKI_VIEW, TICKET_VIEW |
| 210 | permission_level_2 = permission_level_1, WIKI_MODIFY, TICKET_MODIFY |
| 211 | [*] |
| 212 | @team1 = permission_level_1 |
| 213 | @team2 = permission_level_2 |
| 214 | @team3 = permission_level_2, TICKET_CREATE |
| 215 | }}} |
| 216 | |
192 | 217 | === !AuthzSourcePolicy (mod_authz_svn-like permission policy) === #AuthzSourcePolicy |
193 | 218 | |
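Review bot: In the first paragraph of the new "Missing Features" section, "see forgotten authz_policy.2.patch part of [trac:ticket:6680 #6680])." ends with a closing parenthesis that has no opening one, and "forgotten ... part of" is hard to parse; reword it to say which attachment on which ticket is meant. Both "You cannot do the following" examples also leave out what happens when an admin writes such an `authz_file` anyway. Since these rules decide who gets access, state whether the nested-group line (`departmentA = team1, team2`) and the permission-group entries are reported as errors or silently ignored.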