close
Warning:
Error with navigation contributor "LoginModule"
- Timestamp:
-
Sep 16, 2012, 8:09:46 PM (12 years ago)
- Author:
-
trac
- Comment:
-
--
Legend:
- Unmodified
- Added
- Removed
- Modified
-
|
v3
|
v4
|
|
| | 1 | [[PageOutline(2-5, Contents, floated)]] |
| 1 | 2 | = Fine grained permissions = |
| 2 | 3 | |
| … |
… |
|
| 31 | 32 | ==== Configuration ==== |
| 32 | 33 | * Install [http://www.voidspace.org.uk/python/configobj.html ConfigObj] (still needed for 0.12). |
| 33 | | * Copy authz_policy.py into your plugins directory |
| | 34 | * Copy authz_policy.py into your plugins directory (only for Trac 0.11). |
| 34 | 35 | * Put a [http://swapoff.org/files/authzpolicy.conf authzpolicy.conf] file somewhere, preferably on a secured location on the server, not readable for others than the webuser. If the file contains non-ASCII characters, the UTF-8 encoding should be used. |
| 35 | 36 | * Update your `trac.ini`: |
| … |
… |
|
| 40 | 41 | permission_policies = AuthzPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy |
| 41 | 42 | }}} |
| 42 | | 2. add a new `[authz_policy]` section |
| | 43 | 1. add a new `[authz_policy]` section |
| 43 | 44 | {{{ |
| 44 | 45 | [authz_policy] |
| 45 | 46 | authz_file = /some/trac/env/conf/authzpolicy.conf |
| 46 | 47 | }}} |
| 47 | | 3. enable the single file plugin |
| | 48 | 1. enable the plugin through [/admin/general/plugin WebAdmin] or by editing the `[components]` section |
| 48 | 49 | {{{ |
| 49 | 50 | [components] |
| … |
… |
|
| 54 | 55 | #authz_policy.* = enabled |
| 55 | 56 | }}} |
| | 57 | |
| | 58 | |
| 56 | 59 | ==== Usage Notes ==== |
| 57 | 60 | Note that the order in which permission policies are specified is quite critical, |
| … |
… |
|
| 107 | 110 | denied rather than granted. |
| 108 | 111 | |
| 109 | | The username will match any of 'anonymous', |
| 110 | | 'authenticated', <username> or '*', using normal Trac permission rules. |
| | 112 | The username will match any of 'anonymous', 'authenticated', <username> or '*', using normal Trac permission rules. || '''Note:''' Other groups which are created by user (e.g. by 'adding subjects to groups' on web interface page //Admin / Permissions//) cannot be used. See [trac:ticket:5648 #5648] for details about this missing feature || |
| 111 | 113 | |
| 112 | 114 | For example, if the `authz_file` contains: |
| … |
… |
|
| 190 | 192 | |
| 191 | 193 | |
| | 194 | ==== Missing Features ==== |
| | 195 | Although possible with the !DefaultPermissionPolicy handling (see Admin panel), fine-grained permissions still miss those grouping features (see [trac:ticket:9573 #9573], [trac:ticket:5648 #5648]). Patches are partially available, see forgotten authz_policy.2.patch part of [trac:ticket:6680 #6680]). |
| | 196 | |
| | 197 | You cannot do the following: |
| | 198 | {{{ |
| | 199 | [groups] |
| | 200 | team1 = a, b, c |
| | 201 | team2 = d, e, f |
| | 202 | team3 = g, h, i |
| | 203 | departmentA = team1, team2 |
| | 204 | }}} |
| | 205 | |
| | 206 | Permission groups are not supported either. You cannot do the following: |
| | 207 | {{{ |
| | 208 | [groups] |
| | 209 | permission_level_1 = WIKI_VIEW, TICKET_VIEW |
| | 210 | permission_level_2 = permission_level_1, WIKI_MODIFY, TICKET_MODIFY |
| | 211 | [*] |
| | 212 | @team1 = permission_level_1 |
| | 213 | @team2 = permission_level_2 |
| | 214 | @team3 = permission_level_2, TICKET_CREATE |
| | 215 | }}} |
| | 216 | |
| 192 | 217 | === !AuthzSourcePolicy (mod_authz_svn-like permission policy) === #AuthzSourcePolicy |
| 193 | 218 | |
