Class AuthzPolicy
object --+
         |
         trac.core.Component --+
                               |
                               AuthzPolicy
Permission policy using an authz-like configuration file.
Refer to the SVN documentation for the syntax of the authz file. Groups are
supported.
As the fine-grained permissions brought by this permission policy are
usually used in combination with the other permission policies (such as the
DefaultPermissionPolicy), there is no need to redefine all the
permissions here. Only additional rights or restrictions should be added.
=== Installation ===
Enabling this policy requires listing it in trac.ini:
{{{
[trac]
permission_policies = AuthzPolicy, DefaultPermissionPolicy
[authz_policy]
authz_file = conf/authzpolicy.conf
}}}
This means that the AuthzPolicy permissions will be checked first, and
only if no rule is found will the DefaultPermissionPolicy be used.
=== Configuration ===
The authzpolicy.conf file is a .ini style configuration file.
Each section of the config is a glob pattern used to match against a
Trac resource descriptor. These descriptors are in the form:
{{{
<realm>:<id>@<version>[/<realm>:<id>@<version> ...]
}}}
Resources are ordered left to right, from parent to child. If any
component is inapplicable, * is substituted. If the version pattern is
not specified explicitly, a pattern matching all versions (@*) is added implicitly.
Example: Match the WikiStart page:
{{{
[wiki:*]
[wiki:WikiStart*]
[wiki:WikiStart@*]
[wiki:WikiStart]
}}}
Example: Match the attachment
wiki:WikiStart@117/attachment/FOO.JPG@* on WikiStart:
{{{
[wiki:*]
[wiki:WikiStart*]
[wiki:WikiStart@*]
[wiki:WikiStart@*/attachment/*]
[wiki:WikiStart@117/attachment/FOO.JPG]
}}}
Sections are checked against the current Trac resource '''IN ORDER''' of
appearance in the configuration file. '''ORDER IS CRITICAL'''.
Once a section matches, the current username is matched, '''IN ORDER''',
against the keys of the section. If a key is prefixed with a @, it is
treated as a group. If a key is prefixed with a !, the permission is
denied rather than granted. The username will match any of 'anonymous',
'authenticated', <username> or '*', using normal Trac permission rules.
Example configuration:
{{{
[groups]
administrators = athomas

[*/attachment:*]
* = WIKI_VIEW, TICKET_VIEW

[wiki:WikiStart@*]
@administrators = WIKI_ADMIN
anonymous = WIKI_VIEW
* = WIKI_VIEW

# Deny access to page templates
[wiki:PageTemplates/*]
* =

# Match everything else
[*]
@administrators = TRAC_ADMIN
anonymous = BROWSER_VIEW, CHANGESET_VIEW, FILE_VIEW, LOG_VIEW,
    MILESTONE_VIEW, POLL_VIEW, REPORT_SQL_VIEW, REPORT_VIEW,
    ROADMAP_VIEW, SEARCH_VIEW, TICKET_CREATE, TICKET_MODIFY,
    TICKET_VIEW, TIMELINE_VIEW,
    WIKI_CREATE, WIKI_MODIFY, WIKI_VIEW

# Give authenticated users some extra permissions
authenticated = REPO_SEARCH, XML_RPC
}}}
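The matching rules above, as an added example that is not Trac's own implementation: the resource descriptor is built from (realm, id, version) tuples, sections are tried in file order with an implicit @* version, and the first key matching the user (anonymous/authenticated/username/*/@group) decides. It assumes the hypothetical names AuthzMatcher and resource_key and a constructed sample policy, and reads a !-prefixed key as the page describes it (the listed actions are denied); None means no rule matched, so the next policy in permission_policies decides.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample policy modelled on the page's example; the indented line is an .ini continuation.
SAMPLE_AUTHZ = """\
[groups]
administrators = athomas
[*/attachment:*]
* = WIKI_VIEW, TICKET_VIEW
[wiki:WikiStart@*]
@administrators = WIKI_ADMIN
* = WIKI_VIEW
[wiki:PageTemplates/*]
* =
[*]
@administrators = TRAC_ADMIN
!guest = TICKET_CREATE
anonymous = WIKI_VIEW, TICKET_VIEW,
            TIMELINE_VIEW
authenticated = REPO_SEARCH, TICKET_CREATE
"""

def resource_key(chain):  # (realm, id, version) tuples, parent first; a None component becomes '*'
    return '/'.join('%s:%s@%s' % tuple('*' if x is None else x for x in p) for p in chain)

class AuthzMatcher:
    def __init__(self, text):
        cfg = configparser.ConfigParser(interpolation=None)
        cfg.optionxform = str             # keep usernames and the '@' / '!' key prefixes as written
        cfg.read_string(text)
        self.groups_by_user = {}          # username -> {'@group', ...}
        for group, members in cfg.items('groups'):
            for m in members.split(','):
                self.groups_by_user.setdefault(m.strip(), set()).add('@' + group)
        self.sections = [(s, list(cfg[s].items())) for s in cfg.sections() if s != 'groups']

    def authz_permissions(self, key, username):
        """First section whose glob matches key, then its first key matching the user; else None."""
        who_ok = ['*', 'anonymous'] if username == 'anonymous' else ['*', 'authenticated', username]
        for glob, entries in self.sections:
            glob = glob if '@' in glob else glob + '@*'   # version omitted: implicit '@*'
            for who, value in entries if fnmatchcase(key, glob) else ():
                if who.lstrip('!') in (*who_ok, *self.groups_by_user.get(username, ())):
                    return who.startswith('!'), [p.strip() for p in value.split(',') if p.strip()]

    def check_permission(self, action, username, chain):
        found = self.authz_permissions(resource_key(chain), username)  # None: no rule, next policy decides
        if found is not None:             # '!' key: the listed actions are denied, all others undecided
            deny, perms = found
            return (False if action in perms else None) if deny else action in perms
```

Note that athomas is denied WIKI_VIEW on WikiStart: the @administrators key matches first and its list, which lacks WIKI_VIEW, decides for the whole section, which is the ORDER IS CRITICAL caveat in practice.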
Methods:
check_permission(self, action, username, resource, perm)
authz_permissions(self, resource_key, username)
__init__(...): x.__init__(...) initializes x; see help(type(x)) for signature (overrides object.__init__; inherited documentation)
Inherited from trac.core.Component: __repr__
Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __str__, __subclasshook__
Class variables:
authz_file = <PathOption [authz_policy] 'authz_file'>
Properties inherited from object: __class__