- Timestamp: 2021-07-11T14:17:48-07:00 (3 years ago)
- Author: trac
- Comment: --
v4
|
v5
|
|
11 | 11 | == Permission Policies |
12 | 12 | |
13 | | A great diversity of permission policies can be implemented and Trac comes with a few examples. |
| 13 | A great diversity of permission policies can be implemented and Trac comes with a few examples. |
14 | 14 | |
15 | 15 | The active policies are determined by a [TracIni#trac-permission_policies-option configuration setting]: |
… |
… |
|
29 | 29 | |
30 | 30 | Among the optional choices, there is [#AuthzPolicy], a very generic permission policy, based on an Authz-style system. See |
31 | | [trac:source:branches/1.4-stable/tracopt/perm/authz_policy.py authz_policy.py] for details. |
| 31 | [trac:source:branches/1.4-stable/tracopt/perm/authz_policy.py authz_policy.py] for details. |
32 | 32 | |
33 | 33 | Another permission policy [#AuthzSourcePolicy], uses the [http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html path-based authorization] defined by Subversion to enforce permissions on the version control system. |
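Review bot: The svnbook link on line 33 is still `http://`, while this same revision moves the trac-hacks.org link on line 338 to `https://`. If svnbook.red-bean.com is served over HTTPS, change the scheme here and on line 211 in the same pass so that every external reference on the page is treated the same way. The re-added line 31 shows no visible difference from the removed one, so it looks like a whitespace-only change.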
… |
… |
|
94 | 94 | * Sections are checked against the current Trac resource descriptor '''IN ORDER''' of appearance in the configuration file. '''ORDER IS CRITICAL'''. |
95 | 95 | |
96 | | * Once a section matches, the current username is matched against the keys (usernames) of the section, '''IN ORDER'''. |
97 | | * If a key (username) is prefixed with a `@`, it is treated as a group. |
| 96 | * Once a section matches, the current username is matched against the keys (usernames) of the section, '''IN ORDER'''. |
| 97 | * If a key (username) is prefixed with a `@`, it is treated as a group. |
98 | 98 | * If a value (permission) is prefixed with a `!`, the permission is denied rather than granted. |
99 | 99 | |
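Review bot: Line 96 says the username is matched against the section's keys in order, but the visible bullets do not say whether evaluation stops at the first key that matches. Since line 98 allows `!` denials, the result for a user who matches both a `@group` key and a personal key depends on that rule. Suggest adding one sentence after line 98 that states it explicitly, in the same emphasis already used for section ordering on line 94.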
… |
… |
|
118 | 118 | }}} |
119 | 119 | |
120 | | Then: |
| 120 | Then: |
121 | 121 | * All versions of WikiStart will be viewable by everybody, including anonymous |
122 | 122 | * !PrivatePage will be viewable only by john |
… |
… |
|
172 | 172 | john = BROWSER_VIEW, FILE_VIEW |
173 | 173 | |
174 | | # John has BROWSER_VIEW and FILE_VIEW access to all revisions of 'somefile' at trunk/src/some/location only |
| 174 | # John has BROWSER_VIEW and FILE_VIEW access to all revisions of 'somefile' at trunk/src/some/location only |
175 | 175 | [repository:test_repo@*/source:trunk/src/some/location/somefile@*] |
176 | 176 | john = BROWSER_VIEW, FILE_VIEW |
… |
… |
|
208 | 208 | === !AuthzSourcePolicy (`mod_authz_svn`-like permission policy) #AuthzSourcePolicy |
209 | 209 | |
210 | | `AuthzSourcePolicy` can be used for restricting access to the repository. Granular permission control needs a definition file, which is the one used by Subversion's `mod_authz_svn`. |
| 210 | `AuthzSourcePolicy` can be used for restricting access to the repository. Granular permission control needs a definition file, which is the one used by Subversion's `mod_authz_svn`. |
211 | 211 | More information about this file format and about its usage in Subversion is available in the [http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html Path-Based Authorization] section in the Server Configuration chapter of the svn book. |
212 | 212 | |
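Review bot: Line 211 links to the `en/1.7` edition of the svn book, while line 33 links to the `nightly/en` edition of the same Path-Based Authorization section. Readers following the two links may land on different descriptions of the authz file format. Point both at the same edition, preferably the one matching the Subversion versions this Trac branch supports.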
… |
… |
|
251 | 251 | ... |
252 | 252 | [repositories] |
253 | | somemodule.dir = /srv/active/svn/somemodule |
| 253 | somemodule.dir = /srv/active/svn/somemodule |
254 | 254 | }}} |
255 | 255 | |
256 | 256 | where the svn access file, {{{/path/to/svnaccessfile}}}, contains entries such as {{{[somemodule:/some/path]}}}. |
257 | 257 | |
258 | | '''Note:''' Usernames inside the Authz file __must__ be the same as those used inside trac. |
| 258 | '''Note:''' Usernames inside the Authz file __must__ be the same as those used inside trac. |
259 | 259 | |
260 | 260 | Make sure you have ''!AuthzSourcePolicy'' included in the permission_policies list in trac.ini, otherwise the authz permissions file will be ignored. |
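Review bot: Line 260 describes a condition where the access restrictions are not applied ("otherwise the authz permissions file will be ignored"), yet it reads as ordinary prose while the username requirement on line 258 gets a bold `'''Note:'''`. Suggest giving line 260 the same `'''Note:'''` treatment and writing `permission_policies` and `trac.ini` in backticks, as `mod_authz_svn` is on line 210. Minor: line 258 writes "trac" in lower case where the rest of the page uses "Trac".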
… |
… |
|
336 | 336 | ---- |
337 | 337 | See also: TracPermissions, |
338 | | [http://trac-hacks.org/wiki/FineGrainedPageAuthzEditorPlugin FineGrainedPageAuthzEditorPlugin] for a simple editor. |
| 338 | [https://trac-hacks.org/wiki/FineGrainedPageAuthzEditorPlugin FineGrainedPageAuthzEditorPlugin] for a simple editor. |
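Review bot: Line 338 is the only line in this revision whose content visibly changes (`http://trac-hacks.org` to `https://trac-hacks.org`), and the changeset comment is empty. Suggest a comment that names the scheme change and says the remaining hunks are whitespace cleanup, so the link update is not buried among lines that look identical before and after.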