On Wed, Sep 30, 2009 at 10:19 AM, pamtrac <[email protected]> wrote: > > Hello, > > at first, sorry if this post is offtopic here, since I'm not a trac > developer, but only try to develop a plugin for trac and I cant find a > better place. > > I try to develop a plugin that enables trac to lookup system groups, > when trac tries to get groups of a trac user (to match them with trac > permission groups). > Unfortunately I'm not very involved in apache-python web development > within Trac. > > Still, I wrote a tiny plugin > > http://trac-hacks.org/browser/tracsysgroupsplugin/0.11/trunk/sysgroups/sysgroups.py > > #############code####### > import pwd, grp > > from trac.core import * > from trac.config import * > from trac.perm import IPermissionGroupProvider > > __all__ = ['SysGroups'] > > class SysGroups(Component): > implements(IPermissionGroupProvider) > > # IPermissionGroupProvider interface method > def get_permission_groups(self, username): > groups = [] > > for p in grp.getgrall(): > if username in p[3] : groups.append(p[0]) > > self.env.log.debug('sysgroups found for %s = %s' % (username, > ','.join(groups))) > > return groups > #############code####### > > to accomplish lookup of systemgroups instead of default use the > trac.perm.DefaultPermissionGroupProvider. > The resulting behavior is realy strange (for me). My general basic > autentication is done by apache modules > mod-auth-pam and mod-auth-sys-groups, this works fine. I have 3 > different Tac (0.11.1) projects hosted on a > apache 2.2/linux virtual hosts ssl configuration. If I logon as a > valid pam user with valid systemgroup after a apache startup, > everything seems to work (apache auth, lookup of systemgroups, trac > gives right permissions. ). But now it comes : if I try to call the > second Trac project on the server in my webbrowser, I will be asked > vor my credentials again and basic /pam auth works fine, again. But > out of a reason, I dont understand, my sysgroups plugin doesnt work in > trac anymore. > I dont arive on the first site of the selected project, but get this > error : > > Error: Forbidden > WIKI_VIEW privileges are required to perform this operation on > WikiStart > > obviously, I havn't got no permissions. (I completly removed anonymous > and authenticated in favour of my sysgroups) > > It seems to my like a serversided problem, because doing anything of : > - restart browser / try an other browser > - try an other valid user > wont help. Only if I restart apache, I can log into any project the > fist time for one time, but changing project again will show same > behavior (for all valid users). My first idea was, that there is some > problem with permission caching within DefaultPermissionStore > component, but I cant figure it out. I use different basic realms for > all prjects and when I change to a second trac project in my > webbrowser, I get asked for my credential again, apache says "ok" but > trac doesnt seem to evaluate user group memberships in this case. > If anybody has an idea, where to start poking around, I woul be > happy ! > > Best regards > > Peter
You still need to add permissions to the groups that you expect your user to belong to, regardless of how group membership is determined. So if you an 'admin' group for example, WIKI_VIEW (or any other permissions like TRAC_ADMIN) need to be assigned to that group in Trac. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Trac Development" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/trac-dev?hl=en -~----------~----~----~----~------~----~------~--~---
