On Wed, 30 Sep 2009 22:49:48 +0200, Erik Bray <[email protected]> wrote:
>
> On Wed, Sep 30, 2009 at 10:19 AM, pamtrac <[email protected]> wrote:
>>
>> Hello,
>>
>> at first, sorry if this post is offtopic here, since I'm not a trac
>> developer, but only try to develop a plugin for trac and I can't find a
>> better place.
>>
>> I try to develop a plugin that enables trac to lookup system groups,
>> when trac tries to get groups of a trac user (to match them with trac
>> permission groups).
>> Unfortunately I'm not very involved in apache-python web development
>> within Trac.
>>
>> Still, I wrote a tiny plugin
>>
>> http://trac-hacks.org/browser/tracsysgroupsplugin/0.11/trunk/sysgroups/sysgroups.py
>>
>> #############code#######
>> import pwd, grp
>>
>> from trac.core import *
>> from trac.config import *
>> from trac.perm import IPermissionGroupProvider
>>
>> __all__ = ['SysGroups']
>>
>> class SysGroups(Component):
>>     implements(IPermissionGroupProvider)
>>
>>     # IPermissionGroupProvider interface method
>>     def get_permission_groups(self, username):
>>         groups = []
>>
>>         for p in grp.getgrall():
>>             if username in p[3] : groups.append(p[0])
>>
>>         self.env.log.debug('sysgroups found for %s = %s' %
>>                            (username, ','.join(groups)))
>>
>>         return groups
>> #############code#######
>>
>> to accomplish lookup of system groups instead of default use of the
>> trac.perm.DefaultPermissionGroupProvider.
>> The resulting behavior is really strange (for me). My general basic
>> authentication is done by apache modules
>> mod-auth-pam and mod-auth-sys-groups, this works fine. I have 3
>> different Trac (0.11.1) projects hosted on an
>> apache 2.2/linux virtual hosts ssl configuration. If I log on as a
>> valid pam user with valid system group after an apache startup,
>> everything seems to work (apache auth, lookup of system groups, trac
>> gives right permissions). But now it comes: if I try to call the
>> second Trac project on the server in my web browser, I will be asked
>> for my credentials again and basic/pam auth works fine, again. But
>> for a reason I don't understand, my sysgroups plugin doesn't work in
>> trac anymore.
>> I don't arrive on the first site of the selected project, but get this
>> error:
>>
>> Error: Forbidden
>> WIKI_VIEW privileges are required to perform this operation on
>> WikiStart
>>
>> obviously, I haven't got any permissions. (I completely removed anonymous
>> and authenticated in favour of my sysgroups)
>>
>> It seems to me like a server-side problem, because doing any of:
>> - restart browser / try another browser
>> - try another valid user
>> won't help. Only if I restart apache, I can log into any project the
>> first time for one time, but changing project again will show the same
>> behavior (for all valid users). My first idea was that there is some
>> problem with permission caching within the DefaultPermissionStore
>> component, but I can't figure it out. I use different basic realms for
>> all projects and when I change to a second trac project in my
>> web browser, I get asked for my credentials again, apache says "ok" but
>> trac doesn't seem to evaluate user group memberships in this case.
>> If anybody has an idea where to start poking around, I would be
>> happy!
>>
>> Best regards
>>
>> Peter
>
> You still need to add permissions to the groups that you expect your
> user to belong to, regardless of how group membership is determined.
> So if you have an 'admin' group for example, WIKI_VIEW (or any other
> permissions like TRAC_ADMIN) need to be assigned to that group in
> Trac.
>

Yes, I carefully assigned all the important permissions (Actions) to my
trac groups.

So,
trac-admin /var/trac/repositories/neukolln permission list
returns:

svn_admins  TRAC_ADMIN
svn_devel   DOWNLOADS_VIEW
svn_devel   TICKET_CREATE
svn_devel   svn_neukolln_guests
...
svn_guests  TAGS_VIEW
svn_guests  TICKET_VIEW
svn_guests  TIMELINE_VIEW
svn_guests  WIKI_VIEW

The strange thing is, it works the first time I log in on a trac project
after apache restart, but not later on, if I try to log in to a second
project, as if something gets confused in permission caching, or so.
