On Wed, Sep 30, 2009 at 7:15 PM, Peter Dulovits <[email protected]> wrote:
>
> On Wed, 30 Sep 2009 22:49:48 +0200, Erik Bray <[email protected]> wrote:
>
>>
>> On Wed, Sep 30, 2009 at 10:19 AM, pamtrac <[email protected]> wrote:
>>>
>>> Hello,
>>>
>>> at first, sorry if this post is off-topic here, since I'm not a Trac
>>> developer, but only try to develop a plugin for Trac and I can't find a
>>> better place.
>>>
>>> I try to develop a plugin that enables Trac to look up system groups
>>> when Trac tries to get the groups of a Trac user (to match them with Trac
>>> permission groups).
>>> Unfortunately I'm not very involved in apache-python web development
>>> within Trac.
>>>
>>> Still, I wrote a tiny plugin
>>>
>>> http://trac-hacks.org/browser/tracsysgroupsplugin/0.11/trunk/sysgroups/sysgroups.py
>>>
>>> #############code#######
>>> import pwd, grp
>>>
>>> from trac.core import *
>>> from trac.config import *
>>> from trac.perm import IPermissionGroupProvider
>>>
>>> __all__ = ['SysGroups']
>>>
>>> class SysGroups(Component):
>>>     implements(IPermissionGroupProvider)
>>>
>>>     # IPermissionGroupProvider interface method
>>>     def get_permission_groups(self, username):
>>>         groups = []
>>>
>>>         # p[0] is the group name, p[3] the list of member user names
>>>         for p in grp.getgrall():
>>>             if username in p[3]:
>>>                 groups.append(p[0])
>>>
>>>         self.env.log.debug('sysgroups found for %s = %s' %
>>>                            (username, ','.join(groups)))
>>>
>>>         return groups
>>> #############code#######
>>>
>>> to accomplish lookup of system groups instead of the default use of the
>>> trac.perm.DefaultPermissionGroupProvider.
>>> The resulting behavior is really strange (for me). My general basic
>>> authentication is done by apache modules
>>> mod-auth-pam and mod-auth-sys-groups, this works fine. I have 3
>>> different Trac (0.11.1) projects hosted on an
>>> apache 2.2/linux virtual hosts ssl configuration.
>>> If I log on as a valid pam user with a valid system group after an
>>> apache startup, everything seems to work (apache auth, lookup of
>>> system groups, trac gives the right permissions). But now it comes: if
>>> I try to call the second Trac project on the server in my web browser,
>>> I will be asked for my credentials again and basic/pam auth works fine,
>>> again. But for a reason I don't understand, my sysgroups plugin doesn't
>>> work in trac anymore.
>>> I don't arrive on the first site of the selected project, but get this
>>> error:
>>>
>>> Error: Forbidden
>>> WIKI_VIEW privileges are required to perform this operation on
>>> WikiStart
>>>
>>> obviously, I haven't got any permissions. (I completely removed anonymous
>>> and authenticated in favour of my sysgroups)
>>>
>>> It seems to me like a server-side problem, because doing any of:
>>> - restart browser / try another browser
>>> - try another valid user
>>> won't help. Only if I restart apache, I can log into any project the
>>> first time for one time, but changing project again will show the same
>>> behavior (for all valid users). My first idea was that there is some
>>> problem with permission caching within the DefaultPermissionStore
>>> component, but I can't figure it out. I use different basic realms for
>>> all projects and when I change to a second trac project in my
>>> web browser, I get asked for my credentials again, apache says "ok" but
>>> trac doesn't seem to evaluate user group memberships in this case.
>>> If anybody has an idea where to start poking around, I would be
>>> happy!
>>>
>>> Best regards
>>>
>>> Peter
>>
>> You still need to add permissions to the groups that you expect your
>> user to belong to, regardless of how group membership is determined.
>> So if you have an 'admin' group for example, WIKI_VIEW (or any other
>> permissions like TRAC_ADMIN) need to be assigned to that group in
>> Trac.
>>
>
> Yes, I carefully assigned all the important permissions (Actions) to
> my trac groups. So,
> trac-admin /var/trac/repositories/neukolln permission list
> returns:
>
> svn_admins    TRAC_ADMIN
> svn_devel     DOWNLOADS_VIEW
> svn_devel     TICKET_CREATE
> svn_devel     svn_neukolln_guests
> ...
> svn_guests    TAGS_VIEW
> svn_guests    TICKET_VIEW
> svn_guests    TIMELINE_VIEW
> svn_guests    WIKI_VIEW
>
> The strange thing is, it works the first time I log in on a trac project
> after an apache restart, but not later on, if I try to log in to a second
> project... as if something gets confused in permission caching, or so.

I doubt it has anything to do with the PermissionCache. It only caches
a user's permissions in the context of a request. How exactly is your
Trac system set up and how is the plugin installed?

Also, one small thing I noticed, which should have nothing to do with
your actual problem, is that you have an unnecessary "from trac.config
import *". There generally shouldn't be any reason to import * from
that module, and you're not using anything from it anyways.
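
The two stages discussed in this thread (the group provider resolving a user's groups, then the permission table turning those groups into actions) can be modelled as below; this is an added example, not part of the thread and not Trac's own code. It shows that an empty group list from the provider yields no actions at all, which is the "WIKI_VIEW privileges are required" symptom, and it goes beyond the posted plugin by also resolving the primary group. The names `system_groups` and `effective_actions`, the sample `GROUPS`/`PASSWD` entries and the users are assumptions, the rule that upper-case values are actions is a simplification, and meta-permissions such as TRAC_ADMIN are not expanded.

```python
import grp
import pwd

# Rows shown in the "permission list" output quoted above (elided rows omitted).
TABLE = [
    ("svn_admins", "TRAC_ADMIN"), ("svn_devel", "DOWNLOADS_VIEW"),
    ("svn_devel", "TICKET_CREATE"), ("svn_devel", "svn_neukolln_guests"),
    ("svn_guests", "TAGS_VIEW"), ("svn_guests", "TICKET_VIEW"),
    ("svn_guests", "TIMELINE_VIEW"), ("svn_guests", "WIKI_VIEW"),
]
# Constructed sample databases in grp/pwd tuple layout (not from the thread).
GROUPS = [("svn_guests", "x", 2001, ["alice"]), ("svn_devel", "x", 2002, ["bob"]),
          ("svn_admins", "x", 2003, [])]
PASSWD = [("alice", "x", 1001, 100, "", "/home/alice", "/bin/sh"),
          ("carol", "x", 1003, 2003, "", "/home/carol", "/bin/sh")]

def system_groups(username, group_db=None, passwd_db=None):
    """Group names for a user: gr_mem scan (as in the plugin) plus primary group."""
    group_db = grp.getgrall() if group_db is None else group_db
    passwd_db = pwd.getpwall() if passwd_db is None else passwd_db
    names = {g[0] for g in group_db if username in g[3]}
    gid_to_name = {g[2]: g[0] for g in group_db}
    for p in passwd_db:
        # The primary group is recorded in the passwd entry and is usually
        # absent from gr_mem, so a gr_mem-only scan misses it.
        if p[0] == username and p[3] in gid_to_name:
            names.add(gid_to_name[p[3]])
    return sorted(names)

def effective_actions(username, groups, table):
    """Expand (subject, value) rows: upper-case values are actions, others are groups."""
    pending, seen, actions = [username, *groups], set(), set()
    while pending:
        subject = pending.pop()
        if subject in seen:          # guards against group cycles
            continue
        seen.add(subject)
        for row_subject, value in table:
            if row_subject == subject:
                if value.isupper():
                    actions.add(value)
                else:
                    pending.append(value)
    return actions

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        found = system_groups(user, GROUPS, PASSWD)
        print(user, found, sorted(effective_actions(user, found, TABLE)))
```

Logging the provider's return value per request, as the plugin's debug line already does, tells which of the two stages produced the empty result.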
