On Thu, 01 Oct 2009 16:34:22 +0200, Erik Bray <[email protected]> wrote:
>
> On Wed, Sep 30, 2009 at 7:15 PM, Peter Dulovits <[email protected]> wrote:
>>
>> On Wed, 30 Sep 2009 22:49:48 +0200, Erik Bray <[email protected]> wrote:
>>
>>> On Wed, Sep 30, 2009 at 10:19 AM, pamtrac <[email protected]> wrote:
>>>>
>>>> Hello,
>>>>
>>>> at first, sorry if this post is off-topic here, since I'm not a trac
>>>> developer, but only try to develop a plugin for trac and I can't find a
>>>> better place.
>>>>
>>>> I try to develop a plugin that enables trac to look up system groups,
>>>> when trac tries to get groups of a trac user (to match them with trac
>>>> permission groups).
>>>> Unfortunately I'm not very involved in apache-python web development
>>>> within Trac.
>>>>
>>>> Still, I wrote a tiny plugin
>>>>
>>>> http://trac-hacks.org/browser/tracsysgroupsplugin/0.11/trunk/sysgroups/sysgroups.py
>>>>
>>>> #############code#######
>>>> import pwd, grp
>>>>
>>>> from trac.core import *
>>>> from trac.config import *
>>>> from trac.perm import IPermissionGroupProvider
>>>>
>>>> __all__ = ['SysGroups']
>>>>
>>>> class SysGroups(Component):
>>>>     implements(IPermissionGroupProvider)
>>>>
>>>>     # IPermissionGroupProvider interface method
>>>>     def get_permission_groups(self, username):
>>>>         groups = []
>>>>
>>>>         for p in grp.getgrall():
>>>>             if username in p[3] : groups.append(p[0])
>>>>
>>>>         self.env.log.debug('sysgroups found for %s = %s' %
>>>>                            (username, ','.join(groups)))
>>>>
>>>>         return groups
>>>> #############code#######
>>>>
>>>> to accomplish lookup of system groups instead of the default use of
>>>> trac.perm.DefaultPermissionGroupProvider.
>>>> The resulting behavior is really strange (for me). My general basic
>>>> authentication is done by apache modules
>>>> mod-auth-pam and mod-auth-sys-groups, this works fine. I have 3
>>>> different Trac (0.11.1) projects hosted on an
>>>> apache 2.2/linux virtual hosts ssl configuration.
>>>> If I log on as a valid pam user with a valid system group after an apache
>>>> startup, everything seems to work (apache auth, lookup of system groups,
>>>> trac gives right permissions). But now it comes: if I try to call the
>>>> second Trac project on the server in my web browser, I will be asked
>>>> for my credentials again and basic/pam auth works fine, again. But
>>>> for a reason I don't understand, my sysgroups plugin doesn't work in
>>>> trac anymore.
>>>> I don't arrive on the first site of the selected project, but get this
>>>> error:
>>>>
>>>> Error: Forbidden
>>>> WIKI_VIEW privileges are required to perform this operation on
>>>> WikiStart
>>>>
>>>> Obviously, I haven't got any permissions. (I completely removed anonymous
>>>> and authenticated in favour of my sysgroups)
>>>>
>>>> It seems to me like a server-side problem, because doing any of:
>>>> - restart browser / try another browser
>>>> - try another valid user
>>>> won't help. Only if I restart apache, I can log into any project the
>>>> first time for one time, but changing project again will show the same
>>>> behavior (for all valid users). My first idea was that there is some
>>>> problem with permission caching within the DefaultPermissionStore
>>>> component, but I can't figure it out. I use different basic realms for
>>>> all projects and when I change to a second trac project in my
>>>> web browser, I get asked for my credentials again, apache says "ok" but
>>>> trac doesn't seem to evaluate user group memberships in this case.
>>>> If anybody has an idea where to start poking around, I would be
>>>> happy!
>>>>
>>>> Best regards
>>>>
>>>> Peter
>>>
>>> You still need to add permissions to the groups that you expect your
>>> user to belong to, regardless of how group membership is determined.
>>> So if you have an 'admin' group for example, WIKI_VIEW (or any other
>>> permissions like TRAC_ADMIN) need to be assigned to that group in
>>> Trac.
>>>
>>
>> Yes, I carefully assigned all the important permissions (Actions) to
>> my trac groups. So,
>> trac-admin /var/trac/repositories/neukolln permission list
>> returns :
>>
>> svn_admins TRAC_ADMIN
>> svn_devel DOWNLOADS_VIEW
>> svn_devel TICKET_CREATE
>> svn_devel svn_neukolln_guests
>> ...
>> svn_guests TAGS_VIEW
>> svn_guests TICKET_VIEW
>> svn_guests TIMELINE_VIEW
>> svn_guests WIKI_VIEW
>>
>> The strange thing is, it works the first time I log in on a trac project
>> after apache restart, but not later on, if I try to log in to a second
>> project, as if something gets confused in permission caching, or so.
>
> I doubt it has anything to do with the PermissionCache. It only
> caches a user's permissions in the context of a request. How exactly
> is your Trac system set up and how is the plugin installed?
>
> Also, one small thing I noticed, which should have nothing to do with
> your actual problem, is that you have an unnecessary "from trac.config
> import *". There generally shouldn't be any reason to import * from
> that module, and you're not using anything from it anyways.
>

That's true! I simply reused another plugin, so this line remained, but I
will remove it soon. I thought that maybe trac/apache stores a
basic-realm/ip/something that is persistent for the whole apache online time.
Is trac authentication really session oriented? If it is, I really would be
surprised after what I have seen here. I'm really clueless :(

My plugin is installed in every trac project "plugin" subfolder as a py egg.
The plugin can be trac-browsed at:
http://trac-hacks.org/browser/tracsysgroupsplugin/0.11/trunk/

My apache conf seems to be alright, here is a snip

<VirtualHost 192.168.1.254:443>
    ServerAdmin [email protected]
    ServerName svn.testdomain.inc
    ServerAlias svn
    SSLEngine on
    #DocumentRoot /var/www/trac

    <Location />
        SetHandler mod_python
        PythonHandler trac.web.modpython_frontend
        PythonInterpreter main
        PythonOption TracEnv ""
        PythonOption PYTHON_EGG_CACHE /tmp
        PythonOption TracEnvParentDir /var/trac/repositories
        PythonOption TracUriRoot /
    </Location>

    <Location "/neukolln">
        AuthPAM_Enabled On
        AuthType Basic
        AuthPAM_FallThrough off
        AuthGROUP_Enabled on
        AuthName "Celluloid neukolln web-trac login:"
        AuthBasicAuthoritative Off
        Require group svn_admins svn_neukolln_devel svn_neukolln_guests
        require valid-user
        AuthUserFile /dev/null
    </Location>

    <Location "/ruhrpott">
        AuthPAM_Enabled On
        AuthType Basic
        AuthPAM_FallThrough off
        AuthGROUP_Enabled on
        AuthName "Celluloid ruhrpott web-trac login:"
        AuthBasicAuthoritative Off
        Require group svn_admins svn_ruhrpott_devel svn_ruhrpott_guests
        require valid-user
        AuthUserFile /dev/null
    </Location>
</VirtualHost>
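
The group lookup discussed in this thread and the way its result meets a permission table like the one listed above, as an added example (not the plugin's or Trac's own code). It goes beyond the posted plugin by also counting the user's primary group, which a group's member list usually omits; the sample users, groups and rows are constructed, and the expansion is a simplified model in which a lower-case entry names a group.

```python
from collections import namedtuple

Group = namedtuple("Group", "gr_name gr_gid gr_mem")
User = namedtuple("User", "pw_name pw_gid")

# Constructed stand-ins for grp.getgrall() / pwd.getpwnam() so this runs offline.
SAMPLE_GROUPS = [
    Group("svn_admins", 2001, ["alice"]),
    Group("svn_devel", 2002, ["bob"]),
    Group("svn_guests", 2003, []),   # carol's primary group: member list is empty
]
SAMPLE_USERS = {"alice": User("alice", 100), "bob": User("bob", 100),
                "carol": User("carol", 2003)}

# Constructed (subject, action) rows in the shape of `permission list` output;
# a lower-case "action" means the subject belongs to that group.
SAMPLE_PERMS = [
    ("svn_admins", "TRAC_ADMIN"),
    ("svn_devel", "TICKET_CREATE"),
    ("svn_devel", "svn_guests"),
    ("svn_guests", "WIKI_VIEW"),
    ("svn_guests", "TICKET_VIEW"),
]

def system_groups(username, groups=SAMPLE_GROUPS, users=SAMPLE_USERS):
    """Supplementary groups (gr_mem) plus the user's primary group (pw_gid)."""
    user = users.get(username)
    if user is None:
        return []                    # unknown user: no groups, fail closed
    return sorted({g.gr_name for g in groups
                   if username in g.gr_mem or g.gr_gid == user.pw_gid})

def effective_actions(username, perms=SAMPLE_PERMS):
    """Expand group membership transitively, then collect upper-case actions."""
    subjects = {username} | set(system_groups(username))
    actions, changed = set(), True
    while changed:
        changed = False
        for subject, action in perms:
            if subject not in subjects:
                continue
            if action.isupper():
                actions.add(action)
            elif action not in subjects:
                subjects.add(action)  # nested group: rescan the table
                changed = True
    return actions
```

A user whose groups resolve to nothing ends up with an empty action set, which is the state behind the "WIKI_VIEW privileges are required" error once anonymous and authenticated have been stripped of permissions.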
