On Thu, Oct 1, 2009 at 4:38 PM, Peter Dulovits <[email protected]> wrote:
>
> On Thu, 01 Oct 2009 16:34:22 +0200, Erik Bray <[email protected]> wrote:
>
>>
>> On Wed, Sep 30, 2009 at 7:15 PM, Peter Dulovits <[email protected]> wrote:
>>>
>>> On Wed, 30 Sep 2009 22:49:48 +0200, Erik Bray <[email protected]> wrote:
>>>
>>>>
>>>> On Wed, Sep 30, 2009 at 10:19 AM, pamtrac <[email protected]> wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> at first, sorry if this post is off-topic here, since I'm not a trac
>>>>> developer, but only try to develop a plugin for trac and I can't find a
>>>>> better place.
>>>>>
>>>>> I try to develop a plugin that enables trac to look up system groups,
>>>>> when trac tries to get groups of a trac user (to match them with trac
>>>>> permission groups).
>>>>> Unfortunately I'm not very involved in apache-python web development
>>>>> within Trac.
>>>>>
>>>>> Still, I wrote a tiny plugin
>>>>>
>>>>> http://trac-hacks.org/browser/tracsysgroupsplugin/0.11/trunk/sysgroups/sysgroups.py
>>>>>
>>>>> #############code#######
>>>>> import pwd, grp
>>>>>
>>>>> from trac.core import *
>>>>> from trac.config import *
>>>>> from trac.perm import IPermissionGroupProvider
>>>>>
>>>>> __all__ = ['SysGroups']
>>>>>
>>>>> class SysGroups(Component):
>>>>>     implements(IPermissionGroupProvider)
>>>>>
>>>>>     # IPermissionGroupProvider interface method
>>>>>     def get_permission_groups(self, username):
>>>>>         groups = []
>>>>>
>>>>>         for p in grp.getgrall():
>>>>>             if username in p[3]: groups.append(p[0])
>>>>>
>>>>>         self.env.log.debug('sysgroups found for %s = %s' %
>>>>>                            (username, ','.join(groups)))
>>>>>
>>>>>         return groups
>>>>> #############code#######
>>>>>
>>>>> to accomplish lookup of system groups instead of default use the
>>>>> trac.perm.DefaultPermissionGroupProvider.
>>>>> The resulting behavior is really strange (for me). My general basic
>>>>> authentication is done by apache modules
>>>>> mod-auth-pam and mod-auth-sys-groups, this works fine.
>>>>> I have 3 different Trac (0.11.1) projects hosted on an
>>>>> apache 2.2/linux virtual hosts ssl configuration. If I log on as a
>>>>> valid pam user with valid system group after an apache startup,
>>>>> everything seems to work (apache auth, lookup of system groups, trac
>>>>> gives right permissions). But now it comes: if I try to call the
>>>>> second Trac project on the server in my web browser, I will be asked
>>>>> for my credentials again and basic/pam auth works fine, again. But
>>>>> out of a reason I don't understand, my sysgroups plugin doesn't work in
>>>>> trac anymore.
>>>>> I don't arrive on the first site of the selected project, but get this
>>>>> error:
>>>>>
>>>>> Error: Forbidden
>>>>> WIKI_VIEW privileges are required to perform this operation on
>>>>> WikiStart
>>>>>
>>>>> obviously, I haven't got any permissions. (I completely removed anonymous
>>>>> and authenticated in favour of my sysgroups)
>>>>>
>>>>> It seems to me like a server-side problem, because doing any of:
>>>>> - restart browser / try another browser
>>>>> - try another valid user
>>>>> won't help. Only if I restart apache, I can log into any project the
>>>>> first time for one time, but changing project again will show the same
>>>>> behavior (for all valid users). My first idea was that there is some
>>>>> problem with permission caching within the DefaultPermissionStore
>>>>> component, but I can't figure it out. I use different basic realms for
>>>>> all projects and when I change to a second trac project in my
>>>>> web browser, I get asked for my credentials again, apache says "ok" but
>>>>> trac doesn't seem to evaluate user group memberships in this case.
>>>>> If anybody has an idea where to start poking around, I would be
>>>>> happy!
>>>>>
>>>>> Best regards
>>>>>
>>>>> Peter
>>>>
>>>> You still need to add permissions to the groups that you expect your
>>>> user to belong to, regardless of how group membership is determined.
>>>> So if you have an 'admin' group for example, WIKI_VIEW (or any other
>>>> permissions like TRAC_ADMIN) need to be assigned to that group in
>>>> Trac.
>>>>
>>>
>>> Yes, I carefully assigned all the important permissions (Actions) to
>>> my trac groups. So,
>>> trac-admin /var/trac/repositories/neukolln permission list
>>> returns:
>>>
>>> svn_admins  TRAC_ADMIN
>>> svn_devel   DOWNLOADS_VIEW
>>> svn_devel   TICKET_CREATE
>>> svn_devel   svn_neukolln_guests
>>> ...
>>> svn_guests  TAGS_VIEW
>>> svn_guests  TICKET_VIEW
>>> svn_guests  TIMELINE_VIEW
>>> svn_guests  WIKI_VIEW
>>>
>>> The strange thing is, it works the first time I log in on a trac project
>>> after apache restart, but not later on, if I try to log in to a second
>>> project.. as if something gets confused in permission caching, or so.
>>
>> I doubt it has anything to do with the PermissionCache. It only
>> caches a user's permissions in the context of a request. How exactly
>> is your Trac system set up and how is the plugin installed?
>>
>> Also, one small thing I noticed, which should have nothing to do with
>> your actual problem, is that you have an unnecessary "from trac.config
>> import *". There generally shouldn't be any reason to import * from
>> that module, and you're not using anything from it anyways.
>>
> That's true! I simply reused another plugin, so this line remained,
> but I will remove it, soon.
>
> I thought that maybe trac/apache stores a basic-realm/ip/something
> that is persistent for the whole apache online time. Is trac authentication
> really session oriented? If it is, I really would be surprised after what
> I have seen here.. I'm really clueless :(
>
> My plugin is installed in every trac project "plugin" subfolder as py egg.
> The plugin can be trac-browsed at:
>
> http://trac-hacks.org/browser/tracsysgroupsplugin/0.11/trunk/
>
> My apache conf seems to be alright, here is a snip
>
> <VirtualHost 192.168.1.254:443>
>     ServerAdmin [email protected]
>     ServerName svn.testdomain.inc
>     ServerAlias svn
>     SSLEngine on
>     #DocumentRoot /var/www/trac
>
>     <Location />
>         SetHandler mod_python
>         PythonHandler trac.web.modpython_frontend
>         PythonInterpreter main
>         PythonOption TracEnv ""
>         PythonOption PYTHON_EGG_CACHE /tmp
>         PythonOption TracEnvParentDir /var/trac/repositories
>         PythonOption TracUriRoot /
>     </Location>
>
>     <Location "/neukolln">
>         AuthPAM_Enabled On
>         AuthType Basic
>         AuthPAM_FallThrough off
>         AuthGROUP_Enabled on
>         AuthName "Celluloid neukolln web-trac login:"
>         AuthBasicAuthoritative Off
>         Require group svn_admins svn_neukolln_devel svn_neukolln_guests
>         require valid-user
>         AuthUserFile /dev/null
>     </Location>
>
>     <Location "/ruhrpott">
>         AuthPAM_Enabled On
>         AuthType Basic
>         AuthPAM_FallThrough off
>         AuthGROUP_Enabled on
>         AuthName "Celluloid ruhrpott web-trac login:"
>         AuthBasicAuthoritative Off
>         Require group svn_admins svn_ruhrpott_devel svn_ruhrpott_guests
>         require valid-user
>         AuthUserFile /dev/null
>     </Location>
> </VirtualHost>

Do you have any other plugins installed? As far as I can tell this plugin should work, at least by itself.
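
Added example, not part of the thread and not the plugin's own code: the posted plugin matches `username` only against the member lists returned by `grp.getgrall()`, and a user's primary group (the gid in the passwd entry) is normally not listed there. This sketch resolves both kinds of membership; the function name `system_groups`, its injectable lookup parameters and the sample users are assumptions made for the illustration.

```python
import grp
import pwd
from collections import namedtuple


def system_groups(username, getpwnam=pwd.getpwnam, getgrall=grp.getgrall,
                  getgrgid=grp.getgrgid):
    """Return sorted names of all system groups `username` belongs to."""
    try:
        primary_gid = getpwnam(username).pw_gid
    except KeyError:
        return []  # unknown user: grant no group-based permissions
    names = set()
    # Supplementary groups: the member list (gr_mem) names the user.
    for g in getgrall():
        if username in g.gr_mem:
            names.add(g.gr_name)
    # Primary group: recorded in the passwd entry, usually not in gr_mem.
    try:
        names.add(getgrgid(primary_gid).gr_name)
    except KeyError:
        pass  # passwd entry points at a gid that has no group entry
    return sorted(names)


# Constructed sample data standing in for the passwd and group databases.
Passwd = namedtuple("Passwd", "pw_name pw_gid")
Group = namedtuple("Group", "gr_name gr_gid gr_mem")
SAMPLE_USERS = {"alice": Passwd("alice", 2001), "bob": Passwd("bob", 2002)}
SAMPLE_GROUPS = [
    Group("svn_admins", 2001, []),         # alice's primary group
    Group("svn_devel", 2003, ["alice"]),   # alice as supplementary member
    Group("svn_guests", 2002, []),         # bob's primary group
]


def sample_lookup(username):
    """Run system_groups() against the constructed sample data."""
    by_gid = {g.gr_gid: g for g in SAMPLE_GROUPS}
    return system_groups(username,
                         getpwnam=SAMPLE_USERS.__getitem__,
                         getgrall=lambda: SAMPLE_GROUPS,
                         getgrgid=by_gid.__getitem__)


if __name__ == "__main__":
    for user in ("alice", "bob", "no-such-user"):
        print(user, sample_lookup(user))
```

With the sample data, a member-list-only match returns nothing for `bob`, whose only group is his primary one, while `system_groups` returns `svn_guests`.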
