HeX wrote:
> 1.) Combining authz file of svn access and trac access will fail since
> svn won't like ANY part of the Trac specific definitions in the authz
> files and will therefore break.
> -> Solution: two separate authz files, one for the SVN access rules
> and one for the Trac rules, this means actually duplicating the user
> and group definitions, but see 2

This has always been the case AFAIK. Or in other words, it has never been intended that the SVN authz file and the authz file for fine-grained permissions should be merged.

> 2.) AFAICT fine grained permission access
> (tracopt.perm.authz_policy.*=true) is not group aware (see #4224). In
> detail I found out that only anonymous and authenticated are recognised.
> All other groups in the authz file are simply ignored. This makes it
> very hard to use the fine grained permissions in a proper way.

That seems to be the case, yes. The authz_policy module is in need of a rewrite.

> 3.) The worst thing is that Trac will obey none of the svn permissions
> given by the authz file that controls the svn access. Anybody with
> BROWSER_VIEW will now be able to browse the WHOLE source tree
> regardless what the svn authz defines. In my case I had to take away
> BROWSER_VIEW from all anonymous users (very irritating) just because I have
> some private folders in the repo.

That's surprising. Did you set "[trac] authz_file" and "[trac] authz_module_name" correctly in trac.ini? Do you use multiple repositories? Are your repositories named the same in Trac and in the authz file?

> The worrying thing really is that I wasn't aware of problem 3.) and
> only found out by accident. Such a change should have been announced in
> BIG RED letters before the release

AFAIR, there has been no change in the configuration, only in the implementation, so if it was working before, it should still be working now. Except if I broke something, of course :)

> and the inability to assign
> permissions to groups (this worked before via authzgroups plugin)
> should have been a BLOCKER for 0.12.

This has been the case forever, and nobody has stepped up to provide a fix. So if it hasn't been a blocker for previous releases, it wasn't for 0.12 either.

> Maybe I've just done the configuration wrong and all the above items
> can be handled (in that case I'm eager to learn how ;) ).

Not all, but some of it :)

-- Remy
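
A local sanity check for the questions asked in the reply above, as an added example that is not part of the thread or of Trac's own code. It assumes that `authz_module_name` is matched case-sensitively against the `name:` prefix of the section headers in the SVN authz file; the function name, paths and sample files are constructed for illustration.

```python
import configparser
import difflib
import re

EXPECTED = ("authz_file", "authz_module_name")  # option names from the reply
# Constructed sample input (not taken from the thread).
SAMPLE_INI = """[trac]
authz_file = /srv/svn/conf/authz
autz_module_name = ProjectX
"""
SAMPLE_AUTHZ = """[groups]
devs = alice, bob

[ProjectX:/]
* = r

[ProjectX:/private]
@devs = rw
* =
"""

def check_svn_authz_setup(trac_ini_text, authz_text):
    """Return a list of findings; an empty list means all checks passed."""
    ini = configparser.ConfigParser(interpolation=None, strict=False)
    ini.read_string(trac_ini_text)
    trac = dict(ini["trac"]) if ini.has_section("trac") else {}
    findings = []
    # A misspelled key leaves the real option unset, so flag near misses.
    for key in trac:
        near = difflib.get_close_matches(key, EXPECTED, n=1, cutoff=0.8)
        if near and key not in EXPECTED:
            findings.append(f"[trac] {key}: did you mean {near[0]}?")
    if not trac.get("authz_file", "").strip():
        findings.append("[trac] authz_file is not set")
    module = trac.get("authz_module_name", "").strip()
    # SVN authz section headers: [groups], [/path] or [name:/path]
    sections = re.findall(r"^\[([^\]]+)\]\s*$", authz_text, flags=re.M)
    prefixes = {s.split(":", 1)[0] for s in sections if ":" in s}
    if module and module not in prefixes:
        findings.append(
            f"authz_module_name={module!r} matches no section prefix "
            f"(found: {sorted(prefixes)})")
    if not module and prefixes and not any(s.startswith("/") for s in sections):
        findings.append("authz_module_name is empty but every path section is prefixed")
    return findings

if __name__ == "__main__":
    print("\n".join(check_svn_authz_setup(SAMPLE_INI, SAMPLE_AUTHZ)) or "OK")
```

An empty result only says the two files agree on names; whether anonymous users can still browse a private path has to be confirmed in the Trac source browser itself.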