Jesse Kempf wrote:
Hi,
Some of you may know me as the programmer who brought you such hacks as
the AuthzWebadminPlugin and WikiRBAC patch, both up on TracHacks.
Alternately, I'm the sardonic did-you-read-the-documentation person
known as thepuffy in #trac.
I've been talking with cmlenz a bit about redoing Trac's permission
system after I decided that the scope of my next project would be too
grand to leave as a TracHack.
Trac is catching on enough in hierarchically-organized environments
(read: Enterprises) that an increasing number of discussions are
occurring about the ability to restrict access to tickets and wiki pages,
and so forth. Trac doesn't provide anything more than a minimal
authorization model that gives all-or-nothing authorization.
I propose to work on the next-generation permissions and authorization
system for Trac that will sit between the B1 and B2 levels set forth by
the DOD Orange Book. This will encompass all levels of Trac. Some
features I'm looking to implement are:
* Mandatory Access Control (per-entity ACLs, enforced at the data access layer)
* Role-Based Access Control (RBAC)
* Label-Based access control (LBAC) (confidential, critical, secret, top secret, etc)
* SecureComponents (trac.core.Components that can not be trivially subverted by Python's lack of serious access control)
* SecurityAdministrator role
* Event auditing and notification

I plan on getting LBAC and SecureComponents functioning first. I have my
own Subversion repository, but I'd like access to the sandbox in order to make
my changes public and stay synced with Trac's main source tree.

You should perhaps first try to make a synthesis of the existing requests already made:
* http://projects.edgewall.com/trac/ticket/834
* http://projects.edgewall.com/trac/ticket/654 (on which you commented already)
* http://projects.edgewall.com/trac/ticket/1979
* probably others

There have also been various discussions on the Trac ML which might be of interest.

And then, make a proposal about how you'd like to approach the problem.

-- Christian