Hi,
I've been quite bored this weekend, and I've long wanted to see
something like this in Trac.
This patch [1] simply adds an extra facet to permissions: the resource
the permission applies to. By default there is a wildcard (*) resource,
meaning the permission applies to all resources. A resource can be
prefixed with a hyphen to explicitly deny an action on that resource.
The policy is this: from most to least explicit, try deny first, then
allow. A '*' can be used at the end of a resource to perform wildcard
matching.
So permissions of "WIKI_VIEW:Sand*,-San*,*" will allow access to all pages,
including those starting with "Sand", but deny those starting with
"San".
Here's how to see if the user has WIKI_VIEW permissions for a particular
page:

    if req.perm.has_permission('WIKI_VIEW', name): ...

And to see if the user has some form of WIKI_VIEW permissions:

    if req.perm.has_some_permission('WIKI_VIEW'): ...

(useful for the case where you wish to hide an item if the user does not
have a permission).
There's still a fair bit of work to do, obviously, but I'd like to get
feedback on whether this approach looks appropriate.
If you want to try the patch you'll need to alter your permission table,
adding a new column 'resource'.
Alec
[1] http://swapoff.org/files/new-perms.diff
Here's what "trac-admin <env> permission list" looks like:

User       Action          Resources
------------------------------------------------------------------------------------------------------------
anonymous  BROWSER_VIEW    *
anonymous  CHANGESET_VIEW  *
anonymous  FILE_VIEW       *
anonymous  LOG_VIEW        *
anonymous  MILESTONE_VIEW  *
anonymous  REPORT_VIEW     *
anonymous  ROADMAP_VIEW    *
anonymous  SEARCH_VIEW     *
anonymous  TICKET_CREATE   *
anonymous  TICKET_MODIFY   *
anonymous  TICKET_VIEW     *
anonymous  TIMELINE_VIEW   *
anonymous  WIKI_MODIFY     SandBox
anonymous  WIKI_VIEW       HowToContribute,RecentChanges,SandBox,TitleIndex,Trac*,WikiFormatting,WikiStart
--
Evolution: Taking care of those too stupid to take care of themselves.
_______________________________________________
Trac-dev mailing list
[email protected]
http://lists.edgewall.com/mailman/listinfo/trac-dev
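
The matching policy described in the message (most explicit rule first, deny before allow, trailing '*' as a wildcard), sketched as an added example that is not taken from the patch or from Trac. The function names, the ranking of exact names above wildcards and of longer prefixes above shorter ones, and the deny result when nothing matches are assumptions made for this illustration.

```python
# Added illustration, not code from the patch; all names are hypothetical.

def parse_resources(spec):
    """Split a resource list such as 'Sand*,-San*,*' into rules."""
    rules = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        # A leading hyphen marks a deny rule, so a resource whose real
        # name starts with '-' cannot be expressed in this syntax.
        deny = item.startswith("-")
        if deny:
            item = item[1:]
        wildcard = item.endswith("*")
        literal = item[:-1] if wildcard else item
        rules.append((deny, wildcard, literal))
    return rules


def explicitness(rule):
    """Sort key (assumed ordering): exact names outrank wildcards, longer
    prefixes outrank shorter ones, and deny sorts ahead of allow on a tie."""
    deny, wildcard, literal = rule
    return (not wildcard, len(literal), deny)


def is_allowed(spec, resource):
    """Return the verdict of the most explicit rule matching resource."""
    for deny, wildcard, literal in sorted(
            parse_resources(spec), key=explicitness, reverse=True):
        if wildcard:
            matched = resource.startswith(literal)
        else:
            matched = resource == literal
        if matched:
            return not deny
    return False  # assumption: nothing matched means no permission


if __name__ == "__main__":
    spec = "Sand*,-San*,*"  # the WIKI_VIEW example from the message
    for page in ("SandBox", "SanDiego", "WikiStart"):
        print(page, is_allowed(spec, page))
```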