(If you're wondering why I'm spamming so many mails, it's because I'm on
call for the four day weekend :( )

So, anyway. I've uploaded two new patches:

    http://swapoff.org/files/new-perms.diff
    http://swapoff.org/files/new-perms-core.diff

The latter is just the changes to trac-admin and perm.py, while the
former is all modules (hopefully) modified to use the new permission
system. To be specific, I didn't modify any of versioncontrol, as the
authz stuff takes care of that. That being said, VC IPermissionRequester
could be configured to use authz as its backend, and remove all the
existing authz checks. Maybe.

I've added two new permission commands:

    permission grant <user> <action> <resource> [<resource>] [...]   -- Grant the user permission to perform action on a resource
    permission revoke <user> <action> <resource> [<resource>] [...]  -- Revoke users permission to perform action on a resource

The order in which resources are matched is now concretely defined:

    Resources are ordered by ''not'' containing wildcards, then by denial,
    then finally by value.

I added an optional method to IPermissionRequester:

    def match_resource_acl(action, resource, resource_acl):
        """ Determine whether the resource matches the given resource ACL. """

So, for example, the TICKET_* IPermissionRequester uses this to allow
ticket ACLs with ranges: <=N, >=N, <N, >N and N-M.

Some example ACLs:

    User       Action            Resources
    ------------------------------------------------------------------------
    anonymous  TICKET_VIEW       100-105 300-500 >=2900
    anonymous  MILESTONE_VIEW    0.9.*
    anonymous  REPORT_VIEW       1 2 3 4
    anonymous  WIKI_MODIFY       SandBox
    anonymous  WIKI_VIEW         -TracAdmin HowToContribute RecentChanges SandBox TitleIndex WikiFormatting WikiStart Trac*
    anonymous  CONFIG_VIEW       plugins

Without belabouring the obvious, this only allows access to milestones
matching 0.9.*, reports 1 through 4 and tickets in the ranges given, and
the plugins config page.

The WIKI_VIEW rules show the ACL ordering in effect.

-- 
Evolution: Taking care of those too stupid to take care of themselves.
_______________________________________________
Trac-dev mailing list
[email protected]
http://lists.edgewall.com/mailman/listinfo/trac-dev
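
The ordering rule and the ticket range syntax described in the mail above, as an added Python example that is not taken from the linked patches. It assumes a leading `-` marks a denial, that `*` is the only wildcard, and that the first matching entry in sorted order decides (no match denies); `split_entry`, `order_acl`, `match_wiki`, `match_ticket` and `is_allowed` are hypothetical names.

```python
import fnmatch
import re

RANGE_RE = re.compile(r"^(?:(<=|>=|<|>)(\d+)|(\d+)-(\d+)|(\d+))$")

def split_entry(entry):
    """Return (is_denial, pattern). Assumption: '-' prefix means deny."""
    return (True, entry[1:]) if entry.startswith("-") else (False, entry)

def order_acl(entries):
    """Order entries: no wildcard first, then denials, then by value."""
    def key(entry):
        denial, pattern = split_entry(entry)
        return ("*" in pattern, not denial, pattern)
    return sorted(entries, key=key)

def match_wiki(action, resource, resource_acl):
    """Glob match for wiki page names (hypothetical wiki matcher)."""
    return fnmatch.fnmatchcase(resource, resource_acl)

def match_ticket(action, resource, resource_acl):
    """Match a ticket id against N, <=N, >=N, <N, >N or N-M."""
    m = RANGE_RE.match(resource_acl)
    if not m or not str(resource).isdigit():
        return False  # malformed ACL or id never matches (fail closed)
    n, (op, bound, lo, hi, exact) = int(resource), m.groups()
    if op:
        b = int(bound)
        return {"<=": n <= b, ">=": n >= b, "<": n < b, ">": n > b}[op]
    if lo:
        return int(lo) <= n <= int(hi)
    return n == int(exact)

def is_allowed(action, resource, entries, matcher):
    """Assumption: first matching entry in order decides; no match denies."""
    for entry in order_acl(entries):
        denial, pattern = split_entry(entry)
        if matcher(action, resource, pattern):
            return not denial
    return False

# ACLs copied from the table in the mail
WIKI_VIEW = ["-TracAdmin", "HowToContribute", "RecentChanges", "SandBox",
             "TitleIndex", "WikiFormatting", "WikiStart", "Trac*"]
TICKET_VIEW = ["100-105", "300-500", ">=2900"]
```

Because the exact `-TracAdmin` entry sorts ahead of the `Trac*` wildcard, `TracAdmin` is denied while other `Trac*` pages stay visible, regardless of the order in which the entries were granted.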
