Ah yes, the spam continues unabated.
Here's a permission policy based on tags. Permissions are specified by
adding special tags to pages or tickets in the form <user>:[-]<perm>
e.g. anonymous:-view, athomas:admin
How cool is that?!?!?!
from trac.core import *
from trac.perm import IPermissionPolicy

class TagPolicy(Component):
    """ Security policy based on tags. """
    implements(IPermissionPolicy)

    def check_permission(self, username, action, resource):
        # A None resource means a global action; tags cannot decide that.
        if resource is None: return None
        if action.startswith('WIKI_') or action.startswith('TICKET_'):
            from tractags.api import TagEngine
            # Split on the first underscore only, so multi-part actions
            # such as TICKET_EDIT_CC do not raise an unpacking error.
            tagspace, permission = action.lower().split('_', 1)
            tags = TagEngine(self.env).get_tags([resource],
                                                tagspaces=[tagspace])
            # <user>:<perm> grants, <user>:-<perm> denies
            ptag = ':'.join((username, permission))
            if ptag in tags:
                return True
            nptag = ':-'.join((username, permission))
            if nptag in tags:
                return False
        # Indifferent: let the next policy decide.
        return None

    def check_some_permission(self, username, action):
        return None
Obviously, if tags are modifiable by anybody with WIKI_MODIFY as they
are at the moment, any user will be able to escalate to WIKI_ADMIN for
that page, but ... still cool :)
I'd probably have to add a TAG_MODIFY permission and explicitly disallow
addition of those tags unless the user has WIKI_ADMIN or something.
On Sun, Apr 16, 2006 at 11:44:13PM +1000, Alec Thomas wrote:
> Okay, I've changed tack yet again after some discussion with Noah on IRC.
>
> http://swapoff.org/files/new-perms.diff
> http://swapoff.org/files/new-perms-core.diff
>
> This patch is much less intrusive, and cleaner. The permission cache
> methods are thus:
>
> def has_permission(self, action, resource=None):
> def has_some_permission(self, action):
> def assert_permission(self, action, resource=None):
> def assert_some_permission(self, action):
> def permissions(self): # TODO Remove the need for this. Only used in templates I believe?
>
> All the resource ACL cruft has been removed. This can now be implemented
> by plugins implementing the newly added IPermissionPolicy interface:
>
> class IPermissionPolicy(Interface):
>     """ An extension point interface for enforcing permission policies.
>     """
>
>     def check_permission(username, action, resource):
>         """ Does the user have permission to perform the given action on the
>         resource? Must return True for allow, False for deny, or None if
>         indifferent. `resource` can be None, indicating that action can be
>         applied to any resource. """
>
>     def check_some_permission(username, action):
>         """ Determine whether the user has any permission to perform action at
>         all. Same return semantics as check_permission() """
>
> The existing IPermissionStore system has been re-implemented on top of
> this interface.
>
> Here's an example IPermissionPolicy implementation that blocks access to
> ticket 666, for obvious reasons:
>
> from trac.core import *
> from trac.perm import IPermissionPolicy
>
> class Deny666(Component):
>     implements(IPermissionPolicy)
>
>     def check_permission(self, username, action, resource):
>         self.env.log.debug("This is the Devil's work")
>         if resource is not None and action.startswith('TICKET_') and \
>            int(resource) == 666:
>             return False
>
>     def check_some_permission(self, username, action):
>         pass
>
> And the configuration required to ensure the policies are applied in
> the correct order:
>
> [interfaces]
> ipermissionpolicy = Deny666,DefaultPermissionPolicy
>
--
Evolution: Taking care of those too stupid to take care of themselves.
_______________________________________________
Trac-dev mailing list
[email protected]
http://lists.edgewall.com/mailman/listinfo/trac-dev
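The following is an added, stand-alone model of the two things this thread describes: the tag-based policy with `<user>:<perm>` / `<user>:-<perm>` tags, and the ordered IPermissionPolicy chain in which the first True/False verdict wins and None defers to the next policy. It is not Trac's or TracTags' code; TagStore, GlobalGrants, PolicyChain and guarded_add_tag are names assumed here for illustration, and the users and pages in demo() are constructed. It also shows the WIKI_MODIFY-to-WIKI_ADMIN escalation the mail warns about and the proposed guard that refuses permission tags unless the caller already holds the space's ADMIN action.

```python
# Added example, not Trac's code: a stand-alone model of the tag-based policy
# and the ordered policy chain from the thread. TagStore, GlobalGrants,
# PolicyChain and guarded_add_tag are names assumed for illustration.

class TagStore:
    """Constructed stand-in for TagEngine: (tagspace, resource) -> set of tags."""
    def __init__(self):
        self._tags = {}
    def get_tags(self, tagspace, resource):
        return self._tags.get((tagspace, str(resource)), set())
    def add_tag(self, tagspace, resource, tag):
        self._tags.setdefault((tagspace, str(resource)), set()).add(tag)

class TagPolicy:
    """Per-resource verdicts from '<user>:<perm>' (allow) / '<user>:-<perm>' (deny) tags."""
    def __init__(self, store):
        self.store = store
    def check_permission(self, username, action, resource):
        if resource is None or not action.startswith(('WIKI_', 'TICKET_')):
            return None
        # First underscore only, so TICKET_EDIT_CC -> ('ticket', 'edit_cc').
        tagspace, permission = action.lower().split('_', 1)
        tags = self.store.get_tags(tagspace, resource)
        if '%s:%s' % (username, permission) in tags:
            return True
        if '%s:-%s' % (username, permission) in tags:
            return False
        return None

class Deny666:
    """The thread's example policy: nobody acts on ticket 666."""
    def check_permission(self, username, action, resource):
        if resource is not None and action.startswith('TICKET_') and str(resource) == '666':
            return False
        return None

class GlobalGrants:
    """Stand-in for the default store: resource-independent grants per user."""
    def __init__(self, grants):
        self.grants = grants
    def check_permission(self, username, action, resource):
        return True if action in self.grants.get(username, ()) else None

class PolicyChain:
    """Ask policies in configured order; first True/False wins, None defers."""
    def __init__(self, policies):
        self.policies = policies
    def check_permission(self, username, action, resource=None):
        for policy in self.policies:
            verdict = policy.check_permission(username, action, resource)
            if verdict is not None:
                return verdict
        return False  # no policy granted it: deny by default

def guarded_add_tag(store, chain, username, tagspace, resource, tag):
    """Store a tag, refusing '<user>:[-]<perm>' tags unless the caller holds
    <TAGSPACE>_ADMIN on that resource (the guard the mail proposes)."""
    if ':' in tag and not chain.check_permission(
            username, tagspace.upper() + '_ADMIN', resource):
        return False
    store.add_tag(tagspace, resource, tag)
    return True

def demo():
    """The behaviours described in the thread, on constructed users and pages."""
    store = TagStore()
    grants = GlobalGrants({'anonymous': {'WIKI_VIEW'},
                           'athomas': {'WIKI_ADMIN', 'WIKI_MODIFY'},
                           'mallory': {'WIKI_MODIFY'}})
    # Same idea as "ipermissionpolicy = Deny666,DefaultPermissionPolicy",
    # with the tag policy consulted before the global grants.
    chain = PolicyChain([Deny666(), TagPolicy(store), grants])
    store.add_tag('wiki', 'SecretPage', 'anonymous:-view')
    return {
        'anon_public': chain.check_permission('anonymous', 'WIKI_VIEW', 'WikiStart'),
        'anon_secret': chain.check_permission('anonymous', 'WIKI_VIEW', 'SecretPage'),
        'ticket_666': chain.check_permission('athomas', 'TICKET_VIEW', 666),
        # Unguarded, this tag would give mallory WIKI_ADMIN on the page.
        'mallory_escalates': guarded_add_tag(store, chain, 'mallory', 'wiki',
                                             'SecretPage', 'mallory:admin'),
        'mallory_admin': chain.check_permission('mallory', 'WIKI_ADMIN', 'SecretPage'),
        'athomas_grants_bob': guarded_add_tag(store, chain, 'athomas', 'wiki',
                                              'SecretPage', 'bob:view'),
        'bob_view': chain.check_permission('bob', 'WIKI_VIEW', 'SecretPage'),
    }
```

Policy order matters exactly as the `[interfaces]` setting in the quoted mail implies: with the tag policy ahead of the global grants, an `anonymous:-view` tag overrides anonymous's global WIKI_VIEW on that one page, while the guard in guarded_add_tag is what stops a WIKI_MODIFY holder from tagging their own way to WIKI_ADMIN.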