Hello all, I have a 99% solution to my original query which I'm outlining below for interest/comment (including a potential bug in authzpolicy.conf? see attempted [wiki:*] rule below)
On Nov 19, 8:03 pm, "[EMAIL PROTECTED] seaward" <[EMAIL PROTECTED]> wrote:
> On Nov 19, 6:32 pm, "[EMAIL PROTECTED] seaward" <[EMAIL PROTECTED]> wrote:
>
> > I have installed authz_policy on 0.11dev-r6160 as per
> > http://trac.edgewall.org/wiki/TracDev/SecurityBranch#Testingthefeatures
> > using revision 6139, not the update recently posted to trac-dev.
>
> I have updated to authz_policy revision 6182 which was submitted today ...
>
> > The idea is that
> > 1) Anonymous users can see WikiStart and nothing else.
> > 2) Customers will only get access to wiki pages that begin with their
> > name, e.g. Acme users will only see Acme, Acme/Documentation, Acme/
> > Reports, etc.
> > 3) Developers can see and modify all wiki pages.

Still using revision 6182 I have made a temporary solution for my use-case. It isn't perfect, but will do for now.

I did this by giving the customer group the WIKI_VIEW permission and the developer group the WIKI_ADMIN permission via the Trac web admin interface. Then I used the authzpolicy.conf file (see below) to deny WIKI_VIEW on particular pages for particular groups.

Requirements 1 and 3 are working, but customers still get access to any page not listed in the authzpolicy.conf. For example, an Acme user can't see an Apogee* page, because this is a rule, but could see the page Spam/Eggs because Spam* is not defined. I tried adding a final catchall rule, but this denies access to ALL wiki pages for customer users.
[EMAIL PROTECTED]

1) Attempted catchall rule (should appear after all other authzpolicy.conf
rules and catch any pages not already filtered):

[wiki:*]
@admin = WIKI_ADMIN
@developer = WIKI_ADMIN
* = !WIKI_VIEW

2) authzpolicy.conf

[groups]
admin = alice, bob
developer = alice, bob, claire, damon, ethel, fred
customer = acme1, acme2, apogee1, sierra1, sierra2, sierra3
acme = acme1, acme2, alice, bob
apogee = apogee1, claire, ethel, fred
sierra = sierra1, sierra2, sierra3, alice, damon

# everyone can see the WikiStart page, even before logging in
# (in fact, the /wiki/WikiStart URL will not work if you are not logged in,
# but visiting the Trac front page will display the WikiStart content)
[wiki:[EMAIL PROTECTED]
@admin = WIKI_ADMIN
@developer = WIKI_ADMIN
anonymous = WIKI_VIEW
* = WIKI_VIEW

# developers can see everything, group members are restricted to their
# group pages only (non-group users have their WIKI_VIEW privilege removed)
[wiki:[EMAIL PROTECTED]
@admin = WIKI_ADMIN
@developer = WIKI_ADMIN
@acme = WIKI_VIEW
* = !WIKI_VIEW

[wiki:[EMAIL PROTECTED]
@admin = WIKI_ADMIN
@developer = WIKI_ADMIN
@apogee = WIKI_VIEW
* = !WIKI_VIEW

[wiki:[EMAIL PROTECTED]
@admin = WIKI_ADMIN
@developer = WIKI_ADMIN
@sierra = WIKI_VIEW
* = !WIKI_VIEW

# everyone can access the Reference/* pages
# (in the temporary setup they have the WIKI_VIEW privilege anyway,
# this is just to make it explicit)
[wiki:[EMAIL PROTECTED]
@admin = WIKI_ADMIN
@developer = WIKI_ADMIN
@customer = WIKI_VIEW
* = !WIKI_VIEW

# only developers can access Private/* pages
[wiki:[EMAIL PROTECTED]
@admin = WIKI_ADMIN
@developer = WIKI_ADMIN
* = !WIKI_VIEW

# there is no generic [wiki:*] command that works,
# so the following pages are explicitly protected
# (i.e. the same as Private/* pages)
[wiki:[EMAIL PROTECTED]
@admin = WIKI_ADMIN
@developer = WIKI_ADMIN
* = !WIKI_VIEW

[wiki:[EMAIL PROTECTED]
@admin = WIKI_ADMIN
@developer = WIKI_ADMIN
* = !WIKI_VIEW

[wiki:[EMAIL PROTECTED]
@admin = WIKI_ADMIN
@developer = WIKI_ADMIN
* = !WIKI_VIEW

[wiki:[EMAIL PROTECTED]
@admin = WIKI_ADMIN
@developer = WIKI_ADMIN
* = !WIKI_VIEW

[wiki:[EMAIL PROTECTED]
@admin = WIKI_ADMIN
@developer = WIKI_ADMIN
* = !WIKI_VIEW

[wiki:[EMAIL PROTECTED]
@admin = WIKI_ADMIN
@developer = WIKI_ADMIN
* = !WIKI_VIEW

[wiki:[EMAIL PROTECTED]
@admin = WIKI_ADMIN
@developer = WIKI_ADMIN
* = !WIKI_VIEW

[wiki:[EMAIL PROTECTED]
@admin = WIKI_ADMIN
@developer = WIKI_ADMIN
* = !WIKI_VIEW
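A small Python model of authz_policy's first-match evaluation, added here as an illustration (it is neither the post's code nor Trac's own module, and the section globs WikiStart, Acme*, Apogee*, Sierra* and Private/* are assumed from the comments above): it shows that a page no section covers yields no decision and so falls through to the global WIKI_VIEW the customers were given, which is exactly the gap the post describes. It does not reproduce whatever made the real [wiki:*] catchall deny everything.

```python
from fnmatch import fnmatch

# Groups as given in the post's [groups] section.
GROUPS = {
    'admin': {'alice', 'bob'},
    'developer': {'alice', 'bob', 'claire', 'damon', 'ethel', 'fred'},
    'customer': {'acme1', 'acme2', 'apogee1', 'sierra1', 'sierra2', 'sierra3'},
    'acme': {'acme1', 'acme2', 'alice', 'bob'},
    'apogee': {'apogee1', 'claire', 'ethel', 'fred'},
    'sierra': {'sierra1', 'sierra2', 'sierra3', 'alice', 'damon'},
}
# Sections in file order (authz_policy uses the first match); the globs are
# assumed, since the post's section names were garbled in transit.
DEV = [('@admin', ['WIKI_ADMIN']), ('@developer', ['WIKI_ADMIN'])]
SECTIONS = [
    ('wiki:WikiStart', DEV + [('anonymous', ['WIKI_VIEW']), ('*', ['WIKI_VIEW'])]),
    ('wiki:Acme*', DEV + [('@acme', ['WIKI_VIEW']), ('*', ['!WIKI_VIEW'])]),
    ('wiki:Apogee*', DEV + [('@apogee', ['WIKI_VIEW']), ('*', ['!WIKI_VIEW'])]),
    ('wiki:Sierra*', DEV + [('@sierra', ['WIKI_VIEW']), ('*', ['!WIKI_VIEW'])]),
    ('wiki:Private/*', DEV + [('*', ['!WIKI_VIEW'])]),
]
# The attempted catchall appended last, so the specific sections above still win.
WITH_CATCHALL = SECTIONS + [('wiki:*', DEV + [('*', ['!WIKI_VIEW'])])]
# Simplified meta-permission expansion: WIKI_ADMIN implies the page actions.
META = {'WIKI_ADMIN': {'WIKI_VIEW', 'WIKI_CREATE', 'WIKI_MODIFY', 'WIKI_DELETE'}}

def expand(perms):
    out = set()
    for p in perms:
        out |= {p} | META.get(p, set())
    return out

def check(action, user, page, sections=SECTIONS):
    """True = granted, False = denied, None = no rule matched, in which case
    Trac asks its next policy (the global grants made in the web admin)."""
    key = 'wiki:%s@None' % page            # shape of authz_policy's resource key
    who_ok = {'*', user, 'anonymous' if user == 'anonymous' else 'authenticated'}
    who_ok |= {'@' + g for g, members in GROUPS.items() if user in members}
    for glob, rules in sections:
        if '@' not in glob:
            glob += '@*'
        if not fnmatch(key, glob):
            continue
        for who, perms in rules:           # first rule naming this user or group decides
            if who in who_ok:
                if action in expand(p[1:] for p in perms if p.startswith('!')):
                    return False
                return True if action in expand(p for p in perms if p[0] != '!') else None
    return None
```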
