Stephen Moretti wrote:
> On 05/12/2007, Alec Thomas <[EMAIL PROTECTED]> wrote:
>
>> This is due to changes to the plugin. The new behaviour is this:
>>
>>   foo = WIKI_VIEW
>>
>> Will *add* this permission to foo.
>>
>>   foo = !WIKI_VIEW
>>
>> Will *remove* this permission from foo. There is no way that I'm aware
>> of to *set* a list of permissions.
>>

See last paragraph.

>> I personally much preferred the previous behaviour.
>>
>> For your example I believe you now need:
>>
>> [wiki:[EMAIL PROTECTED]
>> @Admin = WIKI_VIEW, WIKI_CREATE, WIKI_MODIFY, WIKI_DELETE
>> @Developer = WIKI_VIEW, WIKI_CREATE, WIKI_MODIFY
>> * = !WIKI_VIEW, !WIKI_CREATE, !WIKI_MODIFY, !WIKI_DELETE
>>
>> etc.
>>

No, it should still work as expected. I have tested the following:

----
[groups]
Admin = me,him,cboos
Developer = other,cboos

[wiki:[EMAIL PROTECTED]
@Admin = WIKI_VIEW, WIKI_CREATE, WIKI_MODIFY, WIKI_DELETE
@Developer = WIKI_VIEW, WIKI_CREATE, WIKI_MODIFY
* =

[wiki:*]
@Admin = WIKI_ADMIN
* = WIKI_VIEW
----

And when logged in as anonymous, I don't have access to e.g. the
TracAdmin page, even though "anonymous" has the WIKI_VIEW permission
granted by the default permission policy.

In the log I see the expected output:

...
[authz_policy] DEBUG: Checking WIKI_VIEW on wiki:[EMAIL PROTECTED]
[authz_policy] DEBUG: wiki:[EMAIL PROTECTED] matched section wiki:[EMAIL PROTECTED]
[perm] DEBUG: AuthzPolicy denies anonymous performing WIKI_VIEW on <Resource u'wiki:TracAdmin'>
...

(the second line of DEBUG only appears when uncommenting the
corresponding debug statement in authz_policy.py)

Maybe you simply short-circuited the AuthzPolicy by listing it /after/
the DefaultPermissionPolicy and that default grants WIKI_VIEW to
anonymous?

I have the following in my trac.ini:

[trac]
permission_policies = AuthzPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy

> Ah ok... Yeah I think I have to agree with you - the old way was much
> better. Default is no rights, only getting the rights you give them.
>

Alec, how's the "default is no rights" different from not listing the
DefaultPermissionPolicy in permission_policies? That way, only the
permissions granted by the AuthzPolicy will be available, effectively
setting a list of permissions. You only have to resort to denying
permissions (e.g. !WIKI_VIEW) when you want to filter out actions on
some specific resources that were granted elsewhere.

-- Christian
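Added example, not part of the message above and not Trac's own code: a simplified Python model of the permission_policies chain, showing why listing AuthzPolicy after DefaultPermissionPolicy short-circuits it and why dropping the default policy gives "default is no rights". The function names and the `wiki:Private*` section pattern (standing in for the pattern redacted on the page) are assumptions.

```python
from fnmatch import fnmatch

# Constructed from the message's authz file. "wiki:Private*" is a placeholder
# for the section pattern that is redacted on the page.
GROUPS = {"Admin": ["me", "him", "cboos"], "Developer": ["other", "cboos"]}
AUTHZ = [
    ("wiki:Private*", [
        ("@Admin", ["WIKI_VIEW", "WIKI_CREATE", "WIKI_MODIFY", "WIKI_DELETE"]),
        ("@Developer", ["WIKI_VIEW", "WIKI_CREATE", "WIKI_MODIFY"]),
        ("*", []),                      # "* =" : nothing granted
    ]),
    ("wiki:*", [("@Admin", ["WIKI_ADMIN"]), ("*", ["WIKI_VIEW"])]),
]

def subject_matches(who, user):
    if who.startswith("@"):
        return user in GROUPS.get(who[1:], [])
    return who in ("*", user)

def authz_policy(user, action, resource):
    """Simplified model (assumption): the first matching section and subject
    decide. Meta-permissions such as WIKI_ADMIN are not expanded here."""
    for pattern, rules in AUTHZ:
        if not fnmatch(resource, pattern):
            continue
        for who, perms in rules:
            if subject_matches(who, user):
                if not perms or "!" + action in perms:
                    return False        # empty list or explicit "!ACTION"
                return True if action in perms else None
    return None                         # no section matched: no opinion

def default_policy(user, action, resource):
    """Stand-in for DefaultPermissionPolicy: WIKI_VIEW granted to anonymous."""
    return True if action == "WIKI_VIEW" else None

def check(policies, user, action, resource):
    """Walk the chain in permission_policies order; the first policy that
    returns True or False wins, and no decision at all means deny."""
    for policy in policies:
        decision = policy(user, action, resource)
        if decision is not None:
            return decision
    return False

def demo():
    args = ("anonymous", "WIKI_VIEW", "wiki:PrivatePage")
    return {"authz_first": check([authz_policy, default_policy], *args),
            "default_first": check([default_policy, authz_policy], *args)}
```
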
