Re: [Trac] Re: Best way of using Trac for multiple customers

2019-09-18 Thread RjOllos


On Friday, September 13, 2019 at 4:17:40 PM UTC-7, RjOllos wrote:
>
> On Fri, Sep 13, 2019 at 4:44 AM Andreas wrote:
>
>> Hello Ryan, 
>>
>> thanks for your hint!
>> I have activated AuthzPolicy on our Trac 1.2.2 environment and the 
>> following part is working as it should:
>>
>> [wiki:testwiki@*]
>>
>> testuser = WIKI_VIEW
>>
>>
>> --> testuser can only see the "testwiki" page, nothing else
>>
>>
>> I was wondering if the realm (?) for milestone would be "milestone", but 
>> it failed:
>>
>>  
>>
>> [milestone:testmilestone@*]
>>
>> testuser = TICKET_CREATE, TICKET_MODIFY, TICKET_VIEW
>>
>>
>> The testuser can still only see that one testwiki page, but cannot 
>> view/edit tickets with milestone "testmilestone".
>>
>> I'm pretty sure that the syntax / realm for milestone is wrong. Can you 
>> help me out here?
>>
>>
>> Thank you!
>>
>>
>> Best regards,
>>
>> Andreas
>>
>
> Using realm 'milestone' will restrict access to a resource in the 
> milestone realm (/milestone).
>
> The ticket page is realm 'ticket'.
>
> To restrict tickets based on permission to view a milestone, you'll need 
> to implement a permission policy. First, restrict access to the milestone 
> using AuthzPolicy, and verify that you can view the milestone. For your 
> example, this will be /milestone/testmilestone, and testmilestone should be 
> visible on the Roadmap page.
>
> Then you need to implement IPermissionPolicy in a component, like the 
> examples described here:
> https://trac.edgewall.org/wiki/CookBook/PermissionPolicies
>
> The logic in check_permission would be something like (untested):
>
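> from trac.resource import ResourceNotFound
> from trac.ticket.model import Ticket
>
> # Method of the component that implements IPermissionPolicy.
> def check_permission(self, action, username, resource, perm):
>     # Only decide TICKET_VIEW requests for a specific ticket.
>     if action == 'TICKET_VIEW' and \
>             resource is not None and \
>             resource.realm == 'ticket' and \
>             resource.id is not None:
>         try:
>             ticket = Ticket(self.env, resource.id)
>         except ResourceNotFound:
>             pass
>         else:
>             # Use the perm argument; req is not available in a policy.
>             if 'MILESTONE_VIEW' in perm('milestone',
>                                         ticket['milestone']):
>                 return True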
>
> - Ryan
>


This policy is now documented in:
https://trac.edgewall.org/wiki/CookBook/PermissionPolicies#RestrictTicketsPerMilestone

- Ryan

-- 
You received this message because you are subscribed to the Google Groups "Trac 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to trac-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/trac-users/f5e16d0b-31df-4623-bb4a-a27a1802fd59%40googlegroups.com.


Re: [Trac] Re: Best way of using Trac for multiple customers

2019-09-13 Thread Ryan Ollos

On Fri, Sep 13, 2019 at 4:44 AM Andreas wrote:

> Hello Ryan,
>
> thanks for your hint!
> I have activated AuthzPolicy on our Trac 1.2.2 environment and the
> following part is working as it should:
>
> [wiki:testwiki@*]
>
> testuser = WIKI_VIEW
>
>
> --> testuser can only see the "testwiki" page, nothing else
>
>
> I was wondering if the realm (?) for milestone would be "milestone", but
> it failed:
>
>
>
> [milestone:testmilestone@*]
>
> testuser = TICKET_CREATE, TICKET_MODIFY, TICKET_VIEW
>
>
> The testuser can still only see that one testwiki page, but cannot
> view/edit tickets with milestone "testmilestone".
>
> I'm pretty sure that the syntax / realm for milestone is wrong. Can you
> help me out here?
>
>
> Thank you!
>
>
> Best regards,
>
> Andreas
>

Using realm 'milestone' will restrict access to a resource in the milestone
realm (/milestone).

The ticket page is realm 'ticket'.

To restrict tickets based on permission to view a milestone, you'll need to
implement a permission policy. First, restrict access to the milestone
using AuthzPolicy, and verify that you can view the milestone. For your
example, this will be /milestone/testmilestone, and testmilestone should be
visible on the Roadmap page.

Then you need to implement IPermissionPolicy in a component, like the
examples described here:
https://trac.edgewall.org/wiki/CookBook/PermissionPolicies

The logic in check_permission would be something like (untested):

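from trac.resource import ResourceNotFound
from trac.ticket.model import Ticket

# Method of the component that implements IPermissionPolicy.
def check_permission(self, action, username, resource, perm):
    # Only decide TICKET_VIEW requests for a specific ticket.
    if action == 'TICKET_VIEW' and \
            resource is not None and \
            resource.realm == 'ticket' and \
            resource.id is not None:
        try:
            ticket = Ticket(self.env, resource.id)
        except ResourceNotFound:
            pass
        else:
            # Use the perm argument; req is not available in a policy.
            if 'MILESTONE_VIEW' in perm('milestone',
                                        ticket['milestone']):
                return True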

- Ryan
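
Added example, not part of the original messages and not Trac code: a simplified Python model of the policy chain discussed above, showing why TICKET_VIEW listed under [milestone:testmilestone@*] never applies to a ticket resource, and how a milestone-based policy placed ahead of the authz rules changes the result. The rule lists, the catch-all section and the ticket-to-milestone table are constructed assumptions.

```python
# Simplified model of Trac's permission-policy chain, not Trac code.
# A policy returns True (allow), False (deny) or None (no decision).

TICKET_MILESTONE = {1: 'testmilestone', 2: 'othermilestone'}  # constructed data

# The attempt from the thread: ticket actions listed under the milestone resource.
ATTEMPT = [(('milestone', 'testmilestone'), {'testuser': {'TICKET_VIEW'}}),
           (('*', '*'), {'testuser': set()})]   # assumed catch-all: nothing else
# The advice from the thread: grant MILESTONE_VIEW on the milestone itself.
ADVISED = [(('milestone', 'testmilestone'), {'testuser': {'MILESTONE_VIEW'}}),
           (('*', '*'), {'testuser': set()})]


def authz_policy(rules):
    """First section that matches realm:id and lists the user decides."""
    def policy(action, user, realm, rid, check):
        for (s_realm, s_id), users in rules:
            if s_realm in ('*', realm) and s_id in ('*', rid) and user in users:
                return action in users[user]
        return None
    return policy


def milestone_policy(action, user, realm, rid, check):
    """The thread's check_permission logic, applied to the model's data."""
    if action == 'TICKET_VIEW' and realm == 'ticket' and rid is not None:
        milestone = TICKET_MILESTONE.get(rid)
        if milestone and check('MILESTONE_VIEW', user, 'milestone', milestone):
            return True
    return None  # no decision: the next policy in the chain is asked


def make_checker(policies):
    """Ask each policy in order; the first non-None answer wins."""
    def check(action, user, realm, rid):
        for policy in policies:
            decision = policy(action, user, realm, rid, check)
            if decision is not None:
                return decision
        return False
    return check


def can_view_ticket(policies, ticket_id):
    return make_checker(policies)('TICKET_VIEW', 'testuser', 'ticket', ticket_id)
```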
