Hi,

I think the first phase of the security branch is ready for integration into trunk. Some documentation is here:

  http://trac.edgewall.org/wiki/TracDev/SecurityBranch

Diff against last merged trunk (5420):

  http://trac.edgewall.org/changeset?new=5421&new_path=sandbox%2Fpycon%2Fsecurity&old=5420&old_path=trunk

A brief overview:

- Add an interface (IPermissionPolicy) for checking a user's permission to access Trac resources.
- Convert the current permission system to a plugin (DefaultPermissionPolicy).
- Modify PermissionCache to cache the fine-grained policy check results (still needs some cleanup).
- Convert each module to use fine-grained permissions.
- API is backwards compatible.
- Changes are minimal and largely localised to the permission system.
- Security policies can be "stacked".
- Adheres to the existing system of having an opt-in security policy. What this means is that the security policy is enforced in the Trac user interface.
- Does *NOT* introduce a method of mapping Trac objects (e.g. WikiPage object) to contexts (and thereby using resources directly with the permission system). This would entail more intrusive changes, which I wanted to avoid. If such a mechanism is introduced later, it can easily be added.

Note: So far only the Wiki module has been converted to use the new system. I'll continue converting modules once the new system is in trunk.

A sample policy that uses an authz-style configuration is available here:

  http://trac.edgewall.org/browser/sandbox/pycon/security/sample-plugins/authz_policy.py

An example configuration file is here:

  http://swapoff.org/files/authzpolicy.conf

Note: The plugin still has some issues with rule ordering that need to be worked out.

Example code using the new system:

  # Backwards compatibility
  'WIKI_VIEW' in perm

  # Check for permission in "context" (resource identifier)
  'WIKI_VIEW' in perm(context)

  # Check for permission in a particular "realm"
  'WIKI_VIEW' in perm('wiki')

  # Check for permission on a particular object in a realm
  'WIKI_VIEW' in perm('wiki', 'WikiStart')

  # Check for permission on a particular version of an object in a realm
  'WIKI_VIEW' in perm('wiki', 'WikiStart', 31)

Feedback welcome.

Alec
--
Evolution: Taking care of those too stupid to take care of themselves.
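The following is an added, self-contained sketch of the design the message describes (a stackable IPermissionPolicy interface, the legacy checks wrapped as DefaultPermissionPolicy, an authz-style resource-scoped policy, and a PermissionCache that is callable to narrow a check to a realm/object/version). It is not Trac's code and not the code in the linked sandbox branch; the method name `check_permission`, the grant/deny/no-opinion return convention, the "first policy with an opinion wins" stacking rule, the `AuthzPolicy` rule tuple format and the constructed sample users and pages are all assumptions made for this example.

```python
"""Added example of a stacked, resource-aware permission check.

Illustrative only, NOT Trac's implementation: the interface method name,
the True/False/None return convention, the stacking rule and the authz
rule format are assumptions made for this example.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# A resource is (realm, id, version); None means "unspecified", so
# ('wiki', None, None) is the whole realm and ('wiki', 'WikiStart', None)
# is every version of one page.
Resource = Tuple[Optional[str], Optional[str], Optional[int]]


class IPermissionPolicy:
    """Assumed interface: True grants, False denies, None = no opinion
    (defer to the next policy in the stack)."""

    def check_permission(self, username: str, action: str,
                         resource: Resource) -> Optional[bool]:
        raise NotImplementedError


class DefaultPermissionPolicy(IPermissionPolicy):
    """The coarse-grained, resource-agnostic legacy grants wrapped as a
    policy. Grants are username -> set of actions. It never denies
    explicitly, so a stacked policy ahead of it can still refuse access."""

    def __init__(self, grants: Dict[str, Set[str]]):
        self.grants = grants

    def check_permission(self, username, action, resource):
        return True if action in self.grants.get(username, set()) else None


class AuthzPolicy(IPermissionPolicy):
    """Authz-style rules scoped to a realm and optionally one object.
    Each rule is (realm, id_or_None, subject, allowed_actions); subject
    '*' matches any user. Rules are evaluated in list order and the FIRST
    matching rule decides, so specific subjects must precede '*' rules."""

    def __init__(self, rules: List[Tuple[Optional[str], Optional[str], str, Set[str]]]):
        self.rules = rules

    def check_permission(self, username, action, resource):
        realm, rid, _version = resource
        if realm is None:
            return None  # nothing to scope a rule to; leave it to the stack
        for rule_realm, rule_id, subject, allowed in self.rules:
            if rule_realm != realm:
                continue
            if rule_id is not None and rule_id != rid:
                continue
            if subject not in ('*', username):
                continue
            return action in allowed  # explicit grant or explicit deny
        return None


class PermissionCache:
    """Per-request cache of policy decisions. Calling it returns a view
    narrowed to a resource; all views share one decision cache keyed on
    (action, resource)."""

    def __init__(self, policies: Iterable[IPermissionPolicy], username: str,
                 resource: Resource = (None, None, None), cache=None):
        self.policies = list(policies)
        self.username = username
        self.resource = resource
        self._cache = {} if cache is None else cache

    def __call__(self, realm=None, id=None, version=None):
        return PermissionCache(self.policies, self.username,
                               (realm, id, version), self._cache)

    def has_permission(self, action: str) -> bool:
        key = (action, self.resource)
        if key not in self._cache:
            decision = None
            for policy in self.policies:
                decision = policy.check_permission(self.username, action, self.resource)
                if decision is not None:
                    break
            self._cache[key] = bool(decision)  # no opinion anywhere means denied
        return self._cache[key]

    __contains__ = has_permission  # enables the `'WIKI_VIEW' in perm(...)` idiom


def build_perm(username: str) -> PermissionCache:
    """Constructed sample stack: authz rules first, legacy grants as fallback."""
    authz = AuthzPolicy([
        ('wiki', 'PrivatePage', 'alice', {'WIKI_VIEW', 'WIKI_MODIFY'}),
        ('wiki', 'PrivatePage', '*', set()),        # deny everyone else
        ('wiki', 'ReadOnlyPage', '*', {'WIKI_VIEW'}),
    ])
    default = DefaultPermissionPolicy({
        'alice': {'WIKI_VIEW', 'WIKI_MODIFY'},
        'bob': {'WIKI_VIEW'},
    })
    return PermissionCache([authz, default], username)
```

With this stack `'WIKI_VIEW' in build_perm('bob')` still answers from the legacy grants, while `build_perm('bob')('wiki', 'PrivatePage')` is refused by the `*` deny rule before the legacy grants are ever consulted; swapping the two PrivatePage rules would let the catch-all deny shadow alice's grant, which is the kind of ordering issue the message flags for the sample plugin.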
