I'm planning on merging this on the weekend. Speak up, or forever hold your peace!
On 5/20/07, Alec Thomas <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I think the first phase of the security branch is ready for integration into
> trunk. Some documentation is here:
>
> http://trac.edgewall.org/wiki/TracDev/SecurityBranch
>
> Diff against last merged trunk (5420):
>
> http://trac.edgewall.org/changeset?new=5421&new_path=sandbox%2Fpycon%2Fsecurity&old=5420&old_path=trunk
>
> A brief overview:
>
> - Add an interface (IPermissionPolicy) for checking a user's permission to
>   access Trac resources.
> - Convert the current permission system to a plugin
>   (DefaultPermissionPolicy).
> - Modify PermissionCache to cache the fine-grained policy check results
>   (still needs some cleanup).
> - Convert each module to use fine-grained permissions.
> - API is backwards compatible.
> - Changes are minimal and largely localised to the permission system.
> - Security policies can be "stacked".
> - Adheres to the existing system of having an opt-in security policy. What
>   this means is that the security policy is enforced in the Trac user
>   interface.
> - Does *NOT* introduce a method of mapping Trac objects (e.g. WikiPage
>   object) to contexts (and thereby using resources directly with the
>   permission system). This would entail more intrusive changes, that I
>   wanted to avoid. If such a mechanism is introduced later, it can easily
>   be added.
>
> Note: So far only the Wiki module has been converted to use the new system.
> I'll continue converting modules once the new system is in trunk.
>
> A sample policy that uses an authz-style configuration is available here:
>
> http://trac.edgewall.org/browser/sandbox/pycon/security/sample-plugins/authz_policy.py
>
> Example configuration file is here:
>
> http://swapoff.org/files/authzpolicy.conf
>
> Note: The plugin still has some issues with rule ordering that need to be
> worked out.
>
> Example code using the new system:
>
>     # Backwards compatibility
>     'WIKI_VIEW' in perm
>     # Check for permission in "context" (resource identifier)
>     'WIKI_VIEW' in perm(context)
>     # Check for permission in a particular "realm"
>     'WIKI_VIEW' in perm('wiki')
>     # Check for permission on a particular object in a realm
>     'WIKI_VIEW' in perm('wiki', 'WikiStart')
>     # Check for permission on a particular version of an object in a realm
>     'WIKI_VIEW' in perm('wiki', 'WikiStart', 31)
>
> Feedback welcome.
>
> Alec
>
> --
> Evolution: Taking care of those too stupid to take care of themselves.

--
Evolution: Taking care of those too stupid to take care of themselves.

You received this message because you are subscribed to the Google Groups "Trac Development" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/trac-dev?hl=en
