
Opened 6 years ago

Closed 3 years ago

#3194 closed defect (fixed)

Access restriction to private wikis for anonymous users

Reported by: yoheeb@…
Owned by: natewlew
Priority: normal
Component: PrivateWikiPlugin
Severity: critical
Keywords:
Cc: holle@…
Trac Release: 0.11

Description

Hi, just tried this on 0.11rc2; as far as I can tell, it didn't work:

Installed the plugin, enabled it, set the handler to first in the list, added the [privatewikis] section, and protected a couple of pages. I then restarted the server, gave myself permissions to one of the pages, and created the "protected page" I gave myself permissions to. Went to another machine, accessed the Trac anonymously, and was able to navigate to the page. No errors in log.

Trac 0.11rc2, Apache 2.2, Python 2.5.2, mod_python under Windows. Using SSPI authentication via Windows domain controller. Sorry if there is already a ticket for this; clicking your existing tickets comes up blank.

Feel free to email me; I know there aren't many details. I can add some debug code or something.

Attachments (2)

privatewikiplugin-0.11-perms.diff (1.5 KB) - added by holle@… 6 years ago.
Fixes permission check for anonymous users
privatewikiplugin-0.11-perm_anonymous_wiki_only.diff (1.5 KB) - added by anonymous 5 years ago.
only match perms for anonymous if wiki module is in use


Change History (19)

comment:1 Changed 6 years ago by anonymous

  • Cc holle@… added

Does not work under 0.11 (final) at all.
Set up as described. Was unable to assign myself (or anyone) the PRIVATE_* permissions using the webadmin. They are simply nonexistent.

System:
SLES10SP2, Python 2.4.2

Changed 6 years ago by holle@…

Fixes permission check for anonymous users

comment:2 Changed 6 years ago by holle@…

The attached privatewikiplugin-0.11-perms.diff adds working code for this plugin to deny anonymous users access to private pages _but_ leaves access open to any other page.

BTW: I got it up and running by adding:
[components]
privatewiki.api.privatewikisystem = enabled

which is on the page but can be easily overlooked ...

comment:3 Changed 6 years ago by anonymous

Same problem as described.
The fix worked for me. Perfect!

Thank you

comment:4 follow-up: Changed 6 years ago by acamac

The attached change forces anonymous users to never have access to a private page. I can foresee a case where a user may want to allow anonymous to view a page but just not be able to edit it.

That, and the posted code crashes when anonymous tries to view tickets, or, I suspect, anything non-wiki based.

How about a simpler change, just removing the username from line 26

from

if username == 'anonymous' or resource is None or resource.id is None: 

to

if resource is None or resource.id is None:

It looks like check_wiki_access handles anonymous's permission just fine... makes you wonder why that condition is in the if.

Python 2.4.3, Trac 0.11.1

comment:5 Changed 6 years ago by Markus

I also removed "username == 'anonymous' or" from privatewikiplugin/0.11/privatewiki/api.py and got it to work.

The attached code breaks Trac 0.11.
Thanks, acamac

comment:6 in reply to: ↑ 4 Changed 6 years ago by slam

Can confirm that this change works on several different setups with 0.11.1.
Not sure who commits it to SVN?

Replying to acamac:

The attached change forces anonymous users to never have access to a private page. I can foresee a case where a user may want to allow anonymous to view a page but just not be able to edit it.

That, and the posted code crashes when anonymous tries to view tickets, or, I suspect, anything non-wiki based.

How about a simpler change, just removing the username from line 26

from

if username == 'anonymous' or resource is None or resource.id is None: 

to

if resource is None or resource.id is None:

It looks like check_wiki_access handles anonymous's permission just fine... makes you wonder why that condition is in the if.

Python 2.4.3, Trac 0.11.1

comment:7 Changed 5 years ago by DanielP

  • Owner changed from eric256 to holle@…

Can someone please submit the patch to SVN and build a new zip file?

It's quite annoying to download code 1 year old, which contains an already fixed malfunction.

comment:8 Changed 5 years ago by anonymous

  • Owner changed from holle@… to eric256

comment:9 Changed 5 years ago by DanielP

Just dug more into it. If you apply the patch from holle@… on 07/01/08 13:49:08, you will break everything but the wiki for anonymous.

I just changed line 26 to only match if wiki is involved. Please find the fixed patch attached.

Changed 5 years ago by anonymous

only match perms for anonymous if wiki module is in use
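
Added example (not part of the ticket and not the plugin's code): a simplified model of a Trac-style permission policy chain, showing why the `username == 'anonymous'` short-circuit quoted in comment 4 hands anonymous requests to the next policy, and how removing it changes the outcome without affecting tickets. It assumes the short-circuit branch returns None (no opinion); `check_wiki_access` here is a hypothetical stand-in, and the page names, grants and `PRIVATE_VIEW_` permission name are constructed.

```python
# Model of a Trac-style policy chain: each policy returns True (allow),
# False (deny) or None (no opinion, so the next policy decides).
from collections import namedtuple

Resource = namedtuple("Resource", "realm id")

PRIVATE_PAGES = {"Secret"}                      # constructed sample data
GRANTS = {"alice": {"PRIVATE_VIEW_Secret"}}     # constructed; name is illustrative
DEFAULT_GRANTS = {"WIKI_VIEW", "TICKET_VIEW"}   # what anonymous holds in this model


def check_wiki_access(username, resource):
    """Hypothetical stand-in for the plugin's per-page check."""
    if resource.realm != "wiki" or resource.id not in PRIVATE_PAGES:
        return None                             # not a private wiki page: abstain
    return ("PRIVATE_VIEW_" + resource.id) in GRANTS.get(username, set())


def original_policy(action, username, resource):
    # Condition as quoted in comment 4. Returning None here is an assumption.
    if username == 'anonymous' or resource is None or resource.id is None:
        return None
    return check_wiki_access(username, resource)


def patched_policy(action, username, resource):
    # Comment 4's suggestion: anonymous goes through the same check as everyone.
    if resource is None or resource.id is None:
        return None
    return check_wiki_access(username, resource)


def default_policy(action, username, resource):
    # Stand-in for the permission store: everyone inherits anonymous' grants.
    return action in DEFAULT_GRANTS


def decide(policies, action, username, resource):
    """First policy with an opinion wins; nothing decided means deny."""
    for policy in policies:
        verdict = policy(action, username, resource)
        if verdict is not None:
            return verdict
    return False


if __name__ == "__main__":
    secret = Resource("wiki", "Secret")
    for name, first in (("original", original_policy), ("patched", patched_policy)):
        allowed = decide([first, default_policy], "WIKI_VIEW", "anonymous", secret)
        print(name, "anonymous WIKI_VIEW on Secret ->", allowed)
```
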

comment:10 Changed 5 years ago by ckcin

Thanks for the patch; this patch is working for me.

comment:11 Changed 4 years ago by anonymous

  • Owner changed from eric256 to anonymous

comment:12 Changed 4 years ago by da.webs@…

The download isn't working for me. I followed all instructions but anonymous users can still see private wiki pages.

comment:13 Changed 3 years ago by gonzague.reydet@…

  • Summary changed from Doesn't seem to work to Access restriction to private wikis for anonymous users

The patch privatewikiplugin-0.11-perm_anonymous_wiki_only.diff worked for me on a Trac 0.12.
Could you consider applying it to the trunk sources?

comment:14 Changed 3 years ago by anonymous

  • Severity changed from major to critical

comment:15 Changed 3 years ago by otaku42

  • Owner changed from anonymous to eric256

Assigning this ticket back to plugin author / owner.

comment:16 Changed 3 years ago by natewlew

  • Owner changed from eric256 to natewlew

comment:17 Changed 3 years ago by natewlew

  • Resolution set to fixed
  • Status changed from new to closed
