Ticket #3194 (closed defect: fixed)

Opened 5 years ago

Last modified 1 year ago

Access restriction to private wikis for anonymous users

Reported by: yoheeb@gmail.com Assigned to: natewlew
Priority: normal Component: PrivateWikiPlugin
Severity: critical Keywords:
Cc: holle@catworkx.de Trac Release: 0.11

Description

Hi, just tried this on 0.11rc2, as far as I can tell, it didn't work:

Installed the plugin, enabled it, set the handler to first in the list, added the [privatewikis] section, and protected a couple pages. I then restarted the server, gave myself permissions to one of the pages, and created the "protected page" I gave myself permissions to. Went to another machine, accessed the trac anonymously, and was able to navigate to the page. No errors in log.

Trac 0.11rc2, apache 2.2 python 2.5.2, mod_python under windows. Using SSPI authentication via windows domain controller. Sorry if there is already a ticket for this, clicking your existing tickets comes up blank.

Feel free to email me, I know there aren't many details. I can add some debug code or something.

Attachments

privatewikiplugin-0.11-perms.diff (1.5 kB) - added by holle@catworkx.de on 07/01/08 13:49:08.
Fixes permission check for anonymous users
privatewikiplugin-0.11-perm_anonymous_wiki_only.diff (1.5 kB) - added by anonymous on 05/14/09 15:23:48.
only match perms for anonymous if wiki module is in use

Change History

07/01/08 11:01:42 changed by anonymous

  • cc set to holle@catworkx.de.

Does not work under 0.11 (final) at all. Setup as described. Was unable to assign me (or anyone) the PRIVATE_* permissions using the webadmin. They are simply nonexistent.

System: SLES10SP2 Python 2.4.2

07/01/08 13:49:08 changed by holle@catworkx.de

  • attachment privatewikiplugin-0.11-perms.diff added.

Fixes permission check for anonymous users

07/01/08 13:52:29 changed by holle@catworkx.de

The attached privatewikiplugin-0.11-perms.diff adds working code for this plugin to deny anonymous users access to private pages _but_ leaves access open to any other page.

BTW: I got it up and running by adding:

[components]
privatewiki.api.privatewikisystem = enabled

which is on the page but can be easily overlooked ...

10/08/08 11:08:39 changed by anonymous

Same problem as described. The fix worked for me. perfect!

Thank you

(follow-up: ↓ 6 ) 10/23/08 20:26:09 changed by acamac

the attached change forces anonymous users to never have access to a private page. I can foresee a case where a user may want to allow anonymous to view a page but just not be able to edit it.

That and the posted code crashes when anonymous tries to view tickets, or, I suspect, anything non-wiki based.

how about a simpler change just removing the username from line 26

from

if username == 'anonymous' or resource is None or resource.id is None: 

to

if resource is None or resource.id is None:

It looks like check_wiki_access handles anonymous's permission just fine... makes you wonder why that condition is in the if.

python 2.4.3, Trac 0.11.1
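
Added example, not part of the ticket or the plugin's code: a simplified model of a Trac-style permission-policy chain, showing why the `username == 'anonymous'` short-circuit quoted above lets the next policy grant a private page, and how removing it changes the decision. The `return None` after the condition, the `PRIVATE_<ACTION>_<page>` name format, the helper `has_private_grant` and the sample grants are assumptions constructed for illustration.

```python
# Simplified model of a Trac permission-policy chain (not the plugin's code).
from collections import namedtuple

Resource = namedtuple("Resource", "realm id")

PRIVATE_PAGES = {"Secret"}  # constructed stand-in for the [privatewikis] section
GRANTS = {                  # constructed sample permissions
    "anonymous": {"WIKI_VIEW", "TICKET_VIEW"},
    "alice": {"WIKI_VIEW", "TICKET_VIEW", "PRIVATE_VIEW_Secret"},
}


def has_private_grant(action, username, resource):
    """Hypothetical stand-in for check_wiki_access."""
    if resource.realm != "wiki" or resource.id not in PRIVATE_PAGES:
        return None  # not a private wiki page: no opinion
    suffix = action.split("_", 1)[1]  # WIKI_VIEW -> VIEW
    needed = "PRIVATE_%s_%s" % (suffix, resource.id)  # assumed name format
    return needed in GRANTS.get(username, set())


def policy_original(action, username, resource):
    # Condition as quoted in the ticket; abstaining (None) here is assumed.
    if username == "anonymous" or resource is None or resource.id is None:
        return None
    return has_private_grant(action, username, resource)


def policy_fixed(action, username, resource):
    # The change proposed in the comment: anonymous is no longer skipped.
    if resource is None or resource.id is None:
        return None
    return has_private_grant(action, username, resource)


def default_policy(action, username, resource):
    # Plain grant lookup, knows nothing about private pages.
    return action in GRANTS.get(username, set())


def allowed(policy, action, username, resource):
    # First policy that returns True/False decides; None means "ask the next".
    for check in (policy, default_policy):
        decision = check(action, username, resource)
        if decision is not None:
            return decision
    return False
```

Because the private-page policy abstains for anonymous in the original form, placing it first in the policy list does not help: the decision falls through to whichever policy grants `WIKI_VIEW`.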

10/28/08 01:48:20 changed by Markus

I also removed "username == 'anonymous' or" from privatewikiplugin/0.11/privatewiki/api.py and got it to work.

The attached code breaks trac 0.11. Thanks acamac

(in reply to: ↑ 4 ) 11/03/08 12:38:41 changed by slam

Can confirm that this change works on several different setups with 0.11.1. Not sure who commits it to SVN?

Replying to acamac:

the attached change forces anonymous users to never have access to a private page. I can foresee a case where a user may want to allow anonymous to view a page but just not be able to edit it.

That and the posted code crashes when anonymous tries to view tickets, or, I suspect, anything non-wiki based.

how about a simpler change just removing the username from line 26

from

{{{
if username == 'anonymous' or resource is None or resource.id is None:
}}}

to

{{{
if resource is None or resource.id is None:
}}}

It looks like check_wiki_access handles anonymous's permission just fine... makes you wonder why that condition is in the if.

python 2.4.3, Trac 0.11.1

05/14/09 14:45:48 changed by DanielP

  • owner changed from eric256 to holle@catworkx.de.

Can someone please submit the patch to SVN and build a new zip file.

It's quite annoying to download code 1 year old, which contains an already fixed malfunction.

05/14/09 14:45:58 changed by anonymous

  • owner changed from holle@catworkx.de to eric256.

05/14/09 15:23:15 changed by DanielP

Just dug more into it. If you apply the patch from holle@catworkx.de on 07/01/08 13:49:08, you will break everything but the wiki for anonymous.

I just changed line 26 to only match if wiki is involved. Please find the fixed patch attached.

05/14/09 15:23:48 changed by anonymous

  • attachment privatewikiplugin-0.11-perm_anonymous_wiki_only.diff added.

only match perms for anonymous if wiki module is in use

05/18/09 22:52:10 changed by ckcin

thanks for the patch, this patch is working for me

05/02/10 06:23:35 changed by anonymous

  • owner changed from eric256 to anonymous.

05/12/10 20:44:10 changed by da.webs@gmail.com

The download isn't working for me. I followed all instructions but anonymous users can still see private wiki pages.

10/03/11 22:09:11 changed by gonzague.reydet@yumantech.org

  • summary changed from Doesn't seem to work to Access restriction to private wikis for anonymous users.

The patch privatewikiplugin-0.11-perm_anonymous_wiki_only.diff worked for me on a Trac 0.12. Could you consider applying it to the trunk sources?

10/03/11 22:09:41 changed by anonymous

  • severity changed from major to critical.

11/11/11 12:40:34 changed by otaku42

  • owner changed from anonymous to eric256.

Assigning this ticket back to plugin author / owner.

01/04/12 02:47:34 changed by natewlew

  • owner changed from eric256 to natewlew.

01/04/12 03:22:02 changed by natewlew

  • status changed from new to closed.
  • resolution set to fixed.
