[[PageOutline(2-5,Contents,pullout)]]

= Role-Based Access Control for the Trac Wiki =

{{{
#!html
Notice: This macro is deprecated. The functionality is included in the Trac core. See TracFineGrainedPermissions
}}}

== Description ==

WikiRBAC modifies the trac.wiki.web_ui component to enforce Role-Based Access Control on the wiki. Roles are configured as groups within the Subversion authz file, and ACLs are specified identically to Subversion permissions, with the addition of 'c' and 'd' options, which control creation and deletion permissions respectively.

See also AuthzWebadminPlugin

=== Note ===

As of [382], WikiRBAC cannot increase a user's permissions. It can only limit them. That is, if user ''jru'' does not have '''WIKI_MODIFY''' permission, then telling WikiRBAC to let him modify some page or subwiki will not work. The user ''jru'' must have '''WIKI_MODIFY''' permission '''''and''''' WikiRBAC authorization in order to modify a page or subwiki.[[BR]]
'''WIKI_ADMIN''' permission overrides all WIKI_RBAC checks.

== Bugs/Feature Requests ==

Existing bugs and feature requests for WikiRbacPatch are [report:9?COMPONENT=WikiRbacPatch here].

If you have any issues, create a [http://trac-hacks.org/newticket?component=WikiRbacPatch&owner=puffy new ticket].

== Download ==

Download the zipped source from [download:wikirbacpatch here]. (See #803 for a version of the patch that works with 0.10.)

== Source ==

You can check out WikiRbacPatch from [http://trac-hacks.org/svn/wikirbacpatch here] using Subversion, or [source:wikirbacpatch browse the source] with Trac.

== Example ==

Install the patch.[[BR]]
Add the following to trac.ini's [wiki] section:
{{{
authz_svn_module_name = tracwiki
authorization_mode = require_all
#authz_file = (optional)
}}}

=== Notes ===

The {{{authz_svn_module}}} directive specifies which Subversion module to masquerade as. Recall that an authz section is of the form [ [module]:path ]. Leaving this empty is a bad idea.[[BR]]
The {{{authorization_mode}}} option tells the wiki authorization subsystem how to behave. Since the module exposes an extension point, plugins can be written to provide other authorization methods -- specifically, those that are not based around Subversion's authz file. A setting of {{{require_all}}} means that every authorizer must successfully authorize an operation in order for that operation to be authorized. In contrast, {{{require_one}}} (to be renamed to {{{require_any}}}) needs at least one authorizer to approve an operation in order for that operation to be authorized. Not including this directive, or setting it to any other string (such as {{{none}}}), will result in the RBAC system being deactivated.[[BR]]
The {{{authz_file}}} option specifies a path to a file in authz format. This is intended to allow the wiki component to get its authorization from a different file than Subversion's authz, or to provide an authz file when Subversion is not being used.

As an example, one might add the following to the Subversion authz file (or set the authz_file directive in the wiki section to something appropriate):
{{{
[groups]
example = mrfoo,mrsbaz
losers = somedude

[tracwiki:/]
# give everyone read access
* = r

[tracwiki:/WikiStart]
# give read/write permission to the example group
@example = rw

[tracwiki:/somepath/sample]
# give the losers group authorization to read, edit, create, and delete wiki pages
@losers = rwcd
}}}

Please note that Trac's own prefix, {{{/wiki}}}, is left out of these paths, as it is silently assumed.

== Recent Changes ==

[[ChangeLog(wikirbacpatch, 3)]]

== Author/Contributors ==

'''Author:''' [wiki:puffy] [[BR]]
'''Author:''' ''none (deprecated)'' [[BR]]
'''Contributors:'''
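
The authz rules and the {{{authorization_mode}}} behaviour from the Example section, worked through as an added example (this is not WikiRBAC's own code). The function names are illustrative, and the path lookup is assumed to follow Subversion's nearest-matching-section behaviour, which the page does not spell out.

```python
import configparser
# Constructed sample input: the authz rules from this page.
AUTHZ = """\
[groups]
example = mrfoo,mrsbaz
losers = somedude
[tracwiki:/]
* = r
[tracwiki:/WikiStart]
@example = rw
[tracwiki:/somepath/sample]
@losers = rwcd
"""

def load(text):
    cp = configparser.RawConfigParser(delimiters=("=",))
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    return cp

def authz_allows(cp, user, page, letter, module="tracwiki"):
    # letter: r, w, c or d. Assumption: the nearest path section with an entry
    # matching the user (name, @group or *) decides, as in Subversion's authz.
    groups = {g: [u.strip() for u in v.split(",")] for g, v in cp.items("groups")}
    path = "/" + page.strip("/")
    while True:
        section = "%s:%s" % (module, path)
        if cp.has_section(section):
            granted = None
            for who, perms in cp.items(section):
                in_group = who.startswith("@") and user in groups.get(who[1:], [])
                if who in ("*", user) or in_group:
                    granted = (granted or "") + perms
            if granted is not None:
                return letter in granted
        if path == "/":
            return False  # no rule matches this user anywhere: deny
        path = path.rsplit("/", 1)[0] or "/"

def decide(mode, verdicts, has_trac_perm, wiki_admin=False):
    if wiki_admin:
        return True   # WIKI_ADMIN overrides all RBAC checks
    if not has_trac_perm:
        return False  # RBAC can only limit, never grant
    if mode == "require_all":
        return all(verdicts)
    if mode == "require_one":
        return any(verdicts)
    return True       # any other value: RBAC is deactivated
```

Pass {{{decide}}} one verdict per registered authorizer; with a single authz-based authorizer, {{{require_all}}} and {{{require_one}}} give the same result.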