
Opened 15 months ago

Closed 15 months ago

Last modified 15 months ago

#13850 closed enhancement (fixed)

New permission system

Reported by: Cinc-th Owned by: Cinc-th
Priority: normal Component: SimpleMultiProjectPlugin
Severity: normal Keywords:
Cc: Trac Release: 1.2

Description

SimpleMultiProjectPlugin uses a separate permission system to restrict users from accessing certain projects.

Projects should integrate with the permission system provided by Trac. This way the plugin in the end may work with TracFineGrainedPermissions helping admins to better set restrictions on resources.

A side effect may be that less code is necessary for filtering data, because Trac is doing the heavy lifting for us.

Changes

  • rework admin page to remove current permission system
  • new permission policy provider for tickets/components/milestones/...
  • automatically migrate current users to new permission system (environment upgrade) if feasible
  • ...

Attachments (0)

Change History (20)

comment:1 Changed 15 months ago by Cinc-th

In 17802:

SimpleMultiProjectPlugin: new permission provider plugin. Test cases for permission provider plugin. Some additional methods for SmpProject model for project adding and deletion.

Refs #13850

comment:2 Changed 15 months ago by Cinc-th

Quick outline of how the new permission system should work:

Each project has a unique id up to now not visible to the user. The uniqueness is enforced by the underlying database.

For each project a permission PROJECT_<id>_MEMBER is automatically created by a permission provider.

Using the Trac permission admin panel PROJECT_<id>_MEMBER can be assigned to users like any other permission to give them access to the project's tickets and other data.

A permission policy plugin checks the assigned permissions when resources are queried.


Caveats:

Currently it's possible to define negated permissions (using '!') with SimpleMultiProjectPlugin. This feature will be gone with the new permission system.

comment:3 Changed 15 months ago by Cinc-th

In 17803:

SimpleMultiProjectPlugin: don't provide per project permissions for now. Will be activated later when the new permission system is in place.

Refs #13850

comment:4 Changed 15 months ago by Cinc-th

In 17807:

SimpleMultiProjectPlugin: tag release 0.7.1. This is the last version fully supporting the legacy permission system.

Refs #13850

comment:5 Changed 15 months ago by Cinc-th

Status: assigned → accepted

comment:6 Changed 15 months ago by Cinc-th

In 17810:

SimpleMultiProjectPlugin: implemented new permission system, new admin page, unit tests and more.

  • The new permission system uses Trac permissions instead of a private user list
  • Admin page for projects rewritten to use the new permissions and for license reasons
  • Changed field types in SMP database tables from varchar(255) to text (see #13510 for info)
  • Unit tests for new features
  • removal of obsolete code

Refs #13850
closes #13510

comment:7 Changed 15 months ago by Cinc-th

When a project is marked as restricted, tickets belonging to it are hidden. You may give users access by assigning the permission PROJECT_<id>_MEMBER using the Trac permission admin panel. <id> is the unique project ID shown on the project admin page, not the project name.

Note that [17810] probably introduces regressions wrt permissions.

  • So far filtering of tickets in general and when doing custom queries is working.
  • This filtering also applies to the timeline page.

Only tickets of projects the user has permissions for are shown and tickets of projects without any user restrictions.

No access filtering for milestones, components and versions yet.

comment:8 Changed 15 months ago by Cinc-th

In 17811:

SimpleMultiProjectPlugin: project tables on milestone, version and component admin pages didn't have correct projects because the old permission checks were used.

Removed obsolete template files. Bumped version to 0.7.2.

Refs #13850

comment:9 Changed 15 months ago by Cinc-th

In 17813:

SimpleMultiProjectPlugin: added permission check for milestones.

This works for all pages where milestones are used/visible thanks to Trac's permission system:

  • Roadmap page
  • Query page
  • Ticket pages
  • ...

Refs #13850

comment:10 Changed 15 months ago by Cinc-th

In 17814:

SimpleMultiProjectPlugin: project tables on roadmap and timeline pages didn't have correct projects because the old permission checks were used.

  • Added unit tests
  • Preselect All in project tables for roadmap and timeline if no user selection is made

Refs #13850

comment:11 Changed 15 months ago by Cinc-th

In 17815:

SimpleMultiProjectPlugin: started to rewrite ticket handling to use new permission system and for licensing reasons.

  • Component filtering for ticket page implemented. No additional filtering according to project selection yet.

Refs #13850
Refs #13849

comment:12 Changed 15 months ago by Cinc-th

In 17816:

SimpleMultiProjectPlugin: new rewrite ticket handling to use new permission system and for licensing reasons.

  • project filtering for ticket page implemented.
  • version filtering for ticket page implemented. No additional filtering according to project selection yet.

Refs #13850
Refs #13849

comment:13 Changed 15 months ago by Cinc-th

In 17817:

SimpleMultiProjectPlugin: removed obsolete code.

Refs #13850
Refs #13849

comment:14 Changed 15 months ago by Cinc-th

In 17819:

SimpleMultiProjectPlugin: removed obsolete JavaScript file. Follow-up to [17818].

Refs #13850
Refs #13849

comment:15 Changed 15 months ago by Cinc-th

In 17820:

SimpleMultiProjectPlugin: added filtering by project for milestones.

Filtering by access right was already implemented, see [17815], [17816].

Refs #13850
Refs #13849

comment:16 Changed 15 months ago by Cinc-th

In 17823:

SimpleMultiProjectPlugin: roadmap grouping by project was broken because the old permission checks were used.

Refs #13850

comment:17 Changed 15 months ago by Cinc-th

In 17826:

SimpleMultiProjectPlugin: added filtering by permission on the query page for components and version.

Note that there is no filtering by project in place.

Refs #13850
Refs #11572

comment:18 Changed 15 months ago by Cinc-th

In 17827:

SimpleMultiProjectPlugin: show project name as a tooltip for project permissions on the admin page for Trac permissions.

Refs #13850

comment:19 Changed 15 months ago by Cinc-th

Resolution: fixed
Status: accepted → closed
Trac Release: 1.2

The new permission system is in place and functional. It is implemented by a new permission policy SmpPermissionPolicy and additional request filtering. The latter is necessary because TracFineGrainedPermissions are limited to some resources, notably excluding versions and components.

For permission checking and proper filtering the permission policy plugin must be activated and configured in trac.ini.

[trac]
permission_policies = SmpPermissionPolicy, ... any other ...

You may mark a project as restricted on the project admin page which has the following effects.

  • Tickets linked with a restricted project can't be accessed by users without permissions.

This works for individual ticket pages, ticket queries, the timeline page and everywhere else a ticket is shown.

  • Milestones belonging to restricted projects can't be accessed without permissions.

This affects ticket queries, the roadmap and timeline pages and individual ticket pages.

  • Components and versions of restricted projects are not available for queries or when creating/modifying ticket pages.

Projects without restrictions and their linked resources can be accessed by any user. Normal Trac permission settings apply.

You may give users access by assigning the permission PROJECT_<id>_MEMBER using the Trac permission admin panel. <id> is the unique project ID shown on the project admin page, not the project name. For more control over individual resources the normal Trac permissions are available.

This means the project permission is a coarse filter that only prevents access to a project's resources globally. You can't have individual fine-grained resource access for different projects because normal Trac permissions are defined for all projects. Use TracFineGrainedPermissions if you need such control.

Last edited 15 months ago by Cinc-th
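The PROJECT_<id>_MEMBER scheme outlined in comment:2 and summarised in comment:19 (provider creates one action per project id; policy vetoes restricted resources for non-members and defers everything else to normal Trac permissions), as an added stand-alone model that is not the plugin's own code. It assumes Trac's IPermissionPolicy contract of returning True/False/None from check_permission, but replaces the Trac objects (PermissionCache, Resource, database tables) with plain dicts and sets so it runs offline.

```python
# Added example, not code from SimpleMultiProjectPlugin: a stand-alone model of
# the PROJECT_<id>_MEMBER check that a Trac IPermissionPolicy would perform.
# Trac's real policy objects receive (action, username, resource, perm); here
# `perm` is modelled as a plain set of granted action names (assumption).
from typing import Optional

# Constructed sample data (assumption): project ids with their restricted flag,
# and the (realm, id) -> project id mapping the plugin keeps in its tables.
PROJECTS = {1: {"name": "Public Site", "restricted": False},
            2: {"name": "Internal Tooling", "restricted": True}}
RESOURCE_PROJECT = {("ticket", 101): 1, ("ticket", 202): 2,
                    ("milestone", "m2.0"): 2, ("component", "backend"): 2}


def get_permission_actions():
    """Provider part: one PROJECT_<id>_MEMBER action per project, keyed by the
    numeric project id rather than the project name (see comment:2)."""
    return ["PROJECT_%d_MEMBER" % pid for pid in sorted(PROJECTS)]


def check_permission(action, username, resource, user_perms) -> Optional[bool]:
    """Policy part. True/False decides; None defers to the next policy listed
    in [trac] permission_policies, exactly as IPermissionPolicy expects."""
    if resource is None:
        return None                      # no resource: nothing to filter on
    realm, rid = resource
    pid = RESOURCE_PROJECT.get((realm, rid))
    if pid is None or not PROJECTS[pid]["restricted"]:
        return None                      # unrestricted: normal Trac perms apply
    if "PROJECT_%d_MEMBER" % pid in user_perms:
        return None                      # member: TICKET_VIEW etc. still required
    return False                         # restricted and not a member: veto


def visible_tickets(username, user_perms, ticket_ids):
    """Request-filter part (comment:19): keep only tickets the policy does not
    veto, the same coarse filter applied to queries and the timeline."""
    return [t for t in ticket_ids
            if check_permission("TICKET_VIEW", username, ("ticket", t),
                                user_perms) is not False]
```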

comment:20 Changed 15 months ago by Cinc-th

In 17829:

SimpleMultiProjectPlugin: follow-up to [17827]. The javascript file actually doing the work of preparing the tooltip data was missing.

Refs #13850
