New permission system

[Cinc-th]

SimpleMultiProjectPlugin uses a separate permission system to restrict users from accessing certain projects.

Projects should integrate with the permission system provided by Trac. This way the plugin in the end may work with TracFineGrainedPermissions helping admins to better set restrictions on resources.

A side effect may be that less code is necessary for filtering data, because Trac is doing the heavy lifting for us.

Changes

• rework admin page to remove current permission system
• new permission policy provider for tickets/components/milestones/...
• automatically migrate current users to new permission system (environment upgrade) if feasible
• ...

[Cinc-th]

In 17802:

SimpleMultiProjectPlugin: new permission provider plugin. Test cases for permission provider plugin. Some additional methods for SmpProject model for project adding and deletion.

Refs #13850

[Cinc-th]

Quick outline how the new permission system should work:

Each project has a unique id up to now not visible to the user. The uniqueness is enforced by the underlying database.

For each project a permission PROJECT_<id>_MEMBER is automatically created by a permission provider.

Using the Trac permission admin panel PROJECT_<id>_MEMBER can be assigned to users like any other permission to give them access to the projects tickets and other data.

A permission policy plugin checks the assigned permissions when resources are queried.

---

Caveats:

Currently it's possible to define negated permissions (using '!') with SimpleMultiProjectPlugin. This feature will be gone with the new permission system.

[Cinc-th]

In 17803:

SimpleMultiProjectPlugin: don't provide per project permissions for now. Will be activated later when the new permission system is in place.

Refs #13850

[Cinc-th]

In 17807:

SimpleMuliProjectPlugin: tag release 0.7.1. This is the last version fully supporting the legacy permission system.

Refs #13850

[Cinc-th]

In 17810:

SimpleMultiProjectPlugin: implemented new permission system, new admin page, unit tests and more.

• The new permission system uses Trac permissions instead of a private user list
• Admin page for projects rewritten to use the new permissions and for license reasons
• Changed field types in SMP database tables from varchar(255) to text (see #13510 for info)
• Unit tests for new features
• removal of obsolete code

Refs #13850
closes #13510

[Cinc-th]

When a project is marked as restricted tickets belonging to it are hidden. You may give users access by assigning the permission PROJECT_<id>_MEMBER using the Trac permission admin panel. <id> is the unique project ID shown on the project admin page not the project name.

Note that [17810] probably introduces regressions wrt permissions.

• So far filtering of tickets in general and when doing custom queries is working.
• This filtering also applies to the timeline page.

Only tickets of projects the user has permissions for are shown and tickets of projects without any user restrictions.

No access filtering for milestones, components and versions yet.

[Cinc-th]

In 17811:

SimpleMultiProjectPlugin: project tables on milestone, version and component admin pages didn't have correct projects because the old permission checks were used.

Removed obsolete template files. Bumped version to 0.7.2.

Refs #13850

[Cinc-th]

In 17813:

SimpleMultiProjectPlugin: added permission check for milestones.

This works for all pages where milestones are used/visible thanks to Tracs permission system:

• Roadmap page
• Query page
• Ticket pages
• ...

Refs #13850

[Cinc-th]

In 17814:

SimpleMultiProjectPlugin: project tables on roadmap and timeline pages didn't have correct projects because the old permission checks were used.

• Added unit tests
• Preselect All in project tables for roadmap and timeline if no user selection is made

Refs #13850

[Cinc-th]

In 17815:

SimpleMultiProjectPlugin: started to rewrite ticket handling to use new permission system and for licensing reasons.

• Component filtering for ticket page implemented. No additional filtering according to project selection yet.

Refs #13850
Refs #13849

[Cinc-th]

In 17816:

SimpleMultiProjectPlugin: new rewrite ticket handling to use new permission system and for licensing reasons.

• project filtering for ticket page implemented.
• version filtering for ticket page implemented. No additional filtering according to project selection yet.

Refs #13850
Refs #13849

[Cinc-th]

In 17817:

SimpleMultiProjectPlugin: removed obsolete code.

Refs #13850
Refs #13849

[Cinc-th]

In 17819:

SimpleMultiProjectPlugin: removed obsolete javascriptfile. Follow-up to [17818].

Refs #13850
Refs #13849

[Cinc-th]

In 17820:

SimpleMultiProjectPlugin: added filtering by project for milestones.

Filtering by access right was already implemented, see [17815], [17816].

Refs #13850
Refs #13849

[Cinc-th]

In 17823:

SimpleMultiProjectPlugin: roadmap grouping by project was broken because the old permission checks were used.

Refs #13850

[Cinc-th]

In 17826:

SimpleMultiProjectPlugin: added filtering by permission on the query page for components and version.

Note that there is no filtering by project in place.

Refs #13850
Refs #11572

[Cinc-th]

In 17827:

SimpleMultiProjectPlugin: show project name as a tooltip for project permissions on the admin page for Trac permissions.

Refs #13850

[Cinc-th]

The new permission system is in place and functional. It is implemented by a new permission policy SmpPermissionPolicy and additional request filtering. The latter is necessary because TracFineGrainedPermissions are limited to some resources, notably excluding versions and components.

For permission checking and proper filtering the permission policy plugin must be activated and configured in trac.ini.

[trac]
permission_policies = SmpPermissionPolicy, ... any other ...

You may mark a project as restricted on the project admin page which has the following effects.

• Tickets linked with a restricted project can't be accessed by users without permissions.

This works for individual ticket pages, ticket queries, the timeline page and everywhere else a ticket is shown.

• Milestones belonging to restricted projects can't be accessed without permissions.

This affects ticket queries, the roadmap and timeline pages and individual ticket pages.

• Components and versions of restricted projects are not available for queries or when creating/modifying ticket pages.

Projects without restrictions and their linked resources can be accessed by any user. Normal Trac permission settings apply.

You may give users access by assigning the permission PROJECT_<id>_MEMBER using the Trac permission admin panel. <id> is the unique project ID shown on the project admin page not the project name. For more control over individual resources the normal Trac permissions are available.

This means the project permission is a coarse filter to only prevent global project resources access. You can't have individual fine grained resource access for different projects because normal Trac permissions are defined for all projects. Use TracFineGrainedPermissions if you need such control.

[Cinc-th]

In 17829:

SimpleMultiProjectPlugin: follow-up to [17827]. The javascript file actually doing the work of preparing the tooltip data was missing.

Refs #13850