#13850 closed enhancement (fixed)
New permission system
Reported by: | Cinc-th | Owned by: | Cinc-th |
---|---|---|---|
Priority: | normal | Component: | SimpleMultiProjectPlugin |
Severity: | normal | Keywords: | |
Cc: | Trac Release: | 1.2 |
Description
SimpleMultiProjectPlugin uses a separate permission system to restrict users from accessing certain projects.
Projects should integrate with the permission system provided by Trac. This way the plugin in the end may work with TracFineGrainedPermissions helping admins to better set restrictions on resources.
A side effect may be that less code is necessary for filtering data, because Trac is doing the heavy lifting for us.
Changes
- rework admin page to remove current permission system
- new permission policy provider for tickets/components/milestones/...
- automatically migrate current users to new permission system (environment upgrade) if feasible
- ...
Attachments (0)
Change History (20)
comment:1 Changed 4 years ago by
comment:2 Changed 4 years ago by
Quick outline how the new permission system should work:
Each project has a unique id up to now not visible to the user. The uniqueness is enforced by the underlying database.
For each project a permission PROJECT_<id>_MEMBER is automatically created by a permission provider.
Using the Trac permission admin panel PROJECT_<id>_MEMBER can be assigned to users like any other permission to give them access to the projects tickets and other data.
A permission policy plugin checks the assigned permissions when resources are queried.
Caveats:
Currently it's possible to define negated permissions (using '!') with SimpleMultiProjectPlugin. This feature will be gone with the new permission system.
comment:5 Changed 4 years ago by
Status: | assigned → accepted |
---|
comment:7 Changed 4 years ago by
When a project is marked as restricted tickets belonging to it are hidden. You may give users access by assigning the permission PROJECT_<id>_MEMBER using the Trac permission admin panel. <id> is the unique project ID shown on the project admin page not the project name.
Note that [17810] probably introduces regressions wrt permissions.
- So far filtering of tickets in general and when doing custom queries is working.
- This filtering also applies to the timeline page.
Only tickets of projects the user has permissions for are shown and tickets of projects without any user restrictions.
No access filtering for milestones, components and versions yet.
comment:19 Changed 4 years ago by
Resolution: | → fixed |
---|---|
Status: | accepted → closed |
Trac Release: | → 1.2 |
The new permission system is in place and functional. It is implemented by a new permission policy SmpPermissionPolicy and additional request filtering. The latter is necessary because TracFineGrainedPermissions are limited to some resources, notably excluding versions and components.
For permission checking and proper filtering the permission policy plugin must be activated and configured in trac.ini.
[trac] permission_policies = SmpPermissionPolicy, ... any other ...
You may mark a project as restricted on the project admin page which has the following effects.
- Tickets linked with a restricted project can't be accessed by users without permissions.
This works for individual ticket pages, ticket queries, the timeline page and everywhere else a ticket is shown.
- Milestones belonging to restricted projects can't be accessed without permissions.
This affects ticket queries, the roadmap and timeline pages and individual ticket pages.
- Components and versions of restricted projects are not available for queries or when creating/modifying ticket pages.
Projects without restrictions and their linked resources can be accessed by any user. Normal Trac permission settings apply.
You may give users access by assigning the permission PROJECT_<id>_MEMBER using the Trac permission admin panel. <id> is the unique project ID shown on the project admin page not the project name. For more control over individual resources the normal Trac permissions are available.
This means the project permission is a coarse filter to only prevent global project resources access. You can't have individual fine grained resource access for different projects because normal Trac permissions are defined for all projects. Use TracFineGrainedPermissions if you need such control.
In 17802: