Modify

Opened 16 years ago

Closed 13 years ago

#3194 closed defect (fixed)

Access restriction to private wikis for anonymous users

Reported by: Jay Owned by: Nathan Lewis
Priority: normal Component: PrivateWikiPlugin
Severity: critical Keywords:
Cc: holle@… Trac Release: 0.11

Description

Hi, Just tried this on 0.11rc2, as far as I can tell, it didn't work:

Installed the plugin, enabled it. set the handler to first in the list, added the [privatewikis] section, and protected a couple pages. I then restarted the server, gave myself permissions to one of the pages, and created the "protected page" I gave myself permissions to. Went to another machine, accessed the trac anonymously, and was able to navigate to the page. No errors in log.

Trac 0.11rc2, apache 2.2 python 2.5.2, mod_python under windows. Using SSPI authentication via windows domain controller. Sorry if there is already a ticket for this, clicking your existing tickets comes up blank.

feel free to email me, I know there aren't many details. I can add some debug code or something.

Attachments (2)

privatewikiplugin-0.11-perms.diff (1.5 KB) - added by holle@… 16 years ago.
Fixes permisson check for anonymous users
privatewikiplugin-0.11-perm_anonymous_wiki_only.diff (1.5 KB) - added by anonymous 16 years ago.
only match prems for anonymous if wiki module is in use

Download all attachments as: .zip

Change History (19)

comment:1 Changed 16 years ago by anonymous

Cc: holle@… added; anonymous removed

Does not work under 0.11 (final) at all. Setup as described. Was unable to assign me (or anyone) the PRIVATE_* permissions using the webadmin. They are simply nonexistant.

System: SLES10SP2 Python 2.4.2

Changed 16 years ago by holle@…

Fixes permisson check for anonymous users

comment:2 Changed 16 years ago by holle@…

The attached privatewikiplugin-0.11-perms.diff adds working code for this plugin to deny anonymous users access to private pages _but_ leaves access open to any other page.

BTW: I got it up and running by adding: [components] privatewiki.api.privatewikisystem = enabled

which is on the page but can be easiely overseen ...

comment:3 Changed 16 years ago by anonymous

Same problem as described. The fix worked for me. perfect!

Thank you

comment:4 Changed 16 years ago by Aaron Camac

the attached change forces anonymous users to never have access to a private page. I can foresee a case where a user may want to allow anonymous to view a page but just not be able to edit it.

That and the posted code crashes when anonymous trys to view tickets, or, i suspect, anything non-wiki based.

how about a simpler change just removing the username from line 26

from

if username == 'anonymous' or resource is None or resource.id is None: 

to

if resource is None or resource.id is None:

It looks like check_wiki_access handles anonymous's premission just fine... makes you wonder why that condition is in the if.

python 2.4.3, Trac 0.11.1

comment:5 Changed 16 years ago by Markus

I also removed "username == 'anonymous' or" from privatewikiplugin/0.11/privatewiki/api.py and got it to work.

The attached coded breaks trac 0.11 Thanks acamac

comment:6 in reply to:  4 Changed 16 years ago by Chris Hildebrandt

Can confirm that this change works on several different setups with 0.11.1. Not sure who commits it to SVN?

Replying to acamac:

the attached change forces anonymous users to never have access to a private page. I can foresee a case where a user may want to allow anonymous to view a page but just not be able to edit it.

That and the posted code crashes when anonymous trys to view tickets, or, i suspect, anything non-wiki based.

how about a simpler change just removing the username from line 26

from

if username == 'anonymous' or resource is None or resource.id is None: 

to

if resource is None or resource.id is None:

It looks like check_wiki_access handles anonymous's premission just fine... makes you wonder why that condition is in the if.

python 2.4.3, Trac 0.11.1

comment:7 Changed 16 years ago by DanielP

Owner: changed from Eric Hodges to holle@…

can someone please submit the path to SVN and build an new zip file.

It's quite annoying to download code 1 year old, wich contains an already fixed malfunction.

comment:8 Changed 16 years ago by anonymous

Owner: changed from holle@… to Eric Hodges

comment:9 Changed 16 years ago by DanielP

Just digged more into it. If you apply the patch from holle@… on 07/01/08 13:49:08 , you will break everything but the wiki for anonymous.

I just changed line 26 to only match if wiki is involved. Please find the fixed patch attached.

Changed 16 years ago by anonymous

only match prems for anonymous if wiki module is in use

comment:10 Changed 16 years ago by nick carrasco

thanks for the patch, this patch is working for me

comment:11 Changed 15 years ago by anonymous

Owner: changed from Eric Hodges to anonymous

comment:12 Changed 15 years ago by da.webs@…

The download isn't working for me. I followed all instructions but anonymous users can still see private wiki pages.

comment:13 Changed 13 years ago by gonzague.reydet@…

Summary: Doesn't seem to workAccess restriction to private wikis for anonymous users

The patch privatewikiplugin-0.11-perm_anonymous_wiki_only.diff worked for me on a Trac 0.12. Could you consider to apply it on trunk sources?

comment:14 Changed 13 years ago by anonymous

Severity: majorcritical

comment:15 Changed 13 years ago by Michael Renzmann

Owner: changed from anonymous to Eric Hodges

Assigning this ticket back to plugin author / owner.

comment:16 Changed 13 years ago by Nathan Lewis

Owner: changed from Eric Hodges to Nathan Lewis

comment:17 Changed 13 years ago by Nathan Lewis

Resolution: fixed
Status: newclosed

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Nathan Lewis.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.