Opened 16 years ago
Closed 13 years ago
#3194 closed defect (fixed)
Access restriction to private wikis for anonymous users
| Reported by: | Jay | Owned by: | Nathan Lewis |
|---|---|---|---|
| Priority: | normal | Component: | PrivateWikiPlugin |
| Severity: | critical | Keywords: | |
| Cc: | holle@… | Trac Release: | 0.11 |
Description
Hi, Just tried this on 0.11rc2, as far as I can tell, it didn't work:
Installed the plugin, enabled it. set the handler to first in the list, added the [privatewikis] section, and protected a couple pages. I then restarted the server, gave myself permissions to one of the pages, and created the "protected page" I gave myself permissions to. Went to another machine, accessed the trac anonymously, and was able to navigate to the page. No errors in log.
Trac 0.11rc2, apache 2.2 python 2.5.2, mod_python under windows. Using SSPI authentication via windows domain controller. Sorry if there is already a ticket for this, clicking your existing tickets comes up blank.
feel free to email me, I know there aren't many details. I can add some debug code or something.
Attachments (2)
Change History (19)
comment:1 Changed 16 years ago by
| Cc: | holle@… added; anonymous removed |
|---|
Changed 16 years ago by
| Attachment: | privatewikiplugin-0.11-perms.diff added |
|---|
Fixes permisson check for anonymous users
comment:2 Changed 16 years ago by
The attached privatewikiplugin-0.11-perms.diff adds working code for this plugin to deny anonymous users access to private pages _but_ leaves access open to any other page.
BTW: I got it up and running by adding: [components] privatewiki.api.privatewikisystem = enabled
which is on the page but can be easiely overseen ...
comment:3 Changed 16 years ago by
Same problem as described. The fix worked for me. perfect!
Thank you
comment:4 follow-up: 6 Changed 16 years ago by
the attached change forces anonymous users to never have access to a private page. I can foresee a case where a user may want to allow anonymous to view a page but just not be able to edit it.
That and the posted code crashes when anonymous trys to view tickets, or, i suspect, anything non-wiki based.
how about a simpler change just removing the username from line 26
from
if username == 'anonymous' or resource is None or resource.id is None:
to
if resource is None or resource.id is None:
It looks like check_wiki_access handles anonymous's premission just fine... makes you wonder why that condition is in the if.
python 2.4.3, Trac 0.11.1
comment:5 Changed 16 years ago by
I also removed "username == 'anonymous' or" from privatewikiplugin/0.11/privatewiki/api.py and got it to work.
The attached coded breaks trac 0.11 Thanks acamac
comment:6 Changed 16 years ago by
Can confirm that this change works on several different setups with 0.11.1. Not sure who commits it to SVN?
Replying to acamac:
the attached change forces anonymous users to never have access to a private page. I can foresee a case where a user may want to allow anonymous to view a page but just not be able to edit it.
That and the posted code crashes when anonymous trys to view tickets, or, i suspect, anything non-wiki based.
how about a simpler change just removing the username from line 26
from
if username == 'anonymous' or resource is None or resource.id is None:to
if resource is None or resource.id is None:It looks like check_wiki_access handles anonymous's premission just fine... makes you wonder why that condition is in the if.
python 2.4.3, Trac 0.11.1
comment:7 Changed 16 years ago by
| Owner: | changed from Eric Hodges to holle@… |
|---|
can someone please submit the path to SVN and build an new zip file.
It's quite annoying to download code 1 year old, wich contains an already fixed malfunction.
comment:8 Changed 16 years ago by
| Owner: | changed from holle@… to Eric Hodges |
|---|
comment:9 Changed 16 years ago by
Just digged more into it. If you apply the patch from holle@… on 07/01/08 13:49:08 , you will break everything but the wiki for anonymous.
I just changed line 26 to only match if wiki is involved. Please find the fixed patch attached.
Changed 16 years ago by
| Attachment: | privatewikiplugin-0.11-perm_anonymous_wiki_only.diff added |
|---|
only match prems for anonymous if wiki module is in use
comment:11 Changed 15 years ago by
| Owner: | changed from Eric Hodges to anonymous |
|---|
comment:12 Changed 15 years ago by
The download isn't working for me. I followed all instructions but anonymous users can still see private wiki pages.
comment:13 Changed 13 years ago by
| Summary: | Doesn't seem to work → Access restriction to private wikis for anonymous users |
|---|
The patch privatewikiplugin-0.11-perm_anonymous_wiki_only.diff worked for me on a Trac 0.12. Could you consider to apply it on trunk sources?
comment:14 Changed 13 years ago by
| Severity: | major → critical |
|---|
comment:15 Changed 13 years ago by
| Owner: | changed from anonymous to Eric Hodges |
|---|
Assigning this ticket back to plugin author / owner.
comment:16 Changed 13 years ago by
| Owner: | changed from Eric Hodges to Nathan Lewis |
|---|
comment:17 Changed 13 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Committed Patch (attachment:privatewikiplugin-0.11-perm_anonymous_wiki_only.diff) to the svn source: changeset:11107
Does not work under 0.11 (final) at all. Setup as described. Was unable to assign me (or anyone) the PRIVATE_* permissions using the webadmin. They are simply nonexistant.
System: SLES10SP2 Python 2.4.2