Opened 9 years ago

Closed 9 years ago

#5380 closed enhancement (fixed)

Fine-grained permissions support

Reported by: osimons Owned by: osimons
Priority: high Component: XmlRpcPlugin
Severity: normal Keywords:
Cc: Trac Release: 0.11


All methods needs to be reviewed to make sure they support Trac 0.11 fine-grained permissions, allowing security policies to have a say about what is returned.

Attachments (1)

t5380-fine_grained_permissions-r6057.diff (18.0 KB) - added by osimons 9 years ago.
Fine-grained permissions (Trac 0.11 security enhancements).

Download all attachments as: .zip

Change History (3)

Changed 9 years ago by osimons

Fine-grained permissions (Trac 0.11 security enhancements).

comment:1 Changed 9 years ago by osimons

attachment:t5380-fine_grained_permissions-r6057.diff makes the XmlRpcPlugin and its default supplied methods support the security model provided by Trac 0.11 - essentially a "by resource" model, so that security "depends"...

To support this, I had to remove the general check for a certain permission and move the permission checks into each function depending on what the function does and what resource it operates on. A user that doesn't have general TICKET_VIEW permissions, may still have TICKET_VIEW for a specific ticket. And, some methods have both like search.performSearch() that has a general SEARCH_VIEW that is really not so useful in itself, but where the hits are also filtered against permissions on a resource level.

Methods using "new-style" permission - ie methods where permission checks should be deferred to the function answering the call - should leave permission empty in its declaration. These methods will always be listed and callable, and are expected to provide the required checks themselves.

Doing it this way means no breakage with regards to API/interfaces for other plugins that may provide additional xml-rpc methods using "old-style". I think that works OK, and is both an intuitive and non-obtrusive change.

Call for feedback: The web page with method overview, as well as various system methods use the general permission to restrict view. With most methods now not restricted as "it depends", I'm leaning towards removing these checks so that the full API is always published for all with XML_RPC permission. Permissions are restricted only when calls are made. I'll cast my vote in favour of full API always being published, but I'll listen to arguments before deciding.

Testing by others welcome - please :-)

comment:2 Changed 9 years ago by osimons

Resolution: fixed
Status: newclosed

(In [6063]) XmlRpcPlugin: Implemented full support for Trac 0.11 fine-grained permissions and security policies. Closes #5380.

This change makes some changes in the displayed set of methods, as the new answer to permissions is "it depends"... It depends on whatever security policies are running on the specific Trac installation. There is therefore new support for specifying None as method permission, but then each method is responsible for checking permissions per resource.

Most important/useful methods now use resource-level permissions, and the method listing and HTML display of API is therefore changed to always list all operative methods. HTML tables is also reformatted to be easier to browse.

Version bumped.

Modify Ticket

Change Properties
Set your email in Preferences
as closed The owner will remain osimons.
The resolution will be deleted.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.