Opened 8 years ago

Closed 8 years ago

Fine-grained permissions support

Reported by: Odd Simon Simonsen
Owned by: Odd Simon Simonsen
high XmlRpcPlugin normal 0.11

Description

All methods need to be reviewed to make sure they support Trac 0.11 fine-grained permissions, allowing security policies to have a say about what is returned.

Changed 8 years ago by Odd Simon Simonsen

Fine-grained permissions (Trac 0.11 security enhancements).

comment:1 Changed 8 years ago by Odd Simon Simonsen

attachment:t5380-fine_grained_permissions-r6057.diff makes the XmlRpcPlugin and its default supplied methods support the security model provided by Trac 0.11 - essentially a "by resource" model, so that security "depends"...

To support this, I had to remove the general check for a certain permission and move the permission checks into each function, depending on what the function does and what resource it operates on. A user that doesn't have general TICKET_VIEW permissions may still have TICKET_VIEW for a specific ticket. And some methods have both, like search.performSearch(), which has a general SEARCH_VIEW that is really not so useful in itself, but where the hits are also filtered against permissions on a resource level.

Methods using "new-style" permission - i.e. methods where permission checks should be deferred to the function answering the call - should leave permission empty in their declaration. These methods will always be listed and callable, and are expected to provide the required checks themselves.

Doing it this way means no breakage with regards to API/interfaces for other plugins that may provide additional xml-rpc methods using "old-style". I think that works OK, and is both an intuitive and non-obtrusive change.

Call for feedback: The web page with method overview, as well as various system methods use the general permission to restrict view. With most methods now not restricted as "it depends", I'm leaning towards removing these checks so that the full API is always published for all with XML_RPC permission. Permissions are restricted only when calls are made. I'll cast my vote in favour of full API always being published, but I'll listen to arguments before deciding.

Testing by others welcome - please :-)

comment:2 Changed 8 years ago by Odd Simon Simonsen

Resolution: → fixed
Status: new → closed

(In [6063]) XmlRpcPlugin: Implemented full support for Trac 0.11 fine-grained permissions and security policies. Closes #5380.

This change makes some changes in the displayed set of methods, as the new answer to permissions is "it depends"... It depends on whatever security policies are running on the specific Trac installation. There is therefore new support for specifying None as method permission, but then each method is responsible for checking permissions per resource.

Most important/useful methods now use resource-level permissions, and the method listing and HTML display of API is therefore changed to always list all operative methods. HTML tables are also reformatted to be easier to browse.

Version bumped.
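
The dispatch model discussed in this ticket, as an added example that is not part of the ticket, the attached diff or the plugin's code: a method declared with permission `None` is always callable and checks the specific resource itself, while an old-style method keeps its general check. Every name here (`GRANTS`, `dispatch`, `legacy.deletePage`, the sample users and tickets) is a constructed assumption, and filtering search hits on TICKET_VIEW is assumed because all sample hits are tickets.

```python
# Simplified model of the dispatch described in the ticket; this is not Trac's
# or XmlRpcPlugin's API. All names and sample data are constructed.
class PermissionDenied(Exception):
    pass

# Constructed policy: (user, action, resource); resource None = general grant.
GRANTS = {
    ("alice", "XML_RPC", None),
    ("alice", "SEARCH_VIEW", None),
    ("alice", "TICKET_VIEW", "ticket:7"),   # resource-level grant only
    ("bob", "XML_RPC", None),
    ("bob", "TICKET_VIEW", None),           # general grant covers every ticket
}

def has_permission(user, action, resource=None):
    """A general grant implies the action on every resource."""
    return (user, action, None) in GRANTS or (user, action, resource) in GRANTS

def require(user, action, resource=None):
    if not has_permission(user, action, resource):
        raise PermissionDenied(f"{action} denied for {user} on {resource}")

TICKETS = {"ticket:7": "Fine-grained permissions", "ticket:8": "Private report"}

def ticket_get(user, ticket_id):
    # New-style: the method checks the specific resource itself.
    require(user, "TICKET_VIEW", ticket_id)
    return TICKETS[ticket_id]

def search_perform(user, query):
    # General check first, then every hit is filtered at resource level.
    require(user, "SEARCH_VIEW")
    hits = [t for t, title in TICKETS.items() if query.lower() in title.lower()]
    return [t for t in hits if has_permission(user, "TICKET_VIEW", t)]

# Declared permission None = "new-style": the dispatcher defers to the method.
METHODS = {
    "ticket.get": (None, ticket_get),
    "search.performSearch": (None, search_perform),
    # Hypothetical old-style method from another plugin: general check only.
    "legacy.deletePage": ("WIKI_DELETE", lambda user, page: f"deleted {page}"),
}

def dispatch(user, name, *args):
    require(user, "XML_RPC")
    permission, func = METHODS[name]
    if permission is not None:      # old-style general check stays in place
        require(user, permission)
    return func(user, *args)
```

A new-style method that forgets its own `require` call is reachable by anyone with XML_RPC, so each such method needs a test with a user who holds no grant on the resource.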
