| 291 | === Global vs. Environment permissions === |
| 292 | |
| 293 | Starting from release '''v0.3.0''', permissions are defined on a per-environment basis rather than globally (unless `global_perms` is set in the environment configuration file). |
| 294 | |
| 295 | With environment-wide permissions, it is now possible to define distinct permissions for each Trac environment (as long as their names differ) even if they access the same LDAP directory.[[BR]] |
| 296 | |
| 297 | The Trac LDAP permission attribute values are prefixed with the environment name.[[BR]] |
| 298 | Using the previous example, and assuming the environment is named "test", the permission attributes would become: |
| 299 | {{{ |
| 300 | dn: uid=courtney,dc=example,dc=org |
| 301 | objectclass: user |
| 302 | objectclass: trac |
| 303 | tracperm: test:TICKET_VIEW |
| 304 | tracperm: test:REPORT_CREATE |
| 305 | tracperm: test:REPORT_VIEW |
| 306 | }}} |
| 307 | |
| 308 | It is still possible to use global permissions by setting the following in the `[ldap]` section of the environment configuration file: |
| 309 | {{{ |
| 310 | global_perms = true |
| 311 | }}} |
| 312 | |
| 313 | When a directory contains global permission directives, those permissions apply to every Trac environment accessing the LDAP directory, whatever the `global_perms` value. However, permissions are always created using the current environment's permission setting. |
| 314 | |
| 315 | From the administrative point of view (`trac-admin`, [http://projects.edgewall.com/trac/wiki/WebAdmin WebAdmin], ...), there are no changes: permissions are defined and retrieved as usual. |
| 316 | |
| 317 | ''Note:'' The environment ''name'' is based on the root directory of the Trac environment. This means that if you use different environments with the same name, such as |
| 318 | `/var/local/trac/test` and `/var/db/test`, they are both named "test" and share the same permissions. This is a known limitation of the current implementation. |
| 319 | |
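The following sketch is an added example, not the plugin's own code. It models the resolution rules described above so an administrator can check which permissions an LDAP entry yields in each environment and which environment roots collide on the same name. It assumes that a `tracperm` value without an `env:` prefix is a global directive, that the environment name is the last component of the root directory, and that "the current environment's permission setting" means `global_perms`; the function names and sample data are constructed for illustration.

```python
import os
from collections import defaultdict

def env_name(env_path):
    """Environment name as described above: last component of the root directory."""
    return os.path.basename(os.path.normpath(env_path))

def effective_perms(tracperm_values, env_path):
    """Permissions one LDAP entry grants in the environment rooted at env_path.

    Assumption: an unprefixed value is a global directive. Global directives
    apply in every environment, whatever its global_perms value.
    """
    name = env_name(env_path)
    perms = set()
    for value in tracperm_values:
        prefix, sep, action = value.partition(":")
        if not sep:
            perms.add(value.strip())          # global directive
        elif prefix.strip() == name:
            perms.add(action.strip())         # scoped to this environment name
    return perms

def new_perm_value(action, env_path, global_perms=False):
    """Attribute value written for a new permission (assumed reading of the
    rule that creation follows the current environment's setting)."""
    return action if global_perms else "%s:%s" % (env_name(env_path), action)

def shared_names(env_paths):
    """Environment roots that resolve to the same name and so share permissions."""
    groups = defaultdict(list)
    for path in env_paths:
        groups[env_name(path)].append(path)
    return {n: sorted(p) for n, p in groups.items() if len(p) > 1}

# Constructed sample data: one entry's tracperm values and three environment roots.
COURTNEY = ["test:TICKET_VIEW", "test:REPORT_CREATE", "test:REPORT_VIEW",
            "prod:TRAC_ADMIN", "WIKI_VIEW"]
ENVS = ["/var/local/trac/test", "/var/db/test", "/var/local/trac/prod"]

if __name__ == "__main__":
    for env in ENVS:
        print(env, sorted(effective_perms(COURTNEY, env)))
    print("shared names:", shared_names(ENVS))
```

Running `shared_names` over the list of deployed environment roots is a quick audit for the known limitation noted above: any group it returns is a set of environments whose users hold identical permissions.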