| | 291 | === Global vs. Environment permissions === |
| | 292 | |
| | 293 | Starting from release '''v0.3.0''', permissions are not defined globally (unless `global_perms` is set in the environment configuration file), but on per-environment basis. |
| | 294 | |
| | 295 | With environment-wide permissions, it is now possible to define distinct permissions for each Trac environment (as long as their name differ) even if they access the same LDAP directory.[[BR]] |
| | 296 | |
| | 297 | The Trac LDAP permission attribute value are prefixed with the environment name.[[BR]] |
| | 298 | Using the previous example, assuming the environment name is named "test", permission attributes would become: |
| | 299 | {{{ |
| | 300 | dn: uid=courtney,dc=example,dc=org |
| | 301 | objectclass: user |
| | 302 | objectclass: trac |
| | 303 | tracperm: test:TICKET_VIEW |
| | 304 | tracperm: test:REPORT_CREATE |
| | 305 | tracperm: test:REPORT_VIEW |
| | 306 | }}} |
| | 307 | |
| | 308 | It is still possible to use global permissions by setting in the `[ldap]` section of the environment configuration file: |
| | 309 | {{{ |
| | 310 | global_perms = true |
| | 311 | }}} |
| | 312 | |
| | 313 | When a directory contains global permission directives, those permissions apply on every Trac environment accessing the LDAP directory, whichever the `global_perms` value. However, permissions are always created using the current environment permission setting. |
| | 314 | |
| | 315 | From the administrative point of view (`trac-admin`, [http://projects.edgewall.com/trac/wiki/WebAdmin WebAdmin], ...), there are no changes: permission are defined and retrieved as usual. |
| | 316 | |
| | 317 | ''Note:'' The environment ''name'' is based on the root directory of the Trac environment. This means that if you use different environment with the same name, such as: |
| | 318 | `/var/local/trac/test` and `/var/db/test`, they are both named "test" and share the same permissions. This is a known limitation of the current implementation. |
| | 319 | |
