|Version 13 (modified by trac, 11 months ago) (diff)|
Set up restricted areas with access only for privileged users in Trac 0.10.x
The RestrictedAreaPlugin is a pretty simple Trac plugin that allows the Trac administrator to set up restricted areas which are accessible only for privileged users in Trac 0.10.x installations. The access is controlled via the new Trac action RESTRICTED_AREA_ACCESS and a list of paths configured in the Trac INI-file.
IMPORTANT WARNING: Don't use the plugin for trying to hide sensitive data! The plugin is only a very simple protection against viewing Trac pages with restricted access! As pointed out by #2116 and #2364 not all parts of a restricted area can be restricted from visibility. With enough efforts it is thus possible to view all parts of a restricted page without the need of direct access to it. Unfortunately it isn't easily possible to further restrict access with Trac 0.10.x.
The plugin is tested only in our Trac environment which is a version 0.10.3 installation and in a 0.10.4 installation; it's known to not work with version 0.10.2 (cf. bug #1184) and will probably not work with earlier versions either. If you are running the plugin successfully in any other installation than the ones mentioned, then please edit this page accordingly -- alternatively file an informational ticket and I'll add the information myself ;-) Thanks!
Hint: For the newer Trac versions (0.11 and higher) the plugin will probably not work. But here the plugin should not be needed anyway as Trac has a fine-grained permission system included by default since 0.11. Head over to the SecurityBranch for more information on this.
If you have any issues, create a new ticket.
To enable the plugin, add the following line to the [components] section of your Trac INI-file:
restrictedarea.filter.* = enabled
If you don't explicitly set anything, the path /wiki/restricted has restricted access only. Usually, however, you will specify your own restricted areas via paths in the Trac INI-file. Therefore you add the [restrictedarea] section with paths specified in the following form:
[restrictedarea] paths = /wiki/secret, /wiki/area51
Finally you have to add RESTRICTED_AREA_ACCESS action permissions to each subject (users or groups) that may access the pages below the specified paths -- just like you would do with any of the Trac built-in actions.
The plugin was originally inspired by the HttpAuthPlugin. It was developed at the German Research Center for Artificial Intelligence, DFKI by me, Christian Spurk. Suggestions and feedback are always welcome; please note, however, that the plugin is my very first Python work and was developed during my first few weeks of contact with Trac. That means I'm neither a Python nor a Trac guru at all, so if you suggest enhancements to the plugin, then it would help a lot to give me some hints on how to implement certain things.
Finally if you're successfully using the RestrictedAreaPlugin I'd be happy to hear from you; just drop me a line, so I can see the plugin is appreciated and actually useful for someone -- thanks in advance :-)