Contents
Remove Trac permissions using a blacklist and/or whitelist
Description
This plugin allows you to remove Trac permissions using a blacklist and/or a whitelist.
This hack was born to be able to archive projects without touching the Trac database, the idea is to use the filter to disable all permissions that allow users to modify it without changing their permissions on the database and be able to restore the project to the original state simply disabling the filter.
To filter permissions as desired the plugin has to be the first one on the permission_policy
list and it works by checking the permissions against the blacklist and the whitelist in that order. If a permission is in both lists it is blacklisted.
The process is as follows:
- If the
blacklist
is available and the permission being considered is on the list thecheck_permission
function returnsFalse
and the permission evaluation stops. - If the
whitelist
is available and the permission we are checking is not on the list thecheck_permission
function returnsFalse
and the permission evaluation stops. - If the evaluation gets here the permission is ignored by the plugin and the next permission policy is checked.
If the boolean option adminmeta
is True, then the filters are ignored for users with the TRAC_ADMIN
permission.
Bugs/Feature Requests
Existing bugs and feature requests for TracPermissionFilterPlugin are here.
If you have any issues, create a new ticket.
defect |
1 / 1 |
---|
Download
Download the zipped source from here.
Source
You can check out TracPermissionFilterPlugin from here using Subversion, or browse the source with Trac.
Installation
General instructions on installing Trac plugins can be found on the TracPlugins page.
Configuration
After enabling the plugin in your trac.ini
file:
[components] tracpermissionfilter.* = enabled
Add a section with the list of permissions to allow:
[permission-filter] whitelist = BROWSER_VIEW,CHANGESET_VIEW,FILE_VIEW,LOG_VIEW,MILESTONE_VIEW,REPORT_SQL_VIEW,REPORT_VIEW,ROADMAP_VIEW,SEARCH_VIEW,TICKET_VIEW,TIMELINE_VIEW,WIKI_VIEW
or a list of permissions to deny:
[permission-filter] blacklist = BROWSER_VIEW
The use of the two lists (black and white) makes sense when using inheritance to avoid repeating long lists. For example, we can have a long whitelist and reduce it only in one project using the blacklist.
The plugin has also an additional boolean option called adminmeta
. If this option is set to True (the default), then the filters don't affect the users with TRAC_ADMIN
permission:
[permission-filer] adminmeta = true
If the variable is set to False
filtering has odd effects on users with the TRAC_ADMIN
permission because we reject based on action
name and TRAC_ADMIN
is a meta permission that usually is not checked directly.
Lastly, remember to put the filter the first on your project permission_policies
:
[trac] permission_policies = PermissionFilter, DefaultPermissionPolicy
Recent Changes
- 13912 by rjollos on 2014-05-07 21:26:21
-
Fixed indentation and replaced tabs with spaces. Fixes #11737.
- 12139 by rjollos on 2012-10-10 01:54:13
-
Fixed incorrect source code encoding (http://www.python.org/dev/peps/pep-0263/).
- 10850 by sto on 2011-10-28 16:08:29
-
Changed TRAC_ADMIN handig and renamed config option
(more)
Author/Contributors
Author: sto
Maintainer: Sergio Talens-Oliag
Contributors: