Changes between Version 2 and Version 3 of TracFineGrainedPermissions


Ignore:
Timestamp:
Jun 26, 2013 2:21:39 PM (11 years ago)
Author:
trac
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • TracFineGrainedPermissions

    v2 v3  
     1[[PageOutline(2-5, Contents, floated)]] 
    12= Fine grained permissions = 
    23 
     
    3132==== Configuration ==== 
    3233* Install [http://www.voidspace.org.uk/python/configobj.html ConfigObj] (still needed for 0.12). 
    33 * Copy authz_policy.py into your plugins directory. 
     34* Copy authz_policy.py into your plugins directory (only for Trac 0.11). 
    3435* Put a [http://swapoff.org/files/authzpolicy.conf authzpolicy.conf] file somewhere, preferably on a secured location on the server, not readable for others than the webuser. If the  file contains non-ASCII characters, the UTF-8 encoding should be used. 
    3536* Update your `trac.ini`: 
     
    4041permission_policies = AuthzPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy 
    4142}}} 
    42   2. add a new `[authz_policy]` section 
     43  1. add a new `[authz_policy]` section 
    4344{{{ 
    4445[authz_policy] 
    4546authz_file = /some/trac/env/conf/authzpolicy.conf 
    4647}}} 
    47   3. enable the single file plugin 
     48  1. enable the plugin through [/admin/general/plugin WebAdmin] or by editing the `[components]` section 
    4849{{{ 
    4950[components] 
     
    5455#authz_policy.* = enabled  
    5556}}} 
     57 
     58 
    5659==== Usage Notes ==== 
    5760Note that the order in which permission policies are specified is quite critical,  
     
    107110    denied rather than granted. 
    108111 
    109   The username will match any of 'anonymous', 
    110   'authenticated', <username> or '*', using normal Trac permission rules. 
     112  The username will match any of 'anonymous', 'authenticated', <username> or '*', using normal Trac permission rules. || '''Note:''' Other groups which are created by user (e.g. by 'adding subjects to groups' on web interface page //Admin / Permissions//) cannot be used. See [trac:ticket:5648 #5648] for details about this missing feature || 
    111113 
    112114For example, if the `authz_file` contains: 
     
    190192 
    191193 
     194==== Missing Features ==== 
     195Although possible with the !DefaultPermissionPolicy handling (see Admin panel), fine-grained permissions still miss those grouping features (see [trac:ticket:9573 #9573], [trac:ticket:5648 #5648]). Patches are partially available, see forgotten authz_policy.2.patch  part of [trac:ticket:6680 #6680]). 
     196 
     197You cannot do the following: 
     198{{{ 
     199[groups] 
     200team1 = a, b, c 
     201team2 = d, e, f 
     202team3 = g, h, i 
     203departmentA = team1, team2 
     204}}} 
     205 
     206Permission groups are not supported either. You cannot do the following: 
     207{{{ 
     208[groups] 
     209permission_level_1 = WIKI_VIEW, TICKET_VIEW 
     210permission_level_2  = permission_level_1, WIKI_MODIFY, TICKET_MODIFY 
     211[*] 
     212@team1 = permission_level_1 
     213@team2 = permission_level_2 
     214@team3 = permission_level_2, TICKET_CREATE 
     215}}} 
     216 
    192217=== !AuthzSourcePolicy  (mod_authz_svn-like permission policy) === #AuthzSourcePolicy 
    193218