trac-ticketlinks / sample-plugins / permissions /

Full commit
# -*- coding: utf-8 -*-
# Copyright (C) 2007-2008 Edgewall Software
# Copyright (C) 2007 Alec Thomas <>
# All rights reserved.
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
# are also available at
# This software consists of voluntary contributions made by many
# individuals. For the exact contribution history, see the revision
# history and logs, available at
# Author: Alec Thomas <>

revision = "$Rev$"
url = "$URL$"

"""Permission policy enforcement through an authz-like configuration file.

Refer to SVN documentation for syntax of the authz file. Groups are supported.

As the fine-grained permissions brought by this permission policy are often
used in complement of the other pemission policies (like the
DefaultPermissionPolicy), there's no need to redefine all the permissions
here. Only additional rights or restrictions should be added.


Note that this plugin requires the `configobj` package:
You should be able to install it by doing a simple `easy_install configobj`

Enabling this policy requires listing it in the trac.ini:

permission_policies = AuthzPolicy, DefaultPermissionPolicy

authz_file = conf/authzpolicy.conf

This means that the AuthzPolicy permissions will be checked first, and only
if no rule is found will the DefaultPermissionPolicy be used.


The authzpolicy.conf file is a .ini style configuration file.

 - Each section of the config is a glob pattern used to match against a Trac
   resource descriptor. These descriptors are in the form:

     <realm>:<id>@<version>[/<realm>:<id>@<version> ...]

   Resources are ordered left to right, from parent to child.
   If any component is inapplicable, * is substituted.
   If the version pattern is not specified explicitely, all versions (@*)
   is added implicitly

   e.g. the WikiStart page will be matched by:

   e.g. An attachment on WikiStart:


   any of the following sections would match it:


 - Sections are checked against the current Trac resource **IN ORDER** of
   appearance in the configuration file. ORDER IS CRITICAL.

 - Once a section matches, the current username is matched, **IN ORDER**,
   against the keys of the section. If a key is prefixed with a @, it is
   treated as a group. If a key is prefixed with a !, the permission is denied
   rather than granted. The username will match any of 'anonymous',
   'authenticated', <username> or '*', using normal Trac permission rules.

Example configuration:

    administrators = athomas


    @administrators = WIKI_ADMIN
    anonymous = WIKI_VIEW
    * = WIKI_VIEW

    # Deny access to page templates
    * =

    # Match everything else
    @administrators = TRAC_ADMIN
    # Give authenticated users some extra permissions
    authenticated = REPO_SEARCH, XML_RPC


import os
from fnmatch import fnmatch
from trac.core import *
from trac.config import Option
from trac.util.compat import set, groupby
from trac.perm import PermissionSystem, IPermissionPolicy
from configobj import ConfigObj

class AuthzPolicy(Component):


    authz_file = Option('authz_policy', 'authz_file', None,
                        'Location of authz policy configuration file.')

    authz = None
    authz_mtime = None

    # IPermissionPolicy methods
    def check_permission(self, action, username, resource, perm):
        if self.authz_file and not self.authz_mtime or \
                os.path.getmtime(self.get_authz_file()) > self.authz_mtime:
        resource_key = self.normalise_resource(resource)
        self.log.debug('Checking %s on %s', action, resource_key)
        permissions = self.authz_permissions(resource_key, username)
        if permissions is None:
            return None                 # no match, can't decide
        elif permissions == ['']:
            return False                # all actions are denied

        # FIXME: expand all permissions once for all
        ps = PermissionSystem(self.env)
        for deny, perms in groupby(permissions,
                                    key=lambda p: p.startswith('!')):
            if deny and action in ps.expand_actions([p[1:] for p in perms]):
                return False            # action is explicitly denied
            elif action in ps.expand_actions(perms):
                return True            # action is explicitly granted

        return None                    # no match for action, can't decide

    # Internal methods

    def get_authz_file(self):
        f = self.authz_file
        return os.path.isabs(f) and f or os.path.join(self.env.path, f)

    def parse_authz(self):
        self.env.log.debug('Parsing authz security policy %s' %
        self.authz = ConfigObj(self.get_authz_file())
        self.groups_by_user = {}
        for group, users in self.authz.get('groups', {}).iteritems():
            if isinstance(users, basestring):
                users = [users]
            for user in users:
                self.groups_by_user.setdefault(user, set()).add('@' + group)
        self.authz_mtime = os.path.getmtime(self.get_authz_file())

    def normalise_resource(self, resource):
        def flatten(resource):
            if not resource or not (resource.realm or
                return []
            # XXX Due to the mixed functionality in resource we can end up with
            # ticket, ticket:1, ticket:1@10. This code naively collapses all
            # subsets of the parent resource into one. eg. ticket:1@10
            parent = resource.parent
            while parent and (resource.realm == parent.realm or \
                    (resource.realm == parent.realm and ==
                parent = parent.parent
            if parent:
                parent = flatten(parent)
                parent = []
            return parent + ['%s:%s@%s' % (resource.realm or '*',
                                  or '*',
                                           resource.version or '*')]
        return '/'.join(flatten(resource))

    def authz_permissions(self, resource_key, username):
        # TODO: Handle permission negation in sections. eg. "if in this
        # ticket, remove TICKET_MODIFY"
        valid_users = ['*', 'anonymous']
        if username and username != 'anonymous':
            valid_users += ['authenticated', username]
        for resource_section in [a for a in self.authz.sections
                                 if a != 'groups']:
            resource_glob = resource_section
            if '@' not in resource_glob:
                resource_glob += '@*'

            if fnmatch(resource_key, resource_glob):
                section = self.authz[resource_section]
                for who, permissions in section.iteritems():
                    if who in valid_users or \
                            who in self.groups_by_user.get(username, []):
                        self.env.log.debug('%s matched section %s for user %s'
                                % (resource_key, resource_glob, username))
                        if isinstance(permissions, basestring):
                            return [permissions]
                            return permissions
        return None