
Olemis Lang committed 288d3cf

TracBasicMacros: Access control to config options (trac.ini + PermissionsSystem)

  • Parent commits 484d0ab


Files changed (1)

File trac-dev/tracbm/tracbm/config.py

 from trac.core import TracError, Interface
 from trac.config import *
 from trac.config import _TRUE_VALUES
+from trac.util.compat import all
 from trac.util.text import to_unicode
 from trac.util.translation import _
 from trac.wiki.api import parse_args
                             the interface are returned, with those specified 
                             by the option ordered first (optional if type is 
                             `extension_list`).
+    
+    Note: In order to render the target information the approprioate permission 
+            have to be granted by specifying a (comma-separated) list of 
+            permission names in options of the form `section.option`, 
+            `section.*` or , `*` in `config-perm` section. For instance the 
+            following configuration
+            
+            {{{
+            [config-perm]
+            * = WIKI_ADMIN, TICKET_ADMIN
+            project.* = WIKI_VIEW
+            project.name = *
+            }}}
+            
+            allows users having `WIKI_ADMIN` and `TICKET_ADMIN` permissions to view 
+            all configuration options, in addition all those having `WIKI_VIEW` 
+            permission may see all options under `project` section, and finally 
+            option `project.name` may be seen by everybody.
     """
     OPTION_MAP = {Option: 'text',
                     BoolOption: 'bool',
                     }
     
     def expand_macro(self, formatter, name, content):
-        # TODO: Implement `type` and `sep` options
         # TODO: Permissions for sections and individual options
         args, kw = parse_args(content)
         try :
             raise TracError(_('Specify both section and option name, and nothing else'))
         else :
             s = s.strip() ; o = o.strip()
+            perm_options = tuple(('%s.%s,%s.*,*' % (s, o, s)).split(','))
+            req = formatter.context.req
+            getlist = self.config.getlist
+            if 'TRAC_ADMIN' not in req.perm and \
+                    all(p != '*' and p not in req.perm for _o in perm_options \
+                                            for p in getlist('config-perm', _o, \
+                                                            keep_empty=False)):
+                self.log.warning('Preventing user `%s` from reading option '
+                                    '`%s` in `%s`', req.authname, o, s)
+                raise TracError(_('Insufficient privileges '
+                                    'to perform this operation.') + 
+                                    _(' Check %s, %s, %s in trac.ini') % perm_options)
             opt_type = kw.get('type', 'auto')
             self.log.debug('Rendering config option %s in %s using %s', 
                             o, s, opt_type)
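Review bot: Building `perm_options` by formatting `'%s.%s,%s.*,*'` and then splitting on `,` (the first added line in `expand_macro`) yields exactly three names only when neither `s` nor `o` contains a comma. If the macro arguments can carry one (for example through an escaped comma in `parse_args`, which is not visible here), the `config-perm` lookups run against names other than the three intended, and `% perm_options` in the error message raises `TypeError` instead of the intended `TracError`. Build the tuple directly instead: `perm_options = ('%s.%s' % (s, o), '%s.*' % s, '*')`. The `all(...)` test denies access only when none of the listed permissions is held, so any single one grants it; the docstring example's "`WIKI_ADMIN` and `TICKET_ADMIN`" should say "or" so administrators do not read it as requiring both. The `# TODO: Permissions for sections and individual options` comment is now stale, and `expand_macro` starts and ends outside the visible hunks.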