
Mailing List Archive: Trac: Users

removing sources access from the default permission

 

 



fbrettschneider at baumer

Jun 13, 2012, 1:40 AM

Post #1 of 11 (1043 views)
removing sources access from the default permission

Hi,
I expected that
trac-admin /path/to/project permission remove anonymous BROWSER_VIEW
removes the access to the source browser from the default permissions.

But that doesn't work. It seems 'permission remove' cannot remove from the default permissions. Am I right?

How can I prevent anonymous from accessing the sources? I don't actually want that via "lowlevel" Apache configuration.

CU, F [at] l

----
Falk Brettschneider
R&D Software
Baumer Optronic GmbH
www.baumer.com





Geschäftsführer: Marcel Seeber * Dr. Oliver Vietze
Sitz der Gesellschaft: Radeberg
Amtsgericht Dresden: HRB 15379
Ust. ID: DE 189714583


--
You received this message because you are subscribed to the Google Groups "Trac Users" group.
To post to this group, send email to trac-users [at] googlegroups
To unsubscribe from this group, send email to trac-users+unsubscribe [at] googlegroups
For more options, visit this group at http://groups.google.com/group/trac-users?hl=en.


mark.cooke at siemens

Jun 13, 2012, 1:55 AM

Post #2 of 11 (998 views)
RE: removing sources access from the default permission [In reply to]

> -----Original Message-----
> From: trac-users [at] googlegroups
> [mailto:trac-users [at] googlegroups] On Behalf Of Brettschneider Falk
> Sent: 13 June 2012 09:41
> To: trac-users [at] googlegroups
> Subject: [Trac] removing sources access from the default permission
>
> Hi,
> I expected that
> trac-admin /path/to/project permission remove anonymous BROWSER_VIEW
> removes the access to the source browser from the default permissions.
>
> But that doesn't work. It seems 'permission remove' cannot
> remove from the default permissions. Am I right?

Nope, I completely remove all anonymous permissions, using a windows bat file.

What does `trac-admin <repo> permission list anonymous` display?

Have you tried the web admin interface instead?

~ mark c

> How can I prevent anonymous from accessing the sources? I
> don't actually want that via "lowlevel" Apache configuration.
>
> CU, F [at] l



fbrettschneider at baumer

Jun 13, 2012, 2:08 AM

Post #3 of 11 (996 views)
RE: removing sources access from the default permission [In reply to]

Cooke, Mark wrote:
> F [at] l wrote:
> > I expected that
> > trac-admin /path/to/project permission remove anonymous BROWSER_VIEW
> > removes the access to the source browser from the default permissions.
> >
> > But that doesn't work. It seems 'permission remove' cannot
> > remove from the default permissions. Am I right?
>
> Nope, I completely remove all anonymous permissions, using a windows bat
> file.
What do you call to remove all anonymous permissions?

> What does `trac-admin <repo> permission list anonymous` display?
User Action
-------------------
anonymous WIKI_VIEW

That's why I set but this is without the default permissions how it looks like.

> Have you tried the web admin interface instead?
yes.

>
> ~ mark c


CU, F [at] l



mark.cooke at siemens

Jun 13, 2012, 3:04 AM

Post #4 of 11 (998 views)
RE: removing sources access from the default permission [In reply to]

> -----Original Message-----
> From: trac-users [at] googlegroups
> [mailto:trac-users [at] googlegroups] On Behalf Of Brettschneider Falk
> Sent: 13 June 2012 10:08
> To: trac-users [at] googlegroups
> Subject: [Trac] RE: removing sources access from the default
> permission
>
> Cooke, Mark wrote:
> > F [at] l wrote:
> > > I expected that
> > > trac-admin /path/to/project permission remove anonymous
> > > BROWSER_VIEW
> > > removes the access to the source browser from the default
> > > permissions.
> > >
> > > But that doesn't work. It seems 'permission remove' cannot
> > > remove from the default permissions. Am I right?
> >
> > Nope, I completely remove all anonymous permissions, using
> > a windows bat file.
> >
> What do you call to remove all anonymous permissions?

c:\python26\scripts\trac-admin %1 permission remove anonymous '*'

(where %1 is passed in as the repo directory)

> > What does `trac-admin <repo> permission list anonymous` display?
> User Action
> -------------------
> anonymous WIKI_VIEW

...so they should only be able to see the wiki. Sounds odd...

Are you sure your test user is not included in some other group? ...or accessing the svn browser instead of the Trac browser?

~ mark c

> That's why I set but this is without the default permissions
> how it looks like.
>
> > Have you tried the web admin interface instead?
> yes.
>
> >
> > ~ mark c
>
>
> CU, F [at] l
>


fbrettschneider at baumer

Jun 13, 2012, 4:10 AM

Post #5 of 11 (996 views)
RE: removing sources access from the default permission [In reply to]

Cooke, Mark wrote:
> F [at] l wrote:
> > What do you call to remove all anonymous permissions?
>
> c:\python26\scripts\trac-admin %1 permission remove anonymous '*'
Is this a remove of all permissions set by user or also the default permissions? Can one change the default permissions?

> > User Action
> > -------------------
> > anonymous WIKI_VIEW
>
> ...so they should only be able to see the wiki. Sounds odd...
I also use the UserManagerPlugin. For a certain user who should act with the permissions of anonymous it shows BROWSER_VIEW disabled but checked on, like here: http://trac-hacks.org/attachment/wiki/UserManagerPlugin/screenshot3.png

What does this mean?

>
> Are you sure your test user is not included in some other group?
No, that user is not listed on the Admin permission panel.

> ...or
> accessing the svn browser instead of the Trac browser?
No

>
> ~ mark c



CU, F [at] l



mark.cooke at siemens

Jun 13, 2012, 5:28 AM

Post #6 of 11 (994 views)
RE: removing sources access from the default permission [In reply to]

> -----Original Message-----
> From: trac-users [at] googlegroups
> [mailto:trac-users [at] googlegroups] On Behalf Of Brettschneider Falk
> Sent: 13 June 2012 12:11
> To: trac-users [at] googlegroups
> Subject: [Trac] RE: removing sources access from the default
> permission
>
> Cooke, Mark wrote:
> > F [at] l wrote:
> > > What do you call to remove all anonymous permissions?
> >
> > c:\python26\scripts\trac-admin %1 permission remove anonymous '*'
> Is this a remove of all permissions set by user or also the
> default permissions? Can one change the default permissions?

The `anonymous` user's permissions are what people get who aren't logged in. The `authenticated` user's permissions are for any known user with no other specific permissions set. The above command removes all permissions from unknown users, so they just see Trac's `you need permissions` page for any URL in that Trac.

> > > User Action
> > > -------------------
> > > anonymous WIKI_VIEW
> >
> > ...so they should only be able to see the wiki. Sounds odd...

> I also use the UserManagerPlugin. For a certain user who
> should act with the permissions of anonymous it shows
> BROWSER_VIEW disabled but checked on, like here:
> http://trac-hacks.org/attachment/wiki/UserManagerPlugin/screenshot3.png
>
> What does this mean?

Ah, sorry, I don't know. It looks like the plugin is enforcing some minimum set of permissions but we don't use it (or the AccountManagerPlugin). It might be worth changing the subject of this question to include the plugin name, might attract someone else to answer. Mind you, I'm not sure that plugin is maintained by the author anymore but maybe `hasienda` is still around?

~ mark c

> >
> > Are you sure your test user is not included in some other group?
> No, that user is not listed on the Admin permission panel.
>
> > ...or
> > accessing the svn browser instead of the Trac browser?
> No
>
> >
> > ~ mark c
>
>
>
> CU, F [at] l
>


fbrettschneider at baumer

Jun 13, 2012, 5:49 AM

Post #7 of 11 (993 views)
RE: removing sources access from the default permission [In reply to]

Cooke, Mark wrote:
> F [at] l wrote:
> > Cooke, Mark wrote:
> > > F [at] l wrote:
> > > > What do you call to remove all anonymous permissions?
> > >
> > > c:\python26\scripts\trac-admin %1 permission remove anonymous '*'
> > Is this a remove of all permissions set by user or also the
> > default permissions? Can one change the default permissions?
>
> The `anonymous` user's permissions is what people get who aren't logged
> in. The `authenticated` user's permissions are for any known user with no
> other specific permissions set. The above command removes all permissions
> from unknown users, so they just see Trac's `you need permissions` page
> for any URL in that Trac.

So I understand it as
permission remove
can remove the default permissions _as well_.

>
> > > > User Action
> > > > -------------------
> > > > anonymous WIKI_VIEW
> > >
> > > ...so they should only be able to see the wiki. Sounds odd...
>
> > I also use the UserManagerPlugin. For a certain user who
> > should act with the permissions of anonymous it shows
> > BROWSER_VIEW disabled but checked on, like here:
> > http://trac-hacks.org/attachment/wiki/UserManagerPlugin/screenshot3.png
> >
> > What does this mean?
>
> Ah, sorry, I don't know. It looks like the plugin is enforcing some
> minimum set of permissions

I don't think UserManagerPlugin is guilty. It also happens if UserManagerPlugin is deactivated.

CU, F [at] l



mark.cooke at siemens

Jun 13, 2012, 6:13 AM

Post #8 of 11 (995 views)
RE: removing sources access from the default permission [In reply to]

> -----Original Message-----
> From: trac-users [at] googlegroups
> [mailto:trac-users [at] googlegroups] On Behalf Of Brettschneider Falk
> Sent: 13 June 2012 13:49
> To: trac-users [at] googlegroups
> Subject: [Trac] RE: removing sources access from the default
> permission
>
> Cooke, Mark wrote:
> > F [at] l wrote:
> > > Cooke, Mark wrote:
> > > > F [at] l wrote:
> > > > > What do you call to remove all anonymous permissions?
> > > >
> > > > c:\python26\scripts\trac-admin %1 permission remove anonymous '*'
> > > Is this a remove of all permissions set by user or also the
> > > default permissions? Can one change the default permissions?
> >
> > The `anonymous` user's permissions is what people get who
> > aren't logged in. The `authenticated` user's permissions
> > are for any known user with no other specific permissions
> > set. The above command removes all permissions from unknown
> > users, so they just see Trac's `you need permissions` page
> > for any URL in that Trac.
>
> So I understand it as
> permission remove
> can remove the default permissions _as well_.

Yes, and the result of your query below shows that as far as vanilla trac is concerned, unknown users will only get the `WIKI_VIEW` permission...

However, is it possible we are confusing `anonymous` and `authenticated`? What does this show:-

trac-admin <repo> permission list authenticated

> >
> > > > > User Action
> > > > > -------------------
> > > > > anonymous WIKI_VIEW
> > > >
> > > > ...so they should only be able to see the wiki. Sounds odd...
> >
> > > I also use the UserManagerPlugin. For a certain user who
> > > should act with the permissions of anonymous it shows
> > > BROWSER_VIEW disabled but checked on, like here:
> > >
> http://trac-hacks.org/attachment/wiki/UserManagerPlugin/screenshot3.png
> > >
> > > What does this mean?
> >
> > Ah, sorry, I don't know. It looks like the plugin is enforcing some
> > minimum set of permissions
>
> I don't think UserManagerPlugin is guilty. It also happens if
> UserManagerPlugin is deactivated.

...which I believe is based on another plugin: AccountManagerPlugin.

~ mark c



fbrettschneider at baumer

Jun 13, 2012, 6:34 AM

Post #9 of 11 (992 views)
RE: removing sources access from the default permission [In reply to]

Cooke, Mark wrote:
> F [at] l wrote:
>
> However, is it possible we are confusing `anonymous` and `authenticated`?
> What does this show:-
>
> trac-admin <repo> permission list authenticated

Listing the authenticated permissions gives a lot of things including BROWSER_VIEW. Furthermore the "Admin"->"Permissions" web page shows all my users added to "authenticated". It looks like:

Subject Action
---------------------------
anonymous WIKI_VIEW
authenticated BROWSER_VIEW ... plus a lot more
user1 authenticated
user2 authenticated
...
userN authenticated

But I thought that userX (who is not one of the authenticated users) automatically gets anonymous-group permissions since he is not added there at all. Though he can access the Trac URL since Apache lets him in by SSPI Windows domain login control.

> > I don't think UserManagerPlugin is guilty. It also happens if
> > UserManagerPlugin is deactivated.
>
> ...which I believe is based on another plugin: AccountManagerPlugin.
AccountManagerPlugin is not installed here.

CU, F [at] l



mark.cooke at siemens

Jun 13, 2012, 6:52 AM

Post #10 of 11 (993 views)
RE: removing sources access from the default permission [In reply to]

> -----Original Message-----
> From: trac-users [at] googlegroups On Behalf Of Brettschneider Falk
> Sent: 13 June 2012 14:35
> To: trac-users [at] googlegroups
> Subject: [Trac] RE: removing sources access from the default
> permission
>
> Cooke, Mark wrote:
> > F [at] l wrote:
> >
> > However, is it possible we are confusing `anonymous` and
> > `authenticated`?
> > What does this show:-
> >
> > trac-admin <repo> permission list authenticated
>
> Listing the authenticated permissions gives a lot of things
> including BROWSER_VIEW. Furthermore the
> "Admin"->"Permissions" web page shows all my users added to
> "authenticated". It looks like:
>
> Subject Action
> ---------------------------
> anonymous WIKI_VIEW
> authenticated BROWSER_VIEW ... plus a lot more
> user1 authenticated
> user2 authenticated
> ...
> userN authenticated
>
> But I thought that userX (who is not one of the authenticated
> users) automatically gets anonymous-group permissions since
> he is not added there at all. Though he can access the Trac
> URL since Apache lets him in by SSPI Windows domain login control.

I think we have the problem here in a misunderstanding: your user will get `authenticated` (as will all of your users if you `Require valid-user` in apache). `httpd` passes the user's ID through to Trac which then accepts your user as `authenticated` (by apache) and applies the permissions for that group.

In my setup, I revoke all `anonymous` and `authenticated` permissions and define my own groups (`gPigs` and `gChickens` for the agile amongst you...) just to avoid this sort of problem.

What you want to do is rename your current `authenticated` permissions but you cannot do that through the UI (you could if you use some SQL against the dB backend), so the easiest route is probably to dump the current permissions to a file and use that to build a bat to create a new group and reassign all your (known) users to this group instead of `authenticated`.

Hope that helps,

~ mark c
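
The behaviour described in this post, as an added example that is not part of the original thread: it models why a user admitted by Apache but never listed in Trac still receives the `authenticated` permissions, and builds the `trac-admin` commands for the suggested move to a custom group. The sample table is constructed to mirror the one quoted above; the group name `developers`, the environment path and the resolution model (every request is in `anonymous`, any request with a user name is also in `authenticated`, lower-case entries are group memberships) are assumptions of the example.

```python
# Added example: Trac-style permission resolution and a migration planner.
# SAMPLE is constructed to mirror the table quoted in the thread; the group
# name "developers" and the environment path are placeholders.
SAMPLE = """\
Subject        Action
---------------------------
anonymous      WIKI_VIEW
authenticated  BROWSER_VIEW
authenticated  TICKET_VIEW
user1          authenticated
user2          authenticated
"""


def parse_permission_list(text):
    """Return (subject, action) pairs from `permission list` style output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the header, the dashed rule and anything that is not a pair.
        if len(parts) != 2 or parts[1] == "Action":
            continue
        rows.append((parts[0], parts[1]))
    return rows


def effective_actions(rows, remote_user=None):
    """Actions granted to a request; remote_user is the name Apache passes on."""
    subjects = {"anonymous"}
    if remote_user:  # any authenticated name joins the built-in group
        subjects |= {remote_user, "authenticated"}
    actions, changed = set(), True
    while changed:  # expand nested group memberships until stable
        changed = False
        for subject, action in rows:
            if subject not in subjects:
                continue
            if action.isupper():
                actions.add(action)
            elif action not in subjects:
                subjects.add(action)
                changed = True
    return actions


def plan_migration(rows, env, group):
    """trac-admin commands that move the `authenticated` rights to `group`."""
    moved = sorted(a for s, a in rows if s == "authenticated" and a.isupper())
    users = sorted(s for s, a in rows if a == "authenticated")
    cmds = [f"trac-admin {env} permission add {group} {' '.join(moved)}"]
    cmds += [f"trac-admin {env} permission add {u} {group}" for u in users]
    cmds += [f"trac-admin {env} permission remove {u} authenticated" for u in users]
    cmds.append(f"trac-admin {env} permission remove authenticated {' '.join(moved)}")
    return cmds


def migrated_rows(rows, group):
    """The permission table as it would look after the planned commands."""
    return [(group if s == "authenticated" else s,
             group if a == "authenticated" else a) for s, a in rows]


if __name__ == "__main__":
    table = parse_permission_list(SAMPLE)
    print("userX before:", sorted(effective_actions(table, "userX")))
    for cmd in plan_migration(table, "/path/to/project", "developers"):
        print(cmd)
    after = migrated_rows(table, "developers")
    print("userX after: ", sorted(effective_actions(after, "userX")))
```

Comparing `effective_actions` for an unlisted user before and after the planned commands is a quick check that the source browser is no longer reachable through the built-in `authenticated` group.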



fbrettschneider at baumer

Jun 13, 2012, 7:10 AM

Post #11 of 11 (992 views)
RE: removing sources access from the default permission [In reply to]

Hi Mark!

Cooke, Mark wrote:
> F [at] l wrote:
> > But I thought that userX (who is not one of the authenticated
> > users) automatically gets anonymous-group permissions since
> > he is not added there at all. Though he can access the Trac
> > URL since Apache lets him in by SSPI Windows domain login control.
>
> I think we have the problem here in a misunderstanding: your user will get
> `authenticated` (as will all of your users if you `Require valid-user` in
> apache). `httpd` passes the user's ID through to Trac which then accepts
> your user as `authenticated` (by apache) and applies the permissions for
> that group.

Oops, I understand.

> What you want to do is rename your current `authenticated` ...
> ...snip...
> ... so the easiest route is probably to ...snip...

Thanks a lot for your help!!!

CU, F [at] l
