In the security sandbox I've made a couple of minor changes and would
like to make a few more.

What I've done so far, and why:

  - Added a trac.resource module
  - Moved trac.wiki.api.Context to trac.resource. I did this because
    I think the Context is more generalised, and some auxiliary
    interfaces/components are required which don't make sense being in
    trac.wiki.
  - Created a trac.resource.IResourceMapper interface for mapping
    between resources and contexts.
  - Added the trac.resource.ResourceSystem component for inspecting and
    converting resources.
  - Added a trac.perm.IPermissionPolicy interface for making security policy
    decisions, and converted PermissionSystem and PermissionCache to use this.
  - Added convenience classmethod Context.from_resource(env, req,
    resource) for creating a Context from a resource, such as a WikiPage
    object (actually anything that can be identified via IResourceMapper).

        page = WikiPage(env, 'WikiStart')
        context = Context.from_resource(env, req, page)

  - Added Context.object, which lazily fetches the actual object
    referred to by the Context (I'd like to rename this from "object"
    to "resource" - more info further down).
  - Added Context.perm which is a PermissionCache object (same as
    req.perm) but specific to the current context. eg.

        if 'WIKI_MODIFY' in context.perm:
            ...

    The context object is passed to template pages, where appropriate,
    and can be used to control access:

        <py:if test="'WIKI_ADMIN' in context.perm">
            ...
        <py:/if>

So far I've only converted the Wiki module, but it is working perfectly
so far.

Changes I would like to make:

  - Rename the "resource" member of Contact to "realm" [2]. "resource"
    currently refers to "wiki", "ticket", etc. I think it should refer
    to the actual object identified (eg. WikiPage(env, 'WikiStart')).
  - Merge into trunk.
  - Continue converting modules.

If amenable, I'd like to merge the branch into trunk as it is currently.

[1] http://trac.edgewall.org/wiki/PermissionPolicy
[2] http://trac.edgewall.org/browser/sandbox/security/trac/resource.py#L73

While I haven't actually tested the code, I'd love to see the security
branch be merged sooner, rather than later, as I am chomping at the bit
for the functionality.

If I get some time, I'll try to test out the branch.

Note that the Context is the kind of "resource descriptor" object I was
looking for to complement the resource itself.
In the original TracObject idea (or even its implementation in the xref
branch (1)), both the model part and the description part were mixed in
the same class (the "cheap" or "complete" TracObject distinction of r2278).

Now the Context is a way to address only the "description" part of the
resource, not bothering about its actual data model. I hope this
addresses the heavy reluctance that some had to make the resource itself
aware of the "req"uest object (at least jonas is OK with that). With
your proposed change, the context is now able to retrieve its
corresponding data model object (ctx.object for now, soon to be renamed
ctx.resource) and from the data model, it's possible to build a
descriptor for it (adding the req info), so that's very good.

Let me first continue by quoting the last part of your mail:

Now about the few modifications to what you've already done:

All that being said, great work so far, Alec!

-- Christian

I think the main difficulty will be the permissions. TICKET_APPEND is
required for tickets, while WIKI_MODIFY for wiki pages. I guess we can
maybe just assume that every other object requires
`'MODIFY' in context.perm`.

    class WikiPage(Resource):
        def __init__(self, env, name=None, version=None, db=None, req=None, abs_urls=False):
            Resource.__init__(self, env, req, 'wiki', name, abs_urls=abs_urls, db=db, resource=self)
            ...

        # Backwards compatibility "name" property
        def _get_name(self):
            return self.id

        def _set_name(self, name):
            """Backwards compatibility property for old WikiPage model."""
            self.id = name

        name = property(_get_name, _set-name)

or

    class Ticket(Resource):
        def __init__(self, env, tkt_id=None, db=None, req=None, abs_urls=None):
            Resource.__init__(self, env, req, 'ticket', tkt_id, db=db, req=req, abs_urls=abs_urls, resource=self)
            ...

Then you would be able to do lots of nice things:

    >>> page = WikiPage(env, 'WikiStart', req=req, abs_urls=True)
    >>> page.href
    'http://example.org/trac/wiki/WikiStart'
    >>> page.href('#Foo')
    'http://example.org/trac/wiki/WikiStart#Foo'
    >>> 'WIKI_ADMIN' in page.perm
    False

and of course:

    >>> page.wiki_to_html('Some [wiki:Wiki] text')
    ...

The main objection as I understood it was that it was bad design to make
the data model layer aware of the web layer (the req).

A second issue is that it is somewhat costly to build a data model object.
In my early attempt, I distinguished between a loaded/unloaded
TracObject, but it was somehow cumbersome to use right. I much prefer
the (upcoming) distinction between (1) a Context, which acts as a kind
of resource descriptor and also knows about the /context of use/ of that
resource (e.g. the ''parent'' context) and (2) a Resource, which is the
data model for that resource.

That way it's always clear what is what, and you can go easily from the
"cheap" resource descriptor to the actual  resource object, and back.

Now another strong point of the TracObject proposal was the possibility
to override some base methods. I think the Context is amenable to that
as well.
Take the example of a "title" method that could be used to fill title
attribute of a link to a given resource. That would be "<realm>:<id>" in
the general case. But for tickets, we'd like to have something like
"<ticket summary> (<status>[:<resolution if status=='closed'])". This of
course would require to get access to the data model.

This could be implemented like this:

class TicketContext(Context):

    def title(self):
        status = self.resource['status']
        if status == 'closed':
            status += ':' + self.resource['resolution']
        return "%s: (%s)" % (self.resource['summary'], status)

In the above, self.resource is accessed many times transparently.
As a context is able to "cache" its data model object, it's not a
problem, the access to the complete representation can be done
efficiently and "on demand".

That also means that for a given realm, we need a mechanism to create
the appropriate Resource subclass and the appropriate Context subclass.
In my previous mail, I said that for getting a context from a resource,
I wanted to use a Resource.get_context() method instead of going through
the ResourceSystem. But after experimenting a bit, it seems as easy to
use a helper function to achieve that, and this is less susceptible to
be hit by the "mixing of layers" argument!

So this results in the following:

class IResourceMapper(Interface):
    """Map between Trac resources and their contexts."""

    def get_resource_classes():
        """Generator yielding `(realm, resource_subclass)` pairs."""

    def get_context_classes():
        """Generator yielding `(realm, context_subclass)` pairs."""

class ResourceSystem(Component):
    resource_mappers = ExtensionPoint(IResourceMapper)

    def create_context(self, req, realm, *args, **kwargs):
        if not self._context_map:
            # build a dict of realm keys to Context subclasses values
        context_class = self._context_map.get(realm, Context)
        return context_class(self.env, req, realm, *args, **kwargs)

    def fetch_resource(self, context):
        if not self._resource_map:
            # build a dict of realm keys to Resource subclasses values
        resource_class = self._resource_map.get(realm)
        if resource_class:
            return resource_class(self.env, realm, context)
        # Note that passing a context object to the Resource constructor is arguable:
        # (+) constructor can fetch additional info if needed (e.g. version)
        # (-) Resource should never store references to the Context, to avoid
        #     circular refs. So ideally, Resources shouldn't know about Contexts

class Context(object):
    """Base class for resource descriptors."""
    ...
    # now, creating a sub-context (__call__) needs to be modified to use the
    # ResourceSystem as well, in order to be able to create instances of the
    # appropriate subclass

class Resource(object):
    """Base class for resources."""

    realm = 'unknown' # needs to be overridden

    # Note that an `.id` property needs to be set for the instances as well

And here's the helper function I was talking about:

def create_context(resource, req, *args, **kwargs):
    rs = ResourceSystem(resource.env)
    kwargs['resource'] = resource
    return rs.create_context(req, resource.realm, resource.id, *args, **kwargs)

Well, that's was too much coding in Thunderbird, let's do it for real ;)

So again, about the merge in trunk:
 - I'd like we sort out the above first
 - I'd like to merge my 3 other branches (blame and the 2 -tmp ones)
before ;)

One thing I'm not totally pleased with is the way you changed the
PermissionCache.
Is there any reason for not having a permission cache at the level of a
request?

So there could then be WIKI_ATTACH, TICKET_ATTACH, MILESTONE_ATTACH,
etc.

----------- Future rant -------------

Once the permissions are more uniform, we can begin removing the
reliance on having a permission for each action on each object and move
to a small set of permissions:

    VIEW
    CREATE
    DELETE
    MODIFY
    APPEND
    ATTACH
    GRANT (maybe? for allowing a user to grant other users non-ADMIN permissions)
    ADMIN (all of the above)

Here's a patch: http://swapoff.org/files/new-permissions.diff. This
converts the wiki module to the new permission system, but also adds a
LegacyPermission component for backwards compatibility, which simply
maps all the new style permissions with `realm.upper() + '_' perm`.

The only slight "wart" is that the module itself defines the
permissions, even of things like ATTACH which perhaps should be defined
in other modules, but perhaps not. I think this is difficult to avoid
though, because the attachment module and its parent are co-reliant.

Regards,

eg.

    wiki
    wiki//attachment
    ticket//attachment

    (or whatever syntax is decided on for separating contexts/realms)

That way a user can individually grant attachment permissions on
different parent objects. Actually, thinking about it, this will
alleviate the need for an ATTACH permission altogether, as "CREATE" in
the wiki:attachment security realm would provide this permission.

 * Use setuptools for setup (see [source:sandbox/setuptools])
 * ''Refactoring of the Mimeview API (see #3332,
[source:sandbox/mimeview])''
 * ''Flexible/extensible ticket workflow (see WorkFlow,
[source:sandbox/workflow])''
 * ''Refactoring of the Wiki Engine to use the Genshi builder API
(''experimental'', cboos)''

1. is really mandatory.
2. is not a big deal, I think
3. is a somewhat bigger deal, agreed
4. likewise, still not started. Not /that/ mandatory for 0.11 but would
be nice.

Besides those stated broad goals, there are lots of worthy tickets still
opened, not to mention those for 0.10.4 ...

Not to mention that thanks to the rework of the PermissionPolicy,
interesting things are happening in the resource/Context area, which is
a kind of "unlocker" for lots of long standing issues ...

Regards,

I wanted to be sure that the approach we were taking in that branch
could be extended to attachments, and this seems indeed to be the case.
It's also quite trivial to add security policies for things that are not
really Trac resources, as it's easy to create contexts for anything (see
e.g.[4599]).

So I think the original goals of the PermissionPolicy plan can be
fulfilled, except for the minimal impact on the API part ;) The current
API looks quite fine to me, and behaves quite well: for example, when
some attachments are protected, they can't be seen in the timeline, same
for private tickets (not showing up in searches, shown as missing when
written as TracLinks), etc.

Finally, the permission cache has been set back to the level of the
request, where it belongs (see r4601).

I think it's a good time to get some more feedback on the branch.

http://trac.edgewall.org/changeset?old_path=trunk&old=4610&new_path=s...

 - http://trac.edgewall.org/wiki/WikiContext, for the design of the
Context w.r.t. wiki processing. Basically, it's a way to keep all the
information needed to generate correct output in one place. One aspect
that I still want to refine are the various wiki_to_ methods, which
should be made more flexible. This improvement is related to the
mimeview refactoring and the wiki engine refactoring (parsing/formatting
split).

 - http://groups.google.com/group/trac-dev/msg/44ebc5156ec6e7bc, where I
try to explain the reticences against the TracObject ideas. I explain
how the use of Context as "resource descriptor" can overcome the
concerns about the separation of layers.  That way, the data model
objects don't need to know anything about the web front-end layer or the
presentation details.

Why is it possible to have a context instance not associated with any  
resource? Why can a context be associated with just a realm but no  
particular resourse? Or: shouldn't a context always be connected to a  
resource?

self_href() is an *awful* name. Even after reading the docstring for  
a couple of times, I still don't really get why it's there and what  
it does. Looking at the invocations, there's apparently only *one*  
place that actually passes an argument to it, and that's in  
formatter.py. I can see how you chose the name because the  
Context.href() slot is already occupied; but why do we need a  
"global" href object attached to the context?

Why is local_url() defined on the Context class? It's only used by  
formatter.py, so why not keep it there? It's just about how external  
links are rendered, it shouldn't concern anyone outside the formatter.

What's the reason for moving the DB connection handle from the  
formatter to the context?

Re: Context.__call__, is there really ever a need to *copy* a  
Context? I.e. why not just return `self`? Talking about __call__(), I  
think code creating sub-contexts isn't all that readable. Using a  
different, more explicit way to create a subcontext might be better.

And a more fundamental kind of question: is it really necessary that  
the Context knows the req (and abs_urls, by extension)? I.e. why must  
a Context be able to produce links? Couldn't we just have continued  
to pass the req to e.g. render_macro() in addition to the context? I  
feel like I'm missing a fundamental point here.

My general feeling is that the Context class has too much  
responsibility. When we talked about the design before you started  
working on it, *my* impression was that a wiki-context should  
encapsulate information about the resource to which the text-being-
wikified belongs. Your idea was obviously different: "A Wiki  
rendering context contains all the information needed for properly  
rendering Wiki text". That's a whole lot broader.

I'm not saying that the design is "wrong", but in general I prefer  
functions/classes that have clear focus and responsibility. Trying to  
grok the scope of the wiki-context changes today, I couldn't help but  
feel that it introduced a certain level of "spaghettification". So  
I'd like to understand more about *why* the design looks what it  
looks like.

Initially, the main point of the Wiki context was to be able to generate
proper Wiki content.
So there are actually two "levels" or notions of context:
 - the context to which the wiki source belongs. This was needed for
properly locating relative links.
 - the context of access to that text. This was needed to be able to
generate proper links.

Then, as things went on, the two sides proved equally useful, and saw
further uses. In the security branch, the "resource context" part
evolved so that there are now a few methods to let the resources
describe themselves (by the way of subclasses, when appropriate),  and
the "access context" part was improved to act as a proxy for permission
requests.
One could indeed think about splitting the two notions.

But let's first go through your questions.

Plus, a toplevel context is a convenient way to encapsulate the env, req
and db parameters that are scattered through the code.

  context = parentcontext('attachment')
  for filename in ...:
      ctx = context(id=filename)

Another situation is when you want to refer to some general context
which doesn't have clearly an "id" attached to it, for example:
ctxt('query'). The id _could_ be the query string itself, but right now
we don't really care. But the knowledge  that we're in a sub-context of
some 'query' can be useful (think about a TicketQuery with description,
called from within a ticket description...).

In a way, the Context is a kind of "normalization" of the
request, a way to /specify/ what resource is accessed and how it is
accessed.

The req part is even more fundamental in the security branch, as
depending on *who* accesses the wiki text, the rendering can be
completely different (restrictions ranging from no access at all, to
omitting a few "private" event from the timeline or search results, or
to make some ticket links look like "missing" ones and censuring their
summary).

The introduction of the Context as it stands now has already helped to
solve numerous issues, and its advanced use in the security branch feels
very natural. It has already offered an good deal of simplification of
the code and at the same time provided the fine grained permission
scheme we were looking for.

Well, at least those are a few open points about which I'm still thinking.

A few updates on the topic, as I really want to get through this.
I'm willing to make changes as needed, but for that, I first need to
better understand cmlenz concerns.

Now of course there could have been other approaches, with different
trade-offs (e.g. having RenderingContext  and ResourceDescriptor
classes). The point is that I don't think it's necessarily a good idea
to strive for an hypothetical "perfect" solution and the "ideal"
design... The current approach is already more powerful than what we had
before, and nothing prevents anyone to propose a better scheme *later*.

Of course, if deficiencies are clearly pointed out now, I'm willing to
address them, but please provide me with some concrete topics where I
can act upon.

Also, this is not (should not be) only a discussion between cmlenz and
me. Others opinions would be helpful.

what would happen if 0.11 gets released immediately and the branch
merges happen immediately afterwards?

-solo.

On 1/14/07, Christian Boos <cb...@neuf.fr> wrote: