Anonymous user can browse source without permission
41 views
Skip to first unread message
mjs
Sep 30, 2015, 4:48:05 PM9/30/15
to Trac Users
I have a Trac page and Subversion repository that I want to permit access to only for authenticated users. In the permission list, anonymous doesn't appear, so I presume it is supposed to have no permissions. Anonymous users can't access any Trac pages without logging in, but even for users not logged in, the Browse Source button appears on the "You are not logged in" page, and anonymous users can click the link and view the Subversion repo contents.
How can I block that access? I tried to 'permission remove anonymous BROWSER_VIEW' but anonymous doesn't have that permission.
I'm using the account_manager plugin and my Subversion access control files as the group_file, authz_file, and htpasswd_file. The permission_policies are AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy, and the permission_store is DefaultPermissionStore. Any other information I need to supply?
TIA.
Matthew Saltzman
Clemson University Math Sciences
How can I block that access? I tried to 'permission remove anonymous BROWSER_VIEW' but anonymous doesn't have that permission.
I'm using the account_manager plugin and my Subversion access control files as the group_file, authz_file, and htpasswd_file. The permission_policies are AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy, and the permission_store is DefaultPermissionStore. Any other information I need to supply?
TIA.
Matthew Saltzman
Clemson University Math Sciences
mjs
Sep 30, 2015, 5:04:25 PM9/30/15
to Trac Users
One other piece of information: In the authz_file, the repository has entry
[Repo:/]
* =
@groupname = rw
* =
@groupname = rw
Ryan Ollos
Sep 30, 2015, 5:24:38 PM9/30/15
to Trac Users
Could you try removing AuthzSourcePolicy from permission_policies? It would be good to isolate the issue to that permission policy.
What Trac version are you running?
mjs
Oct 1, 2015, 4:36:35 PM10/1/15
to Trac Users, ryan.j...@gmail.com
On Wednesday, September 30, 2015 at 5:24:38 PM UTC-4, RjOllos wrote:
Could you try removing AuthzSourcePolicy from permission_policies? It would be good to isolate the issue to that permission policy.
Removing AuthzSourcePolicy does remove the Browse Source button when not authenticated.
What Trac version are you running?
1.0.8
Ryan Ollos
Oct 1, 2015, 4:45:20 PM10/1/15
to mjs, Trac Users
On Thu, Oct 1, 2015 at 1:36 PM, mjs <m...@clemson.edu> wrote:
On Wednesday, September 30, 2015 at 5:24:38 PM UTC-4, RjOllos wrote:Could you try removing AuthzSourcePolicy from permission_policies? It would be good to isolate the issue to that permission policy.
Removing AuthzSourcePolicy does remove the Browse Source button when not authenticated.
I'm not able to reproduce with Trac 1.0.8.
Have you checked that anonymous is not a member of another permission group?
For example, I've revoked all permissions from anonymous. Then, when I add anonymous to the authenticated permission group, anonymous inherits all the permissions from that permission group.
(browser-test)~/Documents/Workspace/trac-dev/browser-test$trac-admin trac permission list anonymous
User Action
------------
Available actions:
BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, EMAIL_VIEW, FILE_VIEW,
LOG_VIEW, MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE,
MILESTONE_MODIFY, MILESTONE_VIEW, PERMISSION_ADMIN, PERMISSION_GRANT,
PERMISSION_REVOKE, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE,
REPORT_MODIFY, REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW,
SEARCH_VIEW, TICKET_ADMIN, TICKET_APPEND, TICKET_BATCH_MODIFY,
TICKET_CHGPROP, TICKET_CREATE, TICKET_EDIT_CC, TICKET_EDIT_COMMENT,
TICKET_EDIT_DESCRIPTION, TICKET_MODIFY, TICKET_VIEW, TIMELINE_VIEW,
TRAC_ADMIN, VERSIONCONTROL_ADMIN, WIKI_ADMIN, WIKI_CREATE, WIKI_DELETE,
WIKI_MODIFY, WIKI_RENAME, WIKI_VIEW
(browser-test)~/Documents/Workspace/trac-dev/browser-test$trac-admin trac permission add anonymous authenticated
(browser-test)~/Documents/Workspace/trac-dev/browser-test$trac-admin trac permission list anonymous
User Action
-------------------------
anonymous TICKET_APPEND
anonymous TICKET_CHGPROP
anonymous TICKET_CREATE
anonymous TICKET_MODIFY
anonymous WIKI_CREATE
anonymous WIKI_MODIFY
Available actions:
BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, EMAIL_VIEW, FILE_VIEW,
LOG_VIEW, MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE,
MILESTONE_MODIFY, MILESTONE_VIEW, PERMISSION_ADMIN, PERMISSION_GRANT,
PERMISSION_REVOKE, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE,
REPORT_MODIFY, REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW,
SEARCH_VIEW, TICKET_ADMIN, TICKET_APPEND, TICKET_BATCH_MODIFY,
TICKET_CHGPROP, TICKET_CREATE, TICKET_EDIT_CC, TICKET_EDIT_COMMENT,
TICKET_EDIT_DESCRIPTION, TICKET_MODIFY, TICKET_VIEW, TIMELINE_VIEW,
TRAC_ADMIN, VERSIONCONTROL_ADMIN, WIKI_ADMIN, WIKI_CREATE, WIKI_DELETE,
WIKI_MODIFY, WIKI_RENAME, WIKI_VIEW
mjs
Oct 1, 2015, 10:10:49 PM10/1/15
to Trac Users, m...@clemson.edu, ryan.j...@gmail.com
On Thursday, October 1, 2015 at 4:45:20 PM UTC-4, RjOllos wrote:
On Thu, Oct 1, 2015 at 1:36 PM, mjs <m...@clemson.edu> wrote:
On Wednesday, September 30, 2015 at 5:24:38 PM UTC-4, RjOllos wrote:Could you try removing AuthzSourcePolicy from permission_policies? It would be good to isolate the issue to that permission policy.
Removing AuthzSourcePolicy does remove the Browse Source button when not authenticated.I'm not able to reproduce with Trac 1.0.8.Have you checked that anonymous is not a member of another permission group?For example, I've revoked all permissions from anonymous. Then, when I add anonymous to the authenticated permission group, anonymous inherits all the permissions from that permission group.
> permission list anonymous
User Action
------------
Available actions:
User Action
------------
Available actions:
ACCTMGR_ADMIN, ACCTMGR_CONFIG_ADMIN, ACCTMGR_USER_ADMIN, BROWSER_VIEW,
CHANGESET_VIEW, CONFIG_VIEW, EMAIL_VIEW, FILE_VIEW, LOG_VIEW,
MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE, MILESTONE_MODIFY,
MILESTONE_VIEW, PERMISSION_ADMIN, PERMISSION_GRANT, PERMISSION_REVOKE,
REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE, REPORT_MODIFY,
REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW, SEARCH_VIEW,
SPAM_ADMIN, SPAM_CHECKREPORTS, SPAM_CONFIG, SPAM_MONITOR, SPAM_REPORT,
SPAM_TRAIN, SPAM_USER, TICKET_ADMIN, TICKET_APPEND, TICKET_BATCH_MODIFY,
SPAM_TRAIN, SPAM_USER, TICKET_ADMIN, TICKET_APPEND, TICKET_BATCH_MODIFY,
TICKET_CHGPROP, TICKET_CREATE, TICKET_EDIT_CC, TICKET_EDIT_COMMENT,
TICKET_EDIT_DESCRIPTION, TICKET_MODIFY, TICKET_VIEW, TIMELINE_VIEW,
TRAC_ADMIN, USER_VIEW, VERSIONCONTROL_ADMIN, WIKI_ADMIN, WIKI_CREATE,
WIKI_DELETE, WIKI_MODIFY, WIKI_RENAME, WIKI_VIEW
WIKI_DELETE, WIKI_MODIFY, WIKI_RENAME, WIKI_VIEW
RjOllos
Oct 1, 2015, 10:41:26 PM10/1/15
to Trac Users, m...@clemson.edu, ryan.j...@gmail.com
On Thursday, October 1, 2015 at 7:10:49 PM UTC-7, mjs wrote:
On Thursday, October 1, 2015 at 4:45:20 PM UTC-4, RjOllos wrote:On Thu, Oct 1, 2015 at 1:36 PM, mjs <m...@clemson.edu> wrote:
On Wednesday, September 30, 2015 at 5:24:38 PM UTC-4, RjOllos wrote:Could you try removing AuthzSourcePolicy from permission_policies? It would be good to isolate the issue to that permission policy.
Removing AuthzSourcePolicy does remove the Browse Source button when not authenticated.I'm not able to reproduce with Trac 1.0.8.Have you checked that anonymous is not a member of another permission group?For example, I've revoked all permissions from anonymous. Then, when I add anonymous to the authenticated permission group, anonymous inherits all the permissions from that permission group.
Anonymous appears to have no permissions at all.
It might be useful to set the log level to debug and navigate to "Browse Source".
Are you able to view the contents of files in addition to the directory contents? Are you able to view a Revision Log and a Changeset?
Do you have any other plugins installed in addition to AccountManagerPlugin?
RjOllos
Oct 5, 2015, 7:34:51 PM10/5/15
to Trac Users, ryan.j...@gmail.com
On Thursday, October 1, 2015 at 1:36:35 PM UTC-7, mjs wrote:
On Wednesday, September 30, 2015 at 5:24:38 PM UTC-4, RjOllos wrote:Could you try removing AuthzSourcePolicy from permission_policies? It would be good to isolate the issue to that permission policy.
Removing AuthzSourcePolicy does remove the Browse Source button when not authenticated.
I must apologize that I was multi-tasking last week and completely misread this reply, reading it as "does not remove" rather than "does remove".
Going back to your authz_file, is "Repo" the actual repository name?
[Repo:/]
* =
@groupname = rw
* =
@groupname = rw
Could you try editing trac.ini to add?:
[trac]
authz_module_name = Repo
Assuming that solves your issue, the first thing I wonder is whether we have a way yet to support multiple repositories. The following comment may be relevant:
RjOllos
Apr 10, 2016, 8:37:32 PM4/10/16
to Trac Users, ryan.j...@gmail.com
On Monday, October 5, 2015 at 4:34:51 PM UTC-7, RjOllos wrote:
Assuming that solves your issue, the first thing I wonder is whether we have a way yet to support multiple repositories. The following comment may be relevant:
See also: https://trac.edgewall.org/ticket/12442
Reply all
Reply to author
Forward
0 new messages