Forbidden error after Trac instance logoff | Trac 1.6

[Venu Pillai]

After upgrading from trac 1.2 to trac 1.6.

I successfully login to trac and have permission to create, view tickets etc. to an authorized user.

But after logging off the Trac instance it gives error "Forbidden error 403 " ROADMAP_VIEW or Wiki view,  ..privileges are required to perform this operation. You don't have the required permissions." 

I have configured the Trac instance to authenticate against the Active Directory (Its works).

Below is the configuration

In Trac.ini

[account-manager]

allow_delete_account = enabled

auth_init = enabled

environ_auth_overwrite = disabled

force_passwd_change = enabled

login_opt_list = disabled

password_store = LDAPStore

persistent_sessions = disabled

refresh_passwd = disabled

require_approval = disabled

reset_password = enabled

verify_email = enabled

force_login = true

Permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy

[authz_policy]

authz_file = authzpolicy.conf

 [components]

acct_mgr.admin.accountmanageradminpage = enabled

acct_mgr.admin.accountmanageradminpages = enabled

acct_mgr.admin.useradminpanel = enabled

acct_mgr.api.accountmanager = enabled

acct_mgr.db.sessionstore = enabled

acct_mgr.htfile.htdigeststore = enabled

acct_mgr.htfile.htpasswdstore = enabled

acct_mgr.http.httpauthstore = enabled

acct_mgr.notification.accountchangenotificationadminpanel = enabled

acct_mgr.pwhash.htdigesthashmethod = enabled

acct_mgr.pwhash.htpasswdhashmethod = enabled

acct_mgr.svnserve.svnservepasswordstore = enabled

acct_mgr.web_ui.accountmodule = enabled

acct_mgr.web_ui.emailverificationmodule = disabled

acct_mgr.web_ui.loginmodule = enabled

acct_mgr.web_ui.registrationmodule = disabled

acct_mgr_pwhash.htdigesthashmethod = enabled

advancedworkflow.controller.ticketworkflowopfieldauthor = enabled

advancedworkflow.controller.ticketworkflowopfieldsclear = enabled

advancedworkflow.controller.ticketworkflowopownercomponent = enabled

advancedworkflow.controller.ticketworkflowopownerfield = enabled

advancedworkflow.controller.ticketworkflowopownerprevious = enabled

advancedworkflow.controller.ticketworkflowopownerreporter = enabled

advancedworkflow.controller.ticketworkflowopresetmilestone = enabled

advancedworkflow.controller.ticketworkflowoprunexternal = enabled

advancedworkflow.controller.ticketworkflowopstatusprevious = enabled

advancedworkflow.controller.ticketworkflowoptriage = enabled

advancedworkflow.controller.ticketworkflowopxref = enabled

autocompleteusers.* = enable

autocompleteusers.autocompleteusers.autocompleteusers = enabled

customfieldadmin.* = enabled

dynfields.rules.clearrule = enabled

dynfields.rules.copyrule = enabled

dynfields.rules.defaultrule = enabled

dynfields.rules.hiderule = enabled

dynfields.rules.setrule = enabled

dynfields.rules.validaterule = enabled

dynfields.web_ui.dynamicfieldsmodule = enabled

httpauth.* = enabled

iniadmin.iniadmin.iniadminplugin = enabled

inieditorpanel.default_manager.inieditorbasicsecuritymanager = enabled

inieditorpanel.default_manager.inieditoremptysecuritymanager = enabled

inieditorpanel.web_ui.traciniadminpanel = enabled

ldapauth.* = enabled

ldapauth.store.* = enabled

ldapauthstore.ldap_store.ldapstore = enabled

ldapplugin.* = enable

multipleworkflow.web_ui.multipleworkflowadminmodule = enabled

multipleworkflow.workflow.multipleworkflowplugin = enabled

permredirect.* = enabled

trac.web.auth.loginmodule = disabled

tracemoticons.emoticonssupport = enabled

tracexceldownload.api.exceldownloadconfig = enabled

tracexceldownload.ticket.excelreportmodule = enabled

tracexceldownload.ticket.excelticketmodule = enabled

tracexceldownload.translation.translationmodule = enabled

tracopt.perm.authz_policy.* = enabled

tracopt.perm.config_perm_provider.extrapermissionsprovider = enabled

tractweakui.web_ui.tractweakuimodule = enabled

tracusermanager.account.admin_um.accountusermanagerpanel = enabled

tracusermanager.admin.usermanagementadminpage = enabled

tracusermanager.api.sessionuserstore = enabled

tracusermanager.api.usermanager = enabled

tracusermanager.permissions.admin_um.permissionusermanagerpanel = enabled

tracusermanager.profile.admin.userprofilefieldsadminpage = enabled

tracusermanager.profile.admin_um.userprofileusermanagerpanel = enabled

tracusermanager.profile.prefs.userprofilemodule = enabled

webadmin.logging.loggingadminpage = enabled

webadmin.perm.permissionadminpage = enabled

webadmin.plugin.pluginadminpage = enabled

webadmin.ticket.componentadminpage = enabled

webadmin.ticket.milestoneadminpage = enabled

webadmin.ticket.priorityadminpage = enabled

webadmin.ticket.severityadminpage = enabled

webadmin.ticket.tickettypeadminpage = enabled

webadmin.ticket.versionadminpage = enabled

webadmin.web_ui.adminmodule = enabled

webhook_notification. * = enabled

workfloweditor.workfloweditor_admin.workflowchangehandler = enabled

workfloweditor.workfloweditor_admin.workfloweditoradmin = enabled

-------------------------------------------------------------------------------------------------

Below is the content of authzpolicy.conf

directors= XXXXX

admins=XXXXX

admin_names=XXXXX

users=

[*]

@admins = TRAC_ADMIN

@directors=TRAC_ADMIN

@managers=TRAC_ADMIN

@users = MILESTONE_VIEW, SEARCH_VIEW, TICKET_APPEND, TICKET_CREATE, TICKET_EDIT_COMMENT, TICKET_EDIT_DESCRIPTION, TICKET_MODIFY, TICKET_VIEW, REPORT_VIEW, SEARCH_VIEW, WIKI_VIEW

@noaccess=

*=

----------------------------------------------------------------------------------------------------

Pip list

Trac                          1.6

TracAccountManager            0.6.1.dev0

TracAjaxComments              0.2

TracLDAPAuth                  1.2.2

TracWikiCssPlugin             0.3.1

TracWikiPrint                 4.0.0.dev0

TracWorkflowAdmin             0.12.0.7

TracXMLRPC                    1.2.0.dev0

LdapAuthStorePlugin           0.4.0.dev0

LdapPlugin                    0.7.0.dev0

Jinja2                        3.1.6

wheel                         0.41.2

Genshi                        0.7.10

python-ldap                   3.4.4

AccountLDAP                   0.32

------------
When i sucessfull login to Trac instance below is the logs
tail -n 0 -f /trac/XXXX/log/trac.log
2026-02-24 12:01:21,112 Trac[workflow] WARNING: Ticket workflow action 'var_accepted' doesn't define any transitions
2026-02-24 12:01:21,116 Trac[api] WARNING: Duplicate field name "priority" (ignoring)
2026-02-24 12:01:27,874 Trac[svn_authz] ERROR: The [svn] authz_file configuration option in trac.ini is empty or not defined
2026-02-24 12:01:27,876 Trac[env] WARNING: Component <Component trac.versioncontrol.web_ui.changeset.ChangesetModule> failed with ConfigurationError: Look in the Trac log for more information.

When i logoff the trac instance below is logs Attached is screen image
tail -n 0 -f /trac/xxxxx/log/trac.log
2026-02-24 12:03:26,890 Trac[main] WARNING: HTTPForbidden: 403 Forbidden (WIKI_VIEW privileges are required to perform this operation on WikiStart. You don't have the required permissions.), <RequestWithSession "GET '/wiki'">, referrer 'https://XXXXX.XXXX.XX/xxxxx/wiki'

Please help me to resolve the above error.

[Jun Omae]

On Tue, Feb 24, 2026 at 3:49 PM Venu Pillai <vpill...@gmail.com> wrote:
>
> After upgrading from trac 1.2 to trac 1.6.
>
> I successfully login to trac and have permission to create, view tickets etc. to an authorized user.
>
> But after logging off the Trac instance it gives error "Forbidden error 403 " ROADMAP_VIEW or Wiki view, ..privileges are required to perform this operation. You don't have the required permissions."
>
> I have configured the Trac instance to authenticate against the Active Directory (Its works).
>
> Below is the configuration
>
> In Trac.ini
>
> [account-manager]

> ...

> Permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy

The permission_policies option should be put in [trac] section.
See https://trac.edgewall.org/wiki/TracIni#trac-permission_policies-option

--
Jun Omae <jun...@gmail.com> (大前 潤)

[Venu Pillai]

Added the permission_policies as per    https://trac.edgewall.org/wiki/TracIni#trac-permission_policies-option.

Still same issue after logging off the trac instance it gives error "Forbidden error 403 " ROADMAP_VIEW or Wiki view, ..privileges are required to perform this operation. You don't have the required permissions."

[Chris Shelton]

Venu,

Did you try adjusting the permission_policies entry in trac.ini to be like this:

permission_policies = AuthzSourcePolicy,DefaultWikiPolicy,DefaultTicketPolicy,DefaultPermissionPolicy,LegacyAttachmentPolicy

When I upgraded to Trac 1.6, the upgrade mentioned adding both DefaultWikiPolicy and DefaultTicketPolicy to this entry.

Chris

--
You received this message because you are subscribed to the Google Groups "Trac Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to trac-users+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/trac-users/7be2394e-1fde-464f-acad-15756ca249fbn%40googlegroups.com.

[Venu Pillai]

Hi chris,

Added the permission_policies = AuthzSourcePolicy,DefaultWikiPolicy,DefaultTicketPolicy,DefaultPermissionPolicy,LegacyAttachmentPolicy in Trac.ini

Restarted the service.

Still the same issue. I can successfully login to trac instance create ticket, view ticket etc. After logout it should go back to login page? but here after logoff it give forbidden error depend upon that last I h
I have attached the error. 

[Jun Omae]

> Added the permission_policies = AuthzSourcePolicy,DefaultWikiPolicy,DefaultTicketPolicy,DefaultPermissionPolicy,LegacyAttachmentPolicy in Trac.ini

AuthzPolicy should be added.
See https://trac.edgewall.org/intertrac/source:/branches/1.6-stable/tracopt/perm/authz_policy.py

If not fixed yet, please share entire of your trac.ini and trac.log
after enabling logging with DEBUG level and reproducing it.

On Wed, Feb 25, 2026 at 2:46 PM Venu Pillai <vpill...@gmail.com> wrote:
>
> Hi chris,
> Added the permission_policies = AuthzSourcePolicy,DefaultWikiPolicy,DefaultTicketPolicy,DefaultPermissionPolicy,LegacyAttachmentPolicy in Trac.ini
> Restarted the service.
> Still the same issue. I can successfully login to trac instance create ticket, view ticket etc. After logout it should go back to login page? but here after logoff it give forbidden error depend upon that last I h
> I have attached the error.

[Venu Pillai]

Copied the .py file in below path

#ls /usr/local/lib/python3.12/site-packages/tracopt/perm

authz_policy.py  authz_policy.py.old  config_perm_provider.py  __init__.py  __pycache__

 

Restarted the service

 

Same issue.

I am attaching the Trac.ini and debug file

[Venu Pillai]

Additionally, to my previous mail.
One observation:

The home /First page shows Error: forbidden

When click on login. I type my AD credentials its works. No errors.

When i logout, it reverts back to home page and shows Error: Forbidden

[Jun Omae]

On Wed, Feb 25, 2026 at 7:28 PM Venu Pillai <vpill...@gmail.com> wrote:
>
> Copied the .py file in below path
>
> #ls /usr/local/lib/python3.12/site-packages/tracopt/perm
>
> authz_policy.py authz_policy.py.old config_perm_provider.py __init__.py __pycache__

No. Add AuthzPolicy to [trac] permission_policies option in your trac.ini.

--- trac.ini.orig 2026-02-26 02:32:37.714671800 +0900
+++ trac.ini 2026-02-26 02:33:20.442061500 +0900
@@ -320,7 +320,7 @@
mysqldump_path = mysqldump
never_obfuscate_mailto = disabled
#permission_policies =
DefaultPermissionPolicy,LegacyAttachmentPolicy,AuthzSourcePolicy
-permission_policies = AuthzSourcePolicy, DefaultPermissionPolicy,
LegacyAttachmentPolicy
+permission_policies =
AuthzPolicy,AuthzSourcePolicy,DefaultWikiPolicy,DefaultTicketPolicy,DefaultPermissionPolicy,LegacyAttachmentPolicy
pg_dump_path = pg_dump
resizable_textareas = enabled
secure_cookies = disabled

> Restarted the service
>
>
>
> Same issue.
>
> I am attaching the Trac.ini and debug file
>
>
> On Wednesday, 25 February 2026 at 13:07:46 UTC+5:30 Jun Omae wrote:
>>
>> > Added the permission_policies = AuthzSourcePolicy,DefaultWikiPolicy,DefaultTicketPolicy,DefaultPermissionPolicy,LegacyAttachmentPolicy in Trac.ini
>>
>> AuthzPolicy should be added.
>> See https://trac.edgewall.org/intertrac/source:/branches/1.6-stable/tracopt/perm/authz_policy.py
>>
>> If not fixed yet, please share entire of your trac.ini and trac.log
>> after enabling logging with DEBUG level and reproducing it.
>>
>> On Wed, Feb 25, 2026 at 2:46 PM Venu Pillai <vpill...@gmail.com> wrote:
>> >
>> > Hi chris,
>> > Added the permission_policies = AuthzSourcePolicy,DefaultWikiPolicy,DefaultTicketPolicy,DefaultPermissionPolicy,LegacyAttachmentPolicy in Trac.ini
>> > Restarted the service.
>> > Still the same issue. I can successfully login to trac instance create ticket, view ticket etc. After logout it should go back to login page? but here after logoff it give forbidden error depend upon that last I h
>> > I have attached the error.
>>
>>
>> --
>> Jun Omae <jun...@gmail.com> (大前 潤)
>

> --
> You received this message because you are subscribed to the Google Groups "Trac Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to trac-users+...@googlegroups.com.

> To view this discussion visit https://groups.google.com/d/msgid/trac-users/04c3efe9-c305-46e2-82f3-dbb9a3bbe17cn%40googlegroups.com.

[Venu Pillai]

Added the entry in trac.ini

+permission_policies = AuthzPolicy, DefaultWikiPolicy, DefaultTicketPolicy, DefaultPermissionPolicy, DefaultPermissionPolicy,LegacyAttachmentPolicy

Restarted the service

Still the same issue.

 If a user doesn't have permission to see the home page (WIKI_VIEW...), Trac will send a "Permission Denied" page and ask to log in. (Which is in my case) .

How to redirect the home page to Login page?

Below are the logs captured when I enter the URL to access the trac instance home page example "https://xxxx.xxx.xx/rgxxx 

 

tail -f trac.log
2026-02-26 12:55:07,075 Trac[perm] DEBUG: AuthzPolicy denies anonymous performing TICKET_ADMIN on <Resource 'admin:ticket/type'>
2026-02-26 12:55:07,076 Trac[authz_policy] DEBUG: Checking REPORT_VIEW on report:-1@*
2026-02-26 12:55:07,076 Trac[authz_policy] DEBUG: report:-1@* matched section *@* for user anonymous
2026-02-26 12:55:07,076 Trac[perm] DEBUG: AuthzPolicy denies anonymous performing REPORT_VIEW on <Resource 'report:-1'>
2026-02-26 12:55:07,076 Trac[authz_policy] DEBUG: Checking TIMELINE_VIEW on timeline:*@*
2026-02-26 12:55:07,076 Trac[authz_policy] DEBUG: timeline:*@* matched section *@* for user anonymous
2026-02-26 12:55:07,076 Trac[perm] DEBUG: AuthzPolicy denies anonymous performing TIMELINE_VIEW on <Resource 'timeline'>
2026-02-26 12:55:07,076 Trac[authz_policy] DEBUG: Checking WIKI_VIEW on wiki:TracGuide@*
2026-02-26 12:55:07,076 Trac[authz_policy] DEBUG: wiki:TracGuide@* matched section *@* for user anonymous
2026-02-26 12:55:07,076 Trac[perm] DEBUG: AuthzPolicy denies anonymous performing WIKI_VIEW on <Resource 'wiki:TracGuide'>

[Jun Omae]

On Thu, Feb 26, 2026 at 5:15 PM Venu Pillai <vpill...@gmail.com> wrote:
> If a user doesn't have permission to see the home page (WIKI_VIEW...), Trac will send a "Permission Denied" page and ask to log in. (Which is in my case) .
> How to redirect the home page to Login page?

If you're using login form of AccountManagerPlugin to authenticate a
user, try to use https://trac-hacks.org/wiki/PermRedirectPlugin.

Trac doesn't redirect to /login page in the case because Trac intends
that /login page is configured to require HTTP authentication.

[Venu Pillai]

Thanks, it worked 

I need to install permRedirectPlugin.