making trac read-only

17 views
Skip to first unread message

Dima Pasechnik

unread,
Jan 27, 2023, 12:20:47 PM1/27/23
to Trac Users
Hello,
our no longer really maintained, but actively used, trac installation
https://trac.sagemath.org/ is in the process of migrating to another platform.
However, we'd like to keep it up in a read-only form.
It's running Trac 1.2 - yes, severe shortage of hands to maintain it

I'm looking for an advice on how to achieve this with minimal intervention,
hopefully easily reversible (if migration process will need to be  rescheduled
we'd like to resume using trac for a while).
Ideally, I'd like to do so just by modifying trac.ini

Dmitrii

Ryan Ollos

unread,
Jan 27, 2023, 12:38:31 PM1/27/23
to trac-...@googlegroups.com
Read-only can be achieved by revoking permissions. For the most part, just leave _VIEW permissions for standard users. You can set up permissions groups and continue to allow other users to have write access if you'd like, such as admins.

The permissions are stored in the database. You may want to screen-capture your current permissions and groups before making any changes, so you can return to it later if needed.

Let us know if you need any additional pointers.

Ryan

RjOllos

unread,
Jan 27, 2023, 12:39:00 PM1/27/23
to Trac Users
Read-only can be achieved by revoking permissions. For the most part, just leave _VIEW permissions for standard users. You can set up permissions groups and continue to allow other users to have write access, such as admins, if you'd like.

Dima Pasechnik

unread,
Jan 27, 2023, 2:55:17 PM1/27/23
to trac-...@googlegroups.com, sage-devel
On Fri, Jan 27, 2023 at 5:39 PM RjOllos <rjo...@gmail.com> wrote:
>
> On Friday, January 27, 2023 at 9:20:47 AM UTC-8 dim...@gmail.com wrote:
> our no longer really maintained, but actively used, trac installation
> https://trac.sagemath.org/ is in the process of migrating to another platform.
> However, we'd like to keep it up in a read-only form.
> It's running Trac 1.2 - yes, severe shortage of hands to maintain it
>
> I'm looking for an advice on how to achieve this with minimal intervention,
> hopefully easily reversible (if migration process will need to be rescheduled
> we'd like to resume using trac for a while).
> Ideally, I'd like to do so just by modifying trac.ini
>
> Read-only can be achieved by revoking permissions. For the most part, just leave _VIEW permissions for standard users. You can set up permissions groups and continue to allow other users to have write access, such as admins, if you'd like.
> https://trac.edgewall.org/wiki/TracPermissions

unfortunately it's got rather misconfigured at some point:

--------------------------------------------------------------------------
$ sudo trac-admin /srv/trac/sage_trac permission list
Error: Failed to clone gitolite-admin repository: Cloning into
'/srv/trac/sage_trac/gitolite-admin'...
fatal: 'gitolite-admin' does not appear to be a git repository
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
----------------------------------------------------------------------------
or even

$ sudo trac-admin /srv/trac/sage_trac
Welcome to trac-admin 1.2
Interactive Trac administration console.
Copyright (C) 2003-2013 Edgewall Software

Type: '?' or 'help' for help on commands.

Trac [/srv/trac/sage_trac]> help
trac-admin - The Trac Administration Console 1.2
TracError: Failed to clone gitolite-admin repository: Cloning into
'/srv/trac/sage_trac/gitolite-admin'...
fatal: 'gitolite-admin' does not appear to be a git repository
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Trac [/srv/trac/sage_trac]>

---------------------------------------------------

I have no idea why trac-admin wants to clone (!) this repo - and I
don't understand where it even gets
" gitolite-admin" (we do have a repository on the host, with this
name, containing ssh keys of users).
Is it a hack hardcoded somewhere? Or it's somehow parsing the directory tree?

I think what we're running a standard Trac package on Ubuntu 18.04:
https://packages.ubuntu.com/source/bionic/trac
(that was an update of some older hand-installed version in /usr/local)

>
> The permissions are stored in the database. You may want to screen-capture your current permissions and groups before making any changes, so you can return to it later if needed.

Well, as I can't use trac-admin (and there is no web admin interface
on on my account, not sure whether without
a working trac-admin it's possible to bring it up) my current plan is to

1) disable tracext.github.githubloginmodule in trac.ini (we allow
GitHub-authenticated users access to tickets and git tree)
2) point htdigest_file in trac.ini to a file without any actual passwords

I suppose 1)+2) should make tickets effectively read-only.
To make git tree read-only, one apparently still needs to disable ssh
authentication,
and I can't think of anything less intrusive than

3) removing all the ssh keys uploaded and stored
in the said gitolite-admin git repo (I can push there, and it appears
to effect changes)


>
> Let us know if you need any additional pointers.

In trac.ini there is a section

[sage_trac]
cgit_host = git.sagemath.org
cgit_repository = sage.git
github_url = https://github.com/sagemath/sagetrac-mirror
....

which seems to describe the local confg (all these values make perfect sense)
- bit I can't seem to find any docs on this.

And if you could tell me how this "git clone" thing can be avoided, so
that trac-admin becomes usable...


Dima

>
> Ryan
>
> --
> You received this message because you are subscribed to a topic in the Google Groups "Trac Users" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/trac-users/C_ZFXu39jN4/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to trac-users+...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/trac-users/f7ca7db0-c6af-489a-8816-c0c8e8715e9cn%40googlegroups.com.

Dima Pasechnik

unread,
Jan 27, 2023, 7:07:23 PM1/27/23
to trac-...@googlegroups.com, sage-devel
OK, the problem with trac-admin was due to our own old plugin,
https://github.com/sagemath/sage_trac_plugin,
which caused weirdness when run under root. Under a correct user, it went OK.
Hopefully the rest is manageable.
Sorry for noise,

Dmitrii
Reply all
Reply to author
Forward
0 new messages