Anonymous user can browse source without permission

41 views
Skip to first unread message

mjs

unread,
Sep 30, 2015, 4:48:05 PM9/30/15
to Trac Users
I have a Trac page and Subversion repository that I want to permit access to only for authenticated users. In the permission list, anonymous doesn't appear, so I presume it is supposed to have no permissions. Anonymous users can't access any Trac pages without logging in, but even for users not logged in, the Browse Source button appears on the "You are not logged in" page, and anonymous users can click the link and view the Subversion repo contents.

How can I block that access?  I tried to 'permission remove anonymous BROWSER_VIEW' but anonymous doesn't have that permission.

I'm using the account_manager plugin and my Subversion access control files as the group_file, authz_file, and htpasswd_file. The permission_policies are AuthzSourcePolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy, and the permission_store is DefaultPermissionStore. Any other information I need to supply?

TIA.

Matthew Saltzman
Clemson University Math Sciences


mjs

unread,
Sep 30, 2015, 5:04:25 PM9/30/15
to Trac Users
One other piece of information: In the authz_file, the repository has entry

[Repo:/]
* =
@groupname = rw

Ryan Ollos

unread,
Sep 30, 2015, 5:24:38 PM9/30/15
to Trac Users
Could you try removing AuthzSourcePolicy from permission_policies? It would be good to isolate the issue to that permission policy.

What Trac version are you running? 

mjs

unread,
Oct 1, 2015, 4:36:35 PM10/1/15
to Trac Users, ryan.j...@gmail.com


On Wednesday, September 30, 2015 at 5:24:38 PM UTC-4, RjOllos wrote:

Could you try removing AuthzSourcePolicy from permission_policies? It would be good to isolate the issue to that permission policy.

Removing AuthzSourcePolicy does remove the Browse Source button when not authenticated.
 

What Trac version are you running? 

 1.0.8


Ryan Ollos

unread,
Oct 1, 2015, 4:45:20 PM10/1/15
to mjs, Trac Users
On Thu, Oct 1, 2015 at 1:36 PM, mjs <m...@clemson.edu> wrote:


On Wednesday, September 30, 2015 at 5:24:38 PM UTC-4, RjOllos wrote:

Could you try removing AuthzSourcePolicy from permission_policies? It would be good to isolate the issue to that permission policy.

Removing AuthzSourcePolicy does remove the Browse Source button when not authenticated.

I'm not able to reproduce with Trac 1.0.8.

Have you checked that anonymous is not a member of another permission group?

For example, I've revoked all permissions from anonymous. Then, when I add anonymous to the authenticated permission group, anonymous inherits all the permissions from that permission group.

(browser-test)~/Documents/Workspace/trac-dev/browser-test$trac-admin trac permission list anonymous

User  Action
------------


Available actions:
 BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, EMAIL_VIEW, FILE_VIEW,
 LOG_VIEW, MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE,
 MILESTONE_MODIFY, MILESTONE_VIEW, PERMISSION_ADMIN, PERMISSION_GRANT,
 PERMISSION_REVOKE, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE,
 REPORT_MODIFY, REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW,
 SEARCH_VIEW, TICKET_ADMIN, TICKET_APPEND, TICKET_BATCH_MODIFY,
 TICKET_CHGPROP, TICKET_CREATE, TICKET_EDIT_CC, TICKET_EDIT_COMMENT,
 TICKET_EDIT_DESCRIPTION, TICKET_MODIFY, TICKET_VIEW, TIMELINE_VIEW,
 TRAC_ADMIN, VERSIONCONTROL_ADMIN, WIKI_ADMIN, WIKI_CREATE, WIKI_DELETE,
 WIKI_MODIFY, WIKI_RENAME, WIKI_VIEW

(browser-test)~/Documents/Workspace/trac-dev/browser-test$trac-admin trac permission add anonymous authenticated
(browser-test)~/Documents/Workspace/trac-dev/browser-test$trac-admin trac permission list anonymous

User       Action        
-------------------------
anonymous  TICKET_APPEND 
anonymous  TICKET_CHGPROP
anonymous  TICKET_CREATE 
anonymous  TICKET_MODIFY 
anonymous  WIKI_CREATE   
anonymous  WIKI_MODIFY   


Available actions:
 BROWSER_VIEW, CHANGESET_VIEW, CONFIG_VIEW, EMAIL_VIEW, FILE_VIEW,
 LOG_VIEW, MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE,
 MILESTONE_MODIFY, MILESTONE_VIEW, PERMISSION_ADMIN, PERMISSION_GRANT,
 PERMISSION_REVOKE, REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE,
 REPORT_MODIFY, REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW,
 SEARCH_VIEW, TICKET_ADMIN, TICKET_APPEND, TICKET_BATCH_MODIFY,
 TICKET_CHGPROP, TICKET_CREATE, TICKET_EDIT_CC, TICKET_EDIT_COMMENT,
 TICKET_EDIT_DESCRIPTION, TICKET_MODIFY, TICKET_VIEW, TIMELINE_VIEW,
 TRAC_ADMIN, VERSIONCONTROL_ADMIN, WIKI_ADMIN, WIKI_CREATE, WIKI_DELETE,
 WIKI_MODIFY, WIKI_RENAME, WIKI_VIEW 

mjs

unread,
Oct 1, 2015, 10:10:49 PM10/1/15
to Trac Users, m...@clemson.edu, ryan.j...@gmail.com


On Thursday, October 1, 2015 at 4:45:20 PM UTC-4, RjOllos wrote:
On Thu, Oct 1, 2015 at 1:36 PM, mjs <m...@clemson.edu> wrote:


On Wednesday, September 30, 2015 at 5:24:38 PM UTC-4, RjOllos wrote:

Could you try removing AuthzSourcePolicy from permission_policies? It would be good to isolate the issue to that permission policy.

Removing AuthzSourcePolicy does remove the Browse Source button when not authenticated.

I'm not able to reproduce with Trac 1.0.8.

Have you checked that anonymous is not a member of another permission group?

For example, I've revoked all permissions from anonymous. Then, when I add anonymous to the authenticated permission group, anonymous inherits all the permissions from that permission group.


Anonymous appears to have no permissions at all.

> permission list anonymous

User  Action
------------


Available actions:
 ACCTMGR_ADMIN, ACCTMGR_CONFIG_ADMIN, ACCTMGR_USER_ADMIN, BROWSER_VIEW,

 CHANGESET_VIEW, CONFIG_VIEW, EMAIL_VIEW, FILE_VIEW, LOG_VIEW,
 MILESTONE_ADMIN, MILESTONE_CREATE, MILESTONE_DELETE, MILESTONE_MODIFY,
 MILESTONE_VIEW, PERMISSION_ADMIN, PERMISSION_GRANT, PERMISSION_REVOKE,
 REPORT_ADMIN, REPORT_CREATE, REPORT_DELETE, REPORT_MODIFY,
 REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_ADMIN, ROADMAP_VIEW, SEARCH_VIEW,
 SPAM_ADMIN, SPAM_CHECKREPORTS, SPAM_CONFIG, SPAM_MONITOR, SPAM_REPORT,
 SPAM_TRAIN, SPAM_USER, TICKET_ADMIN, TICKET_APPEND, TICKET_BATCH_MODIFY,

 TICKET_CHGPROP, TICKET_CREATE, TICKET_EDIT_CC, TICKET_EDIT_COMMENT,
 TICKET_EDIT_DESCRIPTION, TICKET_MODIFY, TICKET_VIEW, TIMELINE_VIEW,
 TRAC_ADMIN, USER_VIEW, VERSIONCONTROL_ADMIN, WIKI_ADMIN, WIKI_CREATE,
 WIKI_DELETE, WIKI_MODIFY, WIKI_RENAME, WIKI_VIEW




RjOllos

unread,
Oct 1, 2015, 10:41:26 PM10/1/15
to Trac Users, m...@clemson.edu, ryan.j...@gmail.com


On Thursday, October 1, 2015 at 7:10:49 PM UTC-7, mjs wrote:


On Thursday, October 1, 2015 at 4:45:20 PM UTC-4, RjOllos wrote:
On Thu, Oct 1, 2015 at 1:36 PM, mjs <m...@clemson.edu> wrote:


On Wednesday, September 30, 2015 at 5:24:38 PM UTC-4, RjOllos wrote:

Could you try removing AuthzSourcePolicy from permission_policies? It would be good to isolate the issue to that permission policy.

Removing AuthzSourcePolicy does remove the Browse Source button when not authenticated.

I'm not able to reproduce with Trac 1.0.8.

Have you checked that anonymous is not a member of another permission group?

For example, I've revoked all permissions from anonymous. Then, when I add anonymous to the authenticated permission group, anonymous inherits all the permissions from that permission group.


Anonymous appears to have no permissions at all.

It might be useful to set the log level to debug and navigate to "Browse Source".

Are you able to view the contents of files in addition to the directory contents? Are you able to view a Revision Log and a Changeset?

Do you have any other plugins installed in addition to AccountManagerPlugin?

RjOllos

unread,
Oct 5, 2015, 7:34:51 PM10/5/15
to Trac Users, ryan.j...@gmail.com


On Thursday, October 1, 2015 at 1:36:35 PM UTC-7, mjs wrote:


On Wednesday, September 30, 2015 at 5:24:38 PM UTC-4, RjOllos wrote:

Could you try removing AuthzSourcePolicy from permission_policies? It would be good to isolate the issue to that permission policy.

Removing AuthzSourcePolicy does remove the Browse Source button when not authenticated.

I must apologize that I was multi-tasking last week and completely misread this reply, reading it as "does not remove" rather than "does remove".

Going back to your authz_file, is "Repo" the actual repository name?

[Repo:/]
* =
@groupname = rw

Could you try editing trac.ini to add?:

[trac]
authz_module_name = Repo

Assuming that solves your issue, the first thing I wonder is whether we have a way yet to support multiple repositories. The following comment may be relevant:

RjOllos

unread,
Apr 10, 2016, 8:37:32 PM4/10/16
to Trac Users, ryan.j...@gmail.com


On Monday, October 5, 2015 at 4:34:51 PM UTC-7, RjOllos wrote:
Assuming that solves your issue, the first thing I wonder is whether we have a way yet to support multiple repositories. The following comment may be relevant:

Reply all
Reply to author
Forward
0 new messages