
How do I use trac AuthzPolicy to restrict access to repository browser?


Trac is configured with multiple subversion repositories

http://trac.company.com/trac/browser/

REPO1 REPO2 REPO3

Currently staff access this as anonymous. I am adding a new repository UTILITIES that I don't want anonymous users to be able to see.

This is where AuthzPolicy comes in, but I am really struggling to get it working.

In trac.ini I have

[trac]
...
permission_policies = AuthzPolicy,
  ReadonlyWikiPolicy,
  DefaultPermissionPolicy,
  LegacyAttachmentPolicy

[components]
...
tracopt.perm.authz_policy.* = enabled


[authz_policy]
authz_file = /var/trac/conf/authzpolicy.conf

But I am unable to figure out what I need to add in authzpolicy.conf to block BROWSER_VIEW from anonymous. I have tried (various combinations of):

[*]
* = !BROWSER_VIEW
anonymous = !BROWSER_VIEW

[repository:*]
* = !BROWSER_VIEW
anonymous = !BROWSER_VIEW

[repository:UTILITIES*]
* = !BROWSER_VIEW
anonymous = !BROWSER_VIEW

Nothing I seem to add in there blocks an anonymous user from browsing any repositories. The relevant bits from the debug log don't really shed any light either:

2019-09-19 12:33:19,518 Trac[authz_policy] DEBUG: Parsing authz security policy /var/trac/conf/authzpolicy.conf
2019-09-19 12:33:19,519 Trac[authz_policy] DEBUG: Checking BROWSER_VIEW on repository:UTILITIES@*/source:/@68
2019-09-19 12:33:19,521 Trac[authz_policy] DEBUG: Checking BROWSER_VIEW on repository:UTILITIES@*/source:/tags@68
2019-09-19 12:33:19,523 Trac[authz_policy] DEBUG: Checking BROWSER_VIEW on repository:UTILITIES@*/source:/branches@68
2019-09-19 12:33:19,524 Trac[authz_policy] DEBUG: Checking BROWSER_VIEW on repository:UTILITIES@*/source:/trunk@68
...
2019-09-19 12:33:19,628 Trac[authz_policy] DEBUG: Checking CHANGESET_VIEW on repository:UTILITIES@*/changeset:1@*
2019-09-19 12:33:19,636 Trac[authz_policy] DEBUG: Checking CHANGESET_VIEW on repository:UTILITIES@*/changeset:68@*

If I remove BROWSER_VIEW from anonymous in the DefaultPermissionPolicy then nobody can browse repositories, even when I put the following in authzpolicy.conf.

[*]
* = *

Solution

  • The main issue turned out to be permissions on /var/trac/conf/authzpolicy.conf: I needed to give the web server read access.

    $ chgrp apache /var/trac/conf/authzpolicy.conf
    $ chmod 640 /var/trac/conf/authzpolicy.conf
    

    Once that issue was resolved I started to see different behaviour based on the permissions configured, and finally came up with the following for what I needed:

    [repository:UTILITIES@*]
    john = BROWSER_VIEW
    * = !BROWSER_VIEW
    
    [repository:*@*]
    john = !BROWSER_VIEW
    * = BROWSER_VIEW
    

    John can see UTILITIES but not the other repositories, and anonymous can see all repositories except UTILITIES.

    I realise that John can log out and see the other repositories. The main aim was to prevent anonymous users seeing the UTILITIES repository.
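The following is an added example, not Trac's own code and not part of the answer above. It re-implements the rule matching of tracopt.perm.authz_policy as documented (section names are fnmatch globs over resource keys like the ones in the debug log, a name without "@" gets "@*" appended, sections are tried in file order, the first applicable subject in the first matching section decides, "!ACTION" denies, and an unmentioned action is undecided and falls through to the next policy in permission_policies). Treat that reading of the semantics as an assumption and check it against the Trac version you run. ANSWER_CONF is the configuration from the answer, UTIL_KEY is a resource key copied from the debug log, and REPO1_KEY, the uid/gid numbers and the helper names are constructed for the example.

```python
"""Evaluate an authzpolicy.conf the way Trac's AuthzPolicy is documented to.

Added example, not Trac's code. Assumed semantics (verify for your version):
  * a section name is an fnmatch glob over a resource key such as
    "repository:UTILITIES@*/source:/trunk@68"; "@*" is appended if absent;
  * sections are tried in file order; in the first matching section the
    first rule whose subject applies ("*", "anonymous", "authenticated",
    the user name or a [groups] group the user belongs to) decides;
  * ACTION grants, "!ACTION" denies, "*" grants all, "!*" denies all;
    anything else is undecided (None) and the next policy is consulted.
"""
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple

Rules = List[Tuple[str, List[str]]]   # ordered (subject, permissions)
Authz = List[Tuple[str, Rules]]       # ordered (section glob, rules)


def parse_authz(text: str) -> Tuple[Authz, Dict[str, List[str]]]:
    """Parse authzpolicy.conf text, preserving section and rule order.

    Returns (sections, groups); groups maps a group name to its members.
    """
    sections: Authz = []
    groups: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            if current != "groups":
                sections.append((current, []))
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        subject, value = (part.strip() for part in line.split("=", 1))
        perms = [p.strip() for p in value.split(",") if p.strip()]
        if current == "groups":
            groups[subject] = perms
        else:
            sections[-1][1].append((subject, perms))
    return sections, groups


def check_permission(sections: Authz, groups: Dict[str, List[str]],
                     action: str, username: str,
                     resource_key: str) -> Optional[bool]:
    """True = granted, False = denied, None = this policy has no opinion."""
    if username and username != "anonymous":
        subjects = ["*", "authenticated", username]
        subjects += [g for g, members in groups.items() if username in members]
    else:
        subjects = ["*", "anonymous"]
    for glob, rules in sections:
        if "@" not in glob:
            glob += "@*"                         # e.g. "[*]" becomes "*@*"
        if not fnmatch(resource_key, glob):
            continue
        for subject, perms in rules:
            if subject not in subjects:
                continue
            if action in perms:
                return True
            if "!" + action in perms:
                return False
            if "*" in perms:
                return True
            if "!*" in perms:
                return False
            return None      # subject matched but says nothing about action
    return None


def readable_by(mode: int, file_uid: int, file_gid: int,
                uid: int, gids: List[int]) -> bool:
    """Can a non-root process (uid, gids) read a file with these stat bits?

    Models the chgrp apache / chmod 640 fix above: after the chgrp, the
    web server only needs the group read bit. Root (uid 0) bypasses these
    checks and is deliberately not modelled.
    """
    if uid == file_uid:
        return bool(mode & 0o400)
    if file_gid in gids:
        return bool(mode & 0o040)
    return bool(mode & 0o004)


# Constructed input: the working configuration from the answer above.
ANSWER_CONF = """
[repository:UTILITIES@*]
john = BROWSER_VIEW
* = !BROWSER_VIEW

[repository:*@*]
john = !BROWSER_VIEW
* = BROWSER_VIEW
"""

UTIL_KEY = "repository:UTILITIES@*/source:/trunk@68"   # from the debug log
REPO1_KEY = "repository:REPO1@*/source:/trunk@12"      # constructed


def evaluate(conf: str, username: str, key: str,
             action: str = "BROWSER_VIEW") -> Optional[bool]:
    sections, groups = parse_authz(conf)
    return check_permission(sections, groups, action, username, key)


if __name__ == "__main__":
    for user in ("john", "anonymous"):
        for key in (UTIL_KEY, REPO1_KEY):
            print(user, key, "->", evaluate(ANSWER_CONF, user, key))
```

Two things the evaluator makes visible that the answer only implies. First, section order matters: put `[repository:*@*]` before `[repository:UTILITIES@*]` and john is matched by the catch-all section first and loses BROWSER_VIEW on UTILITIES. Second, the answer's rules decide only BROWSER_VIEW; for any other action the debug log shows being checked against the same repository, such as CHANGESET_VIEW, this policy returns None and DefaultPermissionPolicy decides, so anonymous keeps whatever other repository permissions it holds there unless they are denied explicitly as well.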