How to use AuthzPolicy
The authzpolicy.conf file is a .ini style configuration file.
- Each section of the config is a glob pattern used to match against a Trac
resource descriptor. These descriptors are in the form:
<realm>:<id>@<version>[/<realm>:<id>@<version> ...]
Resources are ordered left to right, from parent to child.
If any component is inapplicable, * is substituted.
If the version pattern is not specified explicitly, all versions (@*) are added implicitly.
e.g. the WikiStart page will be matched by:
    [wiki:*]
    [wiki:WikiStart*]
    [wiki:WikiStart@*]
    [wiki:WikiStart]
e.g. an attachment on WikiStart:
    wiki:WikiStart@117/attachment/FOO.JPG@*
any of the following sections would match it:
    [wiki:*]
    [wiki:WikiStart*]
    [wiki:WikiStart@*]
    [wiki:WikiStart@*/attachment/*]
    [wiki:WikiStart@117/attachment/FOO.JPG]
- Sections are checked against the current Trac resource IN ORDER of appearance in the configuration file. ORDER IS CRITICAL.
- Once a section matches, the current username is matched, IN ORDER, against the keys of the section. If a key is prefixed with a @, it is treated as a group. If a key is prefixed with a !, the permission is denied rather than granted. The username will match any of 'anonymous', 'authenticated', <username> or '*', using normal Trac permission rules.
Example configuration:
    [groups]
    administrators = athomas

    [*/attachment:*]
    * = WIKI_VIEW, TICKET_VIEW

    [wiki:WikiStart@*]
    @administrators = WIKI_ADMIN
    anonymous = WIKI_VIEW
    * = WIKI_VIEW

    # Deny access to page templates
    [wiki:PageTemplates/*]
    * =

    # Match everything else
    [*]
    @administrators = TRAC_ADMIN
    anonymous = BROWSER_VIEW, CHANGESET_VIEW, FILE_VIEW, LOG_VIEW, MILESTONE_VIEW, POLL_VIEW, REPORT_SQL_VIEW, REPORT_VIEW, ROADMAP_VIEW, SEARCH_VIEW, TICKET_CREATE, TICKET_MODIFY, TICKET_VIEW, TIMELINE_VIEW, WIKI_CREATE, WIKI_MODIFY, WIKI_VIEW
    # Give authenticated users some extra permissions
    authenticated = REPO_SEARCH, XML_RPC
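The first-match rule can be checked offline before a policy is deployed. The following is an added example, not Trac's own code: a simplified model of the section and key ordering described above, run over a constructed policy shaped like the example configuration. The names first_match and audit, the resource descriptors and the user bob are hypothetical; ! denial and expansion of meta-permissions such as TRAC_ADMIN are left out.

```python
from fnmatch import fnmatchcase

# Constructed policy modelled on the example configuration; list order = file order.
GROUPS = {"administrators": ["athomas"]}
POLICY = [
    ("*/attachment:*", [("*", ["WIKI_VIEW", "TICKET_VIEW"])]),
    ("wiki:WikiStart@*", [("@administrators", ["WIKI_ADMIN"]),
                          ("anonymous", ["WIKI_VIEW"]),
                          ("*", ["WIKI_VIEW"])]),
    ("wiki:PageTemplates/*", [("*", [])]),  # empty value: nothing granted
    ("*", [("@administrators", ["TRAC_ADMIN"]),
           ("anonymous", ["WIKI_VIEW", "TICKET_VIEW"]),
           ("authenticated", ["REPO_SEARCH", "XML_RPC"])]),
]


def first_match(policy, groups, resource, user):
    """Return (section, key, permissions) for the first match, else None."""
    # Assumption: a logged-in user matches '*', 'authenticated' and their own
    # name; a visitor without a login matches '*' and 'anonymous'.
    if user and user != "anonymous":
        names = {"*", "authenticated", user}
    else:
        names = {"*", "anonymous"}
    names |= {"@" + g for g, members in groups.items() if user in members}
    for section, entries in policy:
        # A section without a version pattern gets @* appended implicitly.
        glob = section if "@" in section else section + "@*"
        if not fnmatchcase(resource, glob):
            continue
        for key, perms in entries:  # keys are tried in file order
            if key in names:
                return section, key, perms
    return None


def audit(policy, groups, cases):
    """Map each (resource, user) case to the section and key that decided it."""
    return {case: first_match(policy, groups, *case) for case in cases}


if __name__ == "__main__":
    cases = [("wiki:PageTemplates/Bug@*", "anonymous"),
             ("wiki:PageTemplates/Bug@3/attachment:t.png@*", "anonymous"),
             ("wiki:WikiStart@*", "athomas")]
    for case, hit in audit(POLICY, GROUPS, cases).items():
        print(case, "->", hit)
    # Moving the catch-all [*] section to the top shadows every later section.
    print(first_match([POLICY[-1]] + POLICY[:-1], GROUPS, *cases[0]))
```

In this model the attachment on a page template is decided by [*/attachment:*] because that section appears before the [wiki:PageTemplates/*] deny, which is the kind of ordering effect worth auditing before relying on a deny section.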
