[Prev] Thread [Next]  |  [Prev] Date [Next]

Re: [Trac] How to permit only logged in users to make changes in trac Jani Tiainen Sat Sep 09 10:36:18 2006

Rainer Sokoll kirjoitti:
On Wed, Aug 30, 2006 at 12:38:21PM +0300, Jani Tiainen wrote:

This is apache's task (assumed you use apache).
For instance, I use mod_auth_ldap for authentication and have a "require
valid-user" in the appropriate location container in httpd.conf.
Actually it isn't directly resposibility of task of external authentication (like apache). (Depending on case)

What here needs to be done is revoke modify/add rights from "anonymous" user in Trac (by using tracadmin). Then anonymous is still able to browse but not change (I'm using this kind of an approach in our company server, anyone can browse, but only logged in can change)

Yes, but the term "anonymous" is a little bit confusing. With me
(apache forces everyone to authenticate), "anonymous" means "default".
If a user is autheticated for example as jtiainen, and there are no
special rights defined for jtiainen within trac, then he will granted
the permissions for anonymous - even he is jtiainen. In fact, I have no
anonymous users.

Autheticated users (logged in) will get permissions from "authenticated" virtual group, which is inherits "anonymous" (not logged in) permissions.

So my setup contains read-only rights for "anonymous" user, so you can browse wiki, tickets and source without logging in.

When anyone logs in he/she gest special permissions to manage wiki and tickets.

Then there is even further detailed permissions for Trac admins.

So in your case you have always "authenticated" users, but since you don't need special rights for them, you have adjusted "anonymous" user rights since all logged in users will inherit them....

More in-depth explanation about permissions can be found at: <http://trac.edgewall.org/wiki/TracPermissions>


Jani Tiainen
Trac mailing list