Trac is configured with multiple subversion repositories
http://trac.company.com/trac/browser/
REPO1 REPO2 REPO3
Currently staff access this as anonymous. I am adding a new repository UTILITIES that I don't want anonymous users to be able to see.
This is where AuthzPolicy comes in, but I am really struggling to get it working.
In trac.ini I have
[trac]
...
permission_policies = AuthzPolicy,
ReadonlyWikiPolicy,
DefaultPermissionPolicy,
LegacyAttachmentPolicy
[components]
...
tracopt.perm.authz_policy.* = enabled
[authz_policy]
authz_file = /var/trac/conf/authzpolicy.conf
But I am unable to figure out what I need to add in authzpolicy.conf to block BROWSER_VIEW from anonymous. I have tried (various combinations of):
[*]
* = !BROWSER_VIEW
anonymous = !BROWSER_VIEW
[repository:*]
* = !BROWSER_VIEW
anonymous = !BROWSER_VIEW
[repository:UTILITIES*]
* = !BROWSER_VIEW
anonymous = !BROWSER_VIEW
Nothing I seem to add in there blocks an anonymous user from browsing any repositories. The relevant bits from the debug log don't really shed any light either:
2019-09-19 12:33:19,518 Trac[authz_policy] DEBUG: Parsing authz security policy /var/trac/conf/authzpolicy.conf
2019-09-19 12:33:19,519 Trac[authz_policy] DEBUG: Checking BROWSER_VIEW on repository:UTILITIES@*/source:/@68
2019-09-19 12:33:19,521 Trac[authz_policy] DEBUG: Checking BROWSER_VIEW on repository:UTILITIES@*/source:/tags@68
2019-09-19 12:33:19,523 Trac[authz_policy] DEBUG: Checking BROWSER_VIEW on repository:UTILITIES@*/source:/branches@68
2019-09-19 12:33:19,524 Trac[authz_policy] DEBUG: Checking BROWSER_VIEW on repository:UTILITIES@*/source:/trunk@68
...
2019-09-19 12:33:19,628 Trac[authz_policy] DEBUG: Checking CHANGESET_VIEW on repository:UTILITIES@*/changeset:1@*
2019-09-19 12:33:19,636 Trac[authz_policy] DEBUG: Checking CHANGESET_VIEW on repository:UTILITIES@*/changeset:68@*
If I remove BROWSER_VIEW from anonymous in the DefaultPermissionPolicy then nothing can browse repositories, even when I put the following in authzpolicy.conf.
[*]
* = *
The main issue turned out to be permissions on /var/trac/conf/authzpolicy.conf. I needed to give the web server read access:
$ chgrp apache /var/trac/conf/authzpolicy.conf
$ chmod 640 /var/trac/conf/authzpolicy.conf
Once that issue was resolved I started to see different behaviour based on permissions configured, and finally came up with the following for what I needed:
[repository:UTILITIES@*]
john = BROWSER_VIEW
* = !BROWSER_VIEW
[repository:*@*]
john = !BROWSER_VIEW
* = BROWSER_VIEW
John can see UTILITIES but not the other repositories, and anonymous can see all repositories except UTILITIES.
I realise that John can log out and see the other repositories. The main aim was to prevent anonymous users seeing the UTILITIES repository.
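The two things that decided this question were the order and subject matching of the authz sections, and whether the web server could read the file at all. The following added example (not code from the question, the answer, or the Trac project) models both: it parses the accepted answer's configuration with a simplified reading of AuthzPolicy's rules (first section whose glob matches the resource key, first applicable subject line in it decides; an unmatched action makes the policy abstain so the next policy in permission_policies decides) and evaluates the resource keys seen in the debug log for john and anonymous; it also checks, from mode bits alone, whether a process running as a given uid/gid could read a file, which is the condition the chgrp/chmod fix restored. The subject names john and anonymous and the repository names come from the page; the function names and the simplified matching rules are this example's own assumptions, and Trac's own source is authoritative for the real policy.

```python
"""Added example: model an AuthzPolicy-style file and the file-permission check.

The matching rules here are a simplified reading of Trac's AuthzPolicy and are
an assumption of this example, not a copy of Trac's implementation.
"""
import configparser
import fnmatch
import os
import stat
import tempfile
import textwrap

# Constructed copy of the configuration from the accepted answer.
AUTHZ_CONF = textwrap.dedent("""\
    [repository:UTILITIES@*]
    john = BROWSER_VIEW
    * = !BROWSER_VIEW

    [repository:*@*]
    john = !BROWSER_VIEW
    * = BROWSER_VIEW
    """)


def parse_authz(text):
    """Return [(section_glob, [(subject, [perm, ...]), ...])] in file order.

    File order matters: the first section whose glob matches the resource key
    is the one consulted, so the specific UTILITIES section must come before
    the catch-all [repository:*@*] section.
    """
    cp = configparser.RawConfigParser(allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep 'BROWSER_VIEW', 'john' and '*' exactly as written
    cp.read_string(text)
    sections = []
    for name in cp.sections():
        glob = name if "@" in name else name + "@*"  # no revision given: match any
        rules = []
        for subject, value in cp.items(name):
            perms = [p.strip() for p in (value or "").split(",") if p.strip()]
            rules.append((subject, perms))
        sections.append((glob, rules))
    return sections


def check(sections, username, action, resource_key):
    """Return True (granted), False (denied) or None (policy abstains).

    Subjects that apply to a request: the exact username, 'authenticated' for
    any logged-in user, and '*' for everyone. 'anonymous' only matches its own
    name and '*', which is why '* = !BROWSER_VIEW' reaches anonymous users.
    """
    subjects = {"*", username}
    if username != "anonymous":
        subjects.add("authenticated")
    for glob, rules in sections:
        if not fnmatch.fnmatchcase(resource_key, glob):
            continue
        for subject, perms in rules:
            if subject not in subjects:
                continue
            # First applicable subject line in the first matching section decides.
            if action in perms or "*" in perms:
                return True
            if "!" + action in perms or "!*" in perms:
                return False
            return None  # matched, but says nothing about this action: abstain
    return None


def readable_by(path, uid, gid):
    """True if a process with this uid/primary gid can read path, judged from
    mode bits only (supplementary groups and ACLs are deliberately ignored)."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def mode_check_demo(mode):
    """Create a temp file with the given mode and report who could read it:
    the owner, a non-owner in the file's group (the web server after chgrp),
    and a non-owner outside the group."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        st = os.stat(path)
        other_uid = st.st_uid + 1  # constructed: some non-owner, non-root uid
        return {
            "owner": readable_by(path, st.st_uid, st.st_gid),
            "group": readable_by(path, other_uid, st.st_gid),
            "other": readable_by(path, other_uid, st.st_gid + 1),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    policy = parse_authz(AUTHZ_CONF)
    # Resource keys in the shape shown by the question's debug log.
    for user in ("john", "anonymous"):
        for key in ("repository:UTILITIES@*/source:/trunk@68",
                    "repository:REPO1@*/source:/@68",
                    "repository:UTILITIES@*/changeset:1@*"):
            print(user, "BROWSER_VIEW", key, "->", check(policy, user, "BROWSER_VIEW", key))
    print("mode 0640:", mode_check_demo(0o640))
```

Run stand-alone, the access matrix reproduces the answer's description: john is granted BROWSER_VIEW on UTILITIES and denied on REPO1, anonymous the reverse. Two points worth noting as a reviewer of such a file: the sections only mention BROWSER_VIEW, so for CHANGESET_VIEW on a UTILITIES changeset (which the debug log shows being checked) this model abstains and the default policy decides; and the mode check shows why `chmod 640` together with `chgrp apache` is what made the file readable by the server, since 0600 leaves a group member with no read bit.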