Retrieve a list of all users in Trac - trac

Is there a way to get all users of the current Trac environment via Python? Similar to model.Priority.select(self.env) which returns a list of all priorities. Maybe there is a method of the Trac Account Manager?

Environment.get_known_users() will give you a list of all known users that have logged in. Inside a class inheriting from Component you can use self.env.get_known_users().

Related

How to create a hierarchy in Cumulocity?

I have a question regarding Cumulocity. I want to create a site hierarchy in Cumulocity. We can go up to sub-tenant level only, but I want to create a hierarchy up to 2 levels.
Let's take an example of schools, its locations, and different branches. Here I want to attach an owner with each branch and that owner should be able to register only their own users and devices. I was trying to achieve it using groups, roles etc but was not able to do it. If anyone can suggest how to proceed for this use case.
I can see two possible options using which this can be tried:
Groups
Custom Apps (Angular apps)
But I am not sure how to proceed as there is no direct UI for the user to group assignment and REST API for this assignment is giving me errors.
You can use the inventory permissions for configuring access rights that are limited to a certain group (see the documentation).
The managing of only your own users can be achieved by giving a user the global permission for USER_MANAGEMENT_CREATE. Make sure to revoke the ADMIN and READ role as well.
I would not recommend solving this with apps on the UI side. That way you can of course hide information from the user, but he may still be able to access it via the API. Only with RBAC can you really ensure at the API level that access is managed correctly.

Permission linking between LDAP users groups and Django permissions (custom if possible)

Hello again everyone,
I have a question: I successfully implemented django-auth-ldap, and the LDAP users can successfully request my DRF API. But now, for my project's needs, I have to define permissions depending on the group.
Indeed, I will have like 12 groups in my app. Depending on the group, I will authorize or not the user to request a given route, BUT even if I defined the global var AUTH_LDAP_MIRROR_GROUPS = True, and saw in my database they are linked to a group (see capture):
Users in database
Groups from LDAP inserted in db thx to django-auth_ldap settings
User linked to the groups defined
But now, I have some other problems: I do not know how to implement permissions depending on the group the user belongs to. In fact, if a user belongs to the group ServerAdministrator, I want to allow him to access every accessible route, but I don't know where to see this in the received request in my view?
As I understood, I should implement custom permissions I should write programmatically in a User object (which should inherit from django AbstractUser).
If yes, how does it work? Should I empty my whole database and then let django-auth-ldap insert users, and will it also create the given permissions defined inside the database?
Maybe it is not clear, do not hesitate to ask questions if I can be more precise.
Kind regards.
Benjamin

Grant a JIRA user read-only access to user-browser

I need to create a Jira user/role for our support team to be able to login to JIRA and see what groups a user belongs to. They don't need to be able to edit or change anything, this should be read only, and ideally they would only access the user-browser. Jira 3.13.2 with Oracle DB.
Seeing who is in a group in JIRA is only allowed for members of jira-administrators. JIRA recommends using JIRA project roles rather than groups because they can be seen in more places and modified by project administrators.
If you really need this then I'd pursue custom development to change which groups are shown for a user in their profile. It looks like the original three jira-* groups are shown to everyone but not groups that were added.

AuthzPolicy permissions for specific tickets in trac

I'm using the AuthzPolicy-plugin to manage the permissions in a trac-env. Now I would like to set a permission that disallows all users except for the admins from viewing tickets with a specific status.
I tried a lot, such as the following entry in the authzpolicy.conf:
[ticket:*/status:new]
#administrators = TICKET_VIEW
* =
Does the AuthzPolicy-plugin provide permission-setting for tickets with a specific status, owner or something else?
mutetella
Trac's permissions system is focused on the component level. You can turn on or off access to an entire component, but not to sub-content inside of that component.
That being said, you can create a plugin that emulates a more fine-grained permissions system. The plugin would need to implement IRequestFilter and inspect the URL of pages when they load. It would extract the ticket number from the URL, look up the ticket details in the database, and determine if the current user should view that page. If the user doesn't have permission, the plugin would re-direct the request to an error page. This is not too incredibly difficult to do (I've done it before to guard a specific wiki page), but it's hard to maintain because it's a separate permissions mechanism that's completely independent of Trac's permissions system.
TracFineGrainedPermissions can use any property represented in the resource path.
Revisions do, so you'll find an example explained as "John has BROWSER_VIEW and FILE_VIEW access to only revision 1 of 'somefile' at trunk/src/some/location only"
So the direct answer to your question is No, you can't do the same depending on ticket status, because all tickets look the same from the resource URL regardless of their status, sorry.
I agree that you can resort to implementing a custom policy as already outlined by bta as a last resort.
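
One way to implement the custom policy mentioned in the answers above, using Trac's IPermissionPolicy extension point instead of the IRequestFilter approach. This is an added example, not code from the thread or from Trac; the names RESTRICTED_STATUSES, find_ticket, decide, TicketStatusPolicy and FakeResource are chosen here, and it assumes Trac 1.0 or later for env.db_query.

```python
"""Deny access to tickets in restricted statuses for everyone but TRAC_ADMIN."""
from collections import namedtuple

RESTRICTED_STATUSES = frozenset({"new"})   # assumption: statuses to hide


def find_ticket(resource):
    """Walk up the resource parentage (e.g. attachment -> ticket)."""
    while resource is not None and resource.realm != "ticket":
        resource = resource.parent
    return resource


def decide(action, resource, is_admin, status_of):
    """Return False to deny, None to let later policies decide.

    is_admin:  callable() -> bool, evaluated only when needed
    status_of: callable(ticket_id) -> status string, or None if not found
    """
    if action == "TRAC_ADMIN":          # avoid recursing into our own check
        return None
    ticket = find_ticket(resource)
    if ticket is None or ticket.id is None:
        return None                     # realm-level check, not one ticket
    if status_of(ticket.id) in RESTRICTED_STATUSES and not is_admin():
        return False
    return None


try:                                    # Trac glue, defined only under Trac
    from trac.core import Component, implements
    from trac.perm import IPermissionPolicy

    class TicketStatusPolicy(Component):
        implements(IPermissionPolicy)

        def _status(self, ticket_id):
            for (status,) in self.env.db_query(
                    "SELECT status FROM ticket WHERE id=%s", (ticket_id,)):
                return status
            return None

        def check_permission(self, action, username, resource, perm):
            return decide(action, resource,
                          lambda: "TRAC_ADMIN" in perm, self._status)
except ImportError:
    pass

# Constructed stand-in for trac.resource.Resource, used for offline checks.
FakeResource = namedtuple("FakeResource", "realm id parent")
```

The policy only takes effect when it is listed in the permission_policies option of the [trac] section ahead of DefaultPermissionPolicy, because the first policy that returns a non-None answer decides.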

Symfony2: How to find the users that have permissions for a certain domain object?

In our application based on Symfony2 we would like to create a list of which of the users in the system have permissions for a given domain object. We are using ACL and our immediate instinct was to look in the ACL-object returned from the ACLProvider of the domain object in question, for methods that could return the users (or at least SecurityIdentities) that have permissions, but I could not find such methods.
We are certain that this functionality is available through the API, but we cannot find where these methods are hidden.
EDIT An alternative would be to look up these connections in the acl-tables directly and finding out that way, but it would not be very pretty and we would probably be reinventing the wheel.
By default, the authorizations are specified in the file app/config/security.yml. It describes whether a Role is allowed or not to access some modules.
There are some differences between Authorization and Permissions.
Permissions are not managed by default by Symfony but through specific development (or bundles...)