Trac FineGrainedPermissions for repository - sample code

gistfile1.py

from trac.core import *
from trac.perm import IPermissionPolicy

class MultiRepoPermissionSystem(Component):
    implements(IPermissionPolicy)

    # Helper methods                                                                                                                                                             

    def parent_repository(self, resource):
        while True:
            if resource is None:
                return None
            if resource.realm == 'repository':
                return resource
            resource = resource.parent

    # IPermissionPolicy methods                                                                                                                                                  

    def check_permission(self, action, username, resource, perm):
        ## This policy only covers entities that live within a repository                                                                                                        
        ## so we'll decline to state any permission if it's not a repository subresource                                                                                         
        repository = self.parent_repository(resource)
        if repository is None:
            return None

        ## Example policy implementation follows

        ## Allow any user to do anything on a repository that has the same name as the user
        if repository.id == username:
            return True
        ## Don't let any user view any changesets!
        if action == "CHANGESET_VIEW":
           return False
        ## Otherwise, defer to the rest of the permission policies
        return None