1

After installing my Trac instance I removed the anonymous user since I don't want anonymous users to enter the system. However, when browsing to the Trac instance and failing to log in (authentication is handled by Apache using an htpasswd file), Trac will display an error page and display in the top right corner the Login and Preferences links. Clicking the Preferences link will bring a not authenticated user to the Preferences page where changes can be made (like time-zone amongst other things).

I can remove the Preferences link from the menu by setting it to disabled in the [metanav] section of trac.ini:

    [metanav]
    prefs = disabled

However, even though the link isn't there anymore visually, anyone can still navigate to it by adding /prefs to the URL. How do I effectively remove the Preferences link for not authenticated users in Trac?

Luke

3 Answers

2

The preferences only affect the current user session, so an anonymous user can set their own preferences, but won't affect any other users (even other anonymous users). What is the concern with having that available?

retracile
1

You may want to use ApacheAuth for Trac (possibly against AD, LDAP, or just .htpasswd): that way only authenticated users get to see the page in the first place.

Also you wouldn't have to worry about the Trac logon process being secure (spam etc).

Posipiet
  • +1 would have been my suggestion. – David Pashley Jun 07 '09 at 07:18
  • I do have Apache authentication set up. When you log in with a non-valid username/password, Trac will show an error page with the Preferences link in the top right corner. Meaning, anyone can change the preferences. – Luke Jun 07 '09 at 08:48
  • How does Apache accept a not valid username / password? Do you have "require valid-user" in the Virtualhost / Location / Directory settings? Sorry - the actual scripts are at work, and I am at home. – Posipiet Jun 07 '09 at 10:11
  • Yes. "require valid-user" is set in the . – Luke Jun 07 '09 at 10:35
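
The difference this answer and its comments turn on, shown as an added configuration example (not taken from any poster's setup): in a common Trac layout only the login URL is placed behind Apache authentication, so every other path is still served to anonymous visitors. The `/trac` URL prefix and the htpasswd path are placeholders.

```apache
# Constructed example; /trac and /path/to/trac.htpasswd are placeholders.
# Use one of the two blocks, not both.

# Weak: only the login URL asks for credentials. Every other path,
# /trac/prefs included, is handed to Trac as the anonymous user.
<Location "/trac/login">
    AuthType Basic
    AuthName "Trac"
    AuthUserFile /path/to/trac.htpasswd
    Require valid-user
</Location>

# Stricter: the whole Trac URL space requires a valid user. A failed
# login ends in Apache's own 401 response, and the request never
# reaches Trac, so no Trac page (error page or /prefs) is rendered.
<Location "/trac">
    AuthType Basic
    AuthName "Trac"
    AuthUserFile /path/to/trac.htpasswd
    Require valid-user
</Location>
```

With the second form in place, an unauthenticated request for the `/prefs` path should come back with status 401 from Apache rather than a page generated by Trac.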
0

    trac-admin /opt/trac/$setup_name permission remove anonymous '*'

This should take away all permissions for anonymous users.

UPDATE: Apparently that did not have the desired outcome for Luke.

SUGGESTION 2: What if you re-add anonymous and then lock it down? #1 comment mentioned that the preference page being public isn't that big of a deal. Would that work for you, Luke?

KPWINC
  • Yes I know that. But if you read my question (instead of just looking at the title) then you might understand the issue I'm dealing with. – Luke Jun 07 '09 at 06:33