hzforge ships three Trac plugins under plugins/. Each is a single source tree
built into a py2.py3-none-any universal wheel (one artifact runs on both the
Python 2.7 Trac 1.0.x stack today and the Python 3.6 Trac 1.6 stack post-migration)
and installed system-wide, so a single install in site-packages serves every Trac
env on the host via [trac.plugins] entry-point discovery.
| Plugin | Package | Version | Role |
|---|---|---|---|
plugins/mysqlauthz |
hubzero-trac-mysqlauthz |
2.4.5 | Authorization — IPermissionStore + IPermissionGroupProvider against the HUBzero CMS MySQL DB |
plugins/cmsauth |
hubzero-trac-cmsauth |
1.0.6 | Authentication — single sign-on against the HUBzero CMS (subclass of trac.web.auth.LoginModule) |
plugins/macros |
hubzero-trac-macros |
0.1.1 | Two wiki macros ([[image]], [[link]]) used by forge tool wikis |
Reads users, groups, and per-project Trac permissions from the CMS MySQL DB
(jos_users, jos_xgroups, jos_xgroups_members, jos_trac_*_permission,
jos_trac_project, …). Connection params come from /etc/hubzero.conf +
configuration.php. Forked from upstream 2.2.5; the 2.2.5→2.4.x jump is real
behavior change (parameterized SQL, a connection-management rewrite, the
2011-broken get_permission_groups query fix).
Operational knob: [hubzero] fail_closed (default false). When true, a CMS
DB exception or unresolved project_id raises TracError (HTTP 500) instead of
silently degrading to an empty permission set — useful where you'd rather a page
fail loudly than quietly hide admin functions during a DB outage. Either way, an
operator-visible [!] HUBzero DB unreachable banner appears in the metanav for
logged-in users after a recent DB error and auto-clears on the next clean query.
Replaces Apache LDAP-Basic auth at /tools/<env>/login with HUBzero CMS SSO via
the /api/v1.1/members/currentuser endpoint. A single Component,
HubzeroSSOLoginModule, thinly subclasses trac.web.auth.LoginModule and reuses
all of Trac's own auth_cookie/trac_auth machinery; it overrides only the hooks
that need to know about HUBzero. Enable per env in trac.ini:
[components]
hubzero_cmsauth.* = enabled
trac.web.auth.LoginModule = disabledhzforge enable-cmsauth <env> does this and carves the env out of the LDAP
<LocationMatch> in one step. Notable options (all under [hubzero_cmsauth]):
| Option | Default | Meaning |
|---|---|---|
api_path |
/api/v1.1/members/currentuser |
CMS endpoint returning the current user's profile |
verify_tls |
true |
validate the CMS API cert; set false only for self-signed dev hubs |
recheck_interval_seconds |
0 (off) |
when positive, periodically re-validate the session against the CMS and invalidate trac_auth on a CMS-side rename/deactivation |
One CMS API call per browser session (login only) — subsequent requests use Trac's
local trac_auth fast path.
[[image <name>]] and [[link <path> <text>]], env-agnostic (URLs built from
self.env.abs_href()). Replaces the legacy per-env plugins/image.py /
link.py copies; hzforge upgrade-trac enables the system-wide plugin and
disables the per-env files. 0.1.1 fixed a stored XSS carried over from
upstream — both macros now HTML-escape all wiki-author-controlled input before
emitting markup.
cd plugins/<name>
make test-all # pytest on Py3.6 AND Py2.7 (no tox; see the plugin README)
python3 -m build --wheel # -> dist/<name>-<ver>-py2.py3-none-any.whlInstall with umask 022 (root's default 0077 makes site-packages
unreadable to the apache user, breaking Trac under mod_wsgi) and --no-deps
(the wheels deliberately omit Trac from install_requires so a routine
reinstall can't upgrade the host's Trac out from under the running daemons):
sudo sh -c 'umask 022 && pip2 install --no-deps --upgrade dist/<wheel>'
sudo sh -c 'umask 022 && pip3 install --no-deps --upgrade dist/<wheel>'For a same-version reinstall, pip uninstall first — pip 9 (the Py2 default)
skips --force-reinstall of an already-installed version. After installing,
recycle the mod_wsgi daemon (touch /opt/trac/wsgi/hubtrac.wsgi, or
systemctl reload httpd).
All three plugins + the installer went through a full adversarial review. Fixes
shipped: the cmsauth open-redirect (/\evil.com backslash bypass) and the macros
stored XSS were the two criticals; mysqlauthz was confirmed free of SQL injection
and authorization-scoping bugs (its SQL is fully parameterized, including the
dynamic IN() clause, and every read is scoped by trac_project_id). The current
versions above include every fix.