I'm using "MyPage" plugin for Trac.

I have figured out it is useful to store SSH keys on my private page as an attachment, so I can clone my Git repository from any computer. Then I found out that any user who can view the History tab can see the content of the attachment :/

Any idea how to secure this thing?

smooth reggae
killdaclick

1 Answer

Since in general this is meant as a feature, you'd like to just block one or several specific attachments from common view.

If this is true, TracFineGrainedPermissions is for you. Then you'll be able to have something like

[wiki:Users/KilldaclickHome@*/attachment/supersecret.file]
killdaclick = ATTACHMENT_VIEW
* = !ATTACHMENT_VIEW

to just deny access to the specific file to anyone but yourself. Have a look at the FineGrainedPageAuthzEditorPlugin for an alternative way to define these permissions (from the web UI instead of direct access to the authz file).

You'll certainly think twice about granting permission 'TRAC_ADMIN' - just a hint that these users can edit the file and possibly circumvent any restriction. But 'TRAC_ADMIN' will have 'ATTACHMENT_VIEW' anyway.

hasienda
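
Within an authz section the first entry that matches the user decides, so the line order in the answer's snippet matters: with `*` listed first, the owner is denied too. The following is an added example (not from the answer and not Trac's own code) that models this first-match rule for `*` and exact user names only. It leaves out groups and how Trac matches section names to resources, and the user `alice` and all function names are hypothetical.

```python
import configparser

def load_authz(text):
    """Parse authz policy text, keeping entry order and case."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # user names are case-sensitive
    cp.read_string(text)
    return cp

def decide(cp, section, user, action):
    """Simplified model: the first entry in the section that matches the
    user decides. True = grant, False = deny, None = no opinion."""
    names = {"*", user}
    for who, perms in cp[section].items():
        if who in names:
            perms = [p.strip() for p in perms.split(",")]
            if "!" + action in perms:
                return False
            return True if action in perms else None
    return None

def unreachable_entries(cp):
    """Entries listed after '*' in the same section can never match."""
    dead = []
    for section in cp.sections():
        seen_star = False
        for who in cp[section]:
            if seen_star:
                dead.append((section, who))
            seen_star = seen_star or who == "*"
    return dead

# Section name copied from the answer; this model does not interpret it.
SECTION = "wiki:Users/KilldaclickHome@*/attachment/supersecret.file"
# Constructed inputs: the answer's rule, and the same rule with lines swapped.
GOOD = f"[{SECTION}]\nkilldaclick = ATTACHMENT_VIEW\n* = !ATTACHMENT_VIEW\n"
BAD = f"[{SECTION}]\n* = !ATTACHMENT_VIEW\nkilldaclick = ATTACHMENT_VIEW\n"

if __name__ == "__main__":
    for label, text in (("answer's order", GOOD), ("swapped order", BAD)):
        cp = load_authz(text)
        print(label,
              "| owner:", decide(cp, SECTION, "killdaclick", "ATTACHMENT_VIEW"),
              "| alice:", decide(cp, SECTION, "alice", "ATTACHMENT_VIEW"),
              "| unreachable:", unreachable_entries(cp))
```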