Mercurial > p > roundup > code
annotate tools/fixroles.py @ 5257:928512faf565
- issue2550864: Potential information leakage via journal/history
Original code didn't fully implement the security checks.
Users with only Edit access on a property were not able to view the
journal entry for the property. This patch fixes that.
Also had additional info leakage: the target object of a link or
multilink must be viewable or editable in order for the journal entry
to be shown. Otherwise the existance of the target is exposed via the
journal while it is blocked from searches, direct access etc.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 27 Aug 2017 00:19:48 -0400 |
| parents | 52c8324d1539 |
| children |
| rev | line source |
|---|---|
|
1009
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
1 import sys |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
2 |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
3 from roundup import admin |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
4 |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
5 class AdminTool(admin.AdminTool): |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
6 def __init__(self): |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
7 self.commands = admin.CommandDict() |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
8 for k in AdminTool.__dict__.keys(): |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
9 if k[:3] == 'do_': |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
10 self.commands[k[3:]] = getattr(self, k) |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
11 self.help = {} |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
12 for k in AdminTool.__dict__.keys(): |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
13 if k[:5] == 'help_': |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
14 self.help[k[5:]] = getattr(self, k) |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
15 self.instance_home = '' |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
16 self.db = None |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
17 |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
18 def do_fixroles(self, args): |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
19 '''Usage: fixroles |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
20 Set the roles property for all users to reasonable defaults. |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
21 |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
22 The admin user gets "Admin", the anonymous user gets "Anonymous" |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
23 and all other users get "User". |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
24 ''' |
| 2410 | 25 # get the user class |
| 26 cl = self.get_class('user') | |
|
1009
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
27 for userid in cl.list(): |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
28 username = cl.get(userid, 'username') |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
29 if username == 'admin': |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
30 roles = 'Admin' |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
31 elif username == 'anonymous': |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
32 roles = 'Anonymous' |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
33 else: |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
34 roles = 'User' |
| 2410 | 35 cl.set(userid, roles=roles) |
|
1009
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
36 return 0 |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
37 |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
38 if __name__ == '__main__': |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
39 tool = AdminTool() |
|
fc55426544b5
more upgrading docco and a tool to fix roles
Richard Jones <richard@users.sourceforge.net>
parents:
diff
changeset
|
40 sys.exit(tool.main()) |