annotate tools/fixroles.py @ 5726:e199d0ae4a25
issue2551033: prevent reverse engineering hidden data by using etags
as an oracle to identify when the right data has been
guessed. Identified by Joseph Myers who also suggested remediation
methods. Implemented by John Rouillard.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 23 May 2019 18:56:57 -0400 |
| parents | 52c8324d1539 |
| children |
| rev | line source |
|---|---|
1 import sys |
2 |
3 from roundup import admin |
4 |
class AdminTool(admin.AdminTool):
    # Cut-down variant of the roundup admin tool: only the do_*/help_*
    # methods defined on this subclass are registered as commands, which
    # here means "fixroles" alone.
    #
    # NOTE(review): fixroles rewrites the "roles" property of every user
    # returned by the user class, so site-specific roles and any Admin
    # grant held by an account not named "admin" are replaced. Record the
    # existing role assignments before running it and review them after.

    def __init__(self):
        # The parent initialiser is not called here; the attributes set
        # below are everything this constructor provides.
        # NOTE(review): confirm the parent's main() needs no further
        # attributes in the roundup version this runs against.
        self.commands = admin.CommandDict()
        self.help = {}
        # Only this subclass's own namespace is scanned, so commands
        # inherited from admin.AdminTool are not exposed.
        for name in AdminTool.__dict__:
            if name.startswith('do_'):
                self.commands[name[len('do_'):]] = getattr(self, name)
            if name.startswith('help_'):
                self.help[name[len('help_'):]] = getattr(self, name)
        self.instance_home = ''
        self.db = None

    def do_fixroles(self, args):
        '''Usage: fixroles
        Set the roles property for all users to reasonable defaults.

        The admin user gets "Admin", the anonymous user gets "Anonymous"
        and all other users get "User".
        '''
        # The docstring is kept word for word; presumably the parent tool
        # prints it as the command's usage text -- verify before editing.
        #
        # Roles are chosen purely by username and written unconditionally:
        # whatever roles a user held before are overwritten.
        fixed_roles = {'admin': 'Admin', 'anonymous': 'Anonymous'}
        user_class = self.get_class('user')
        for userid in user_class.list():
            username = user_class.get(userid, 'username')
            user_class.set(userid, roles=fixed_roles.get(username, 'User'))
        return 0
37 |
if __name__ == '__main__':
    # Build the restricted tool and hand main()'s result to the shell as
    # the process exit status.
    exit_status = AdminTool().main()
    sys.exit(exit_status)
