| changeset | 984bc9f94ec6 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | chore: format schema.pys in templates so ruff is ok. Also makes comparing them easier. |
| files |
| changeset | c087ad45bf4d |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | update Anonymous Create user to Register user permissions the devel and responsive tracker templates still had the old Create user permissions for the anonymous user. Replace with the Regiter permission that has been the standard since 1.4.11 maybe. Also update references to Create permission in comment for the Email Access permission for anon user. |
| files |
| changeset | 94a7669677ae |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | add permissions to control user of rest and xmlrpc API interfaces. issue2551058: Add new permissions: 'Rest Access' and 'Xmlrpc Access' to allow per-user access control to rest and xmlrpc interfaces using roles. Updated all schemas to add these new perms to all authenticated roles. Error conditions in handle_xmlrpc were not working right in manual testing. I tried to make it a little better, but I don't actually understand how the fault xmlrpc object is supposed to be used. So I may have messed something up. I'll try to ping the people who wrote the xmlrpc code to have them review. |
| files |
| changeset | 1c90f15a177f |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2550831: Make the classic template query.edit page work. Forgot to update the classic schema.py with the Restore permissions for the query class for the User role. Also forgot to document same in upgrading.txt. |
| files |
| changeset | cf112b90fa8d |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2550855: added search perms for anonymous to the user class. This lets the "show unassigned" search work for anonymous. Patch by Stuart McGraw. Added warning to upgrading.txt and a comment block before the schema change in every template tracker except minimal (doesn't have the search). |
| files |
| changeset | a403c29ffaf9 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Ralf Schlatterbeck <rsc@runtux.com> |
| description | Security fix default user permissions Default user permissions should not include all user attributes. We now limit this to the username, realname and some further attributes depending on the schema. Note that we no longer include the email addresses, depending on your installation you may want to further restrict this or add some attributes like ``address`` and ``alternate_addresses``. |
| files |
| changeset | 261c9f913ff7 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net> |
| description | - Add explicit "Search" permissions, see Security Fix below. - Security Fix: Add a check for search-permissions: now we allow searching for properties only if the property is readable without a check method or if an explicit search permission (see above unter "Features) is given for the property. This fixes cases where a user doesn't have access to a property but can deduce the content by crafting a clever search, group or sort query. see doc/upgrading.txt for how to fix your trackers! |
| files |
| changeset | b30bdfae4461 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | Fix security hole allowing user permission escalation (thanks Ralf Schlatterbeck) also update docs and prepare for a release |
| files |
| changeset | 42331c201b02 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Stefan Seefeld <stefan@seefeld.name> |
| description | Fix issue2550553. |
| files |
| changeset | 34434785f308 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Richard Jones <richard@users.sourceforge.net> |
| description | Plug a number of security holes: - EditCSV and ExportCSV altered to include permission checks - HTTP POST required on actions which alter data - HTML file uploads served as application/octet-stream - New item action reject creation of new users - Item retirement was not being controlled Additionally include documentation of the changes and modify affected tests. |
| files |
| changeset | a6fdaaa3a8bd |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Stefan Seefeld <stefan@seefeld.name> |
| description | Move templates/ to share/roundup/templates/ |
| files |