Mercurial Repository: p/roundup/code: doc/customizing.txt comparison

comparison doc/customizing.txt @ 6466:258385cad27e

Add search perm and update default perms Search permission was not documented. Add that. Doc of schema permissions had diverged from classic template. Update from current classic template.

author	John Rouillard <rouilj@ieee.org>
date	Wed, 11 Aug 2021 12:45:04 -0400
parents	2bd60def4fed
children	60532cafc62a

comparison

equal deleted inserted replaced

-:bed1313898d4
+:258385cad27e
 A set of Permissions is built into the security module by default:
 - Create (everything)
 - Edit (everything)
+- Search (everything) (used if View does not permit access)
 - View (everything)
 - Register (User class only)
 These are assigned to the "Admin" Role by default, and allow a user to do
 anything. Every Class you define in your `tracker schema`_ also gets an
 `directions in the rest interface documentation`_ and the
 `xmlrpc interface documentation`_.
 These are hooked into the default Roles:
-- Admin (Create, Edit, View and everything; Web Roles)
+- Admin (Create, Edit, Search, View and everything; Web Roles)
 - User (Web Access; Email Access)
 - Anonymous (Web Access)
 And finally, the "admin" user gets the "Admin" Role, and the "anonymous"
 user gets "Anonymous" assigned when the tracker is installed.
 db.security.addPermissionToRole('User', 'Rest Access')
 db.security.addPermissionToRole('User', 'Xmlrpc Access')
 # Assign the access and edit Permissions for issue, file and message
 # to regular users now
-for cl in 'issue', 'file', 'msg', 'query', 'keyword':
+for cl in 'issue', 'file', 'msg', 'keyword':
 db.security.addPermissionToRole('User', 'View', cl)
 db.security.addPermissionToRole('User', 'Edit', cl)
 db.security.addPermissionToRole('User', 'Create', cl)
 for cl in 'priority', 'status':
 db.security.addPermissionToRole('User', 'View', cl)
 # May users view other user information? Comment these lines out
 # if you don't want them to
-db.security.addPermissionToRole('User', 'View', 'user')
+p = db.security.addPermission(name='View', klass='user',
+	properties=('id', 'organisation', 'phone', 'realname', 'timezone',
-# Users should be able to edit their own details -- this permission
+	'username'))
-# is limited to only the situation where the Viewed or Edited item
+db.security.addPermissionToRole('User', p)
-# is their own.
+# Users should be able to edit their own details -- this permission is
+# limited to only the situation where the Viewed or Edited item is their own.
 def own_record(db, userid, itemid, **ctx):
 '''Determine whether the userid matches the item being accessed.'''
 return userid == itemid
 p = db.security.addPermission(name='View', klass='user', check=own_record,
 description="User is allowed to view their own user details")
 db.security.addPermissionToRole('User', p)
 p = db.security.addPermission(name='Edit', klass='user', check=own_record,
+properties=('username', 'password', 'address', 'realname', 'phone',
+'organisation', 'alternate_addresses', 'queries', 'timezone'),
 description="User is allowed to edit their own user details")
+db.security.addPermissionToRole('User', p)
+# Users should be able to edit and view their own queries. They should also
+# be able to view any marked as not private. They should not be able to
+# edit others' queries, even if they're not private
+def view_query(db, userid, itemid):
+	private_for = db.query.get(itemid, 'private_for')
+	if not private_for: return True
+	return userid == private_for
+def edit_query(db, userid, itemid):
+	return userid == db.query.get(itemid, 'creator')
+p = db.security.addPermission(name='View', klass='query', check=view_query,
+	description="User is allowed to view their own and public queries")
+db.security.addPermissionToRole('User', p)
+p = db.security.addPermission(name='Search', klass='query')
+db.security.addPermissionToRole('User', p)
+p = db.security.addPermission(name='Edit', klass='query', check=edit_query,
+	description="User is allowed to edit their queries")
+db.security.addPermissionToRole('User', p)
+p = db.security.addPermission(name='Retire', klass='query', check=edit_query,
+	description="User is allowed to retire their queries")
+db.security.addPermissionToRole('User', p)
+p = db.security.addPermission(name='Restore', klass='query', check=edit_query,
+	description="User is allowed to restore their queries")
+db.security.addPermissionToRole('User', p)
+p = db.security.addPermission(name='Create', klass='query',
+	description="User is allowed to create queries")
 db.security.addPermissionToRole('User', p)
 #
 # ANONYMOUS USER PERMISSIONS
 #
 #db.security.addPermissionToRole('Anonymous', 'Email Access')
 # Assign the appropriate permissions to the anonymous user's Anonymous
 # Role. Choices here are:
 # - Allow anonymous users to register
-db.security.addPermissionToRole('Anonymous', 'Create', 'user')
+db.security.addPermissionToRole('Anonymous', 'Register', 'user')
 # Allow anonymous users access to view issues (and the related, linked
 # information)
 for cl in 'issue', 'file', 'msg', 'keyword', 'priority', 'status':
 db.security.addPermissionToRole('Anonymous', 'View', cl)
+# Allow the anonymous user to use the "Show Unassigned" search.
+# It acts like "Show Open" if this permission is not available.
+# If you are running a tracker that does not allow read access for
+# anonymous, you should remove this entry as it can be used to perform
+# a username guessing attack against a roundup install.
+p = db.security.addPermission(name='Search', klass='user')
+db.security.addPermissionToRole ('Anonymous', p)
 # [OPTIONAL]
 # Allow anonymous users access to create or edit "issue" items (and the
 # related file and message items)
 #for cl in 'issue', 'file', 'msg':

Mercurial > p > roundup > code

comparison doc/customizing.txt @ 6466:258385cad27e