Mercurial Repository: p/roundup/code: website/issues/schema.py comparison

comparison website/issues/schema.py @ 4902:a403c29ffaf9

Security fix default user permissions Default user permissions should not include all user attributes. We now limit this to the username, realname and some further attributes depending on the schema. Note that we no longer include the email addresses, depending on your installation you may want to further restrict this or add some attributes like ``address`` and ``alternate_addresses``.

author	Ralf Schlatterbeck <rsc@runtux.com>
date	Fri, 04 Jul 2014 15:32:28 +0200
parents	a4dc087f3088
children	276fe92c81c9

comparison

equal deleted inserted replaced

-:fa268ea457db
+:a403c29ffaf9
 db.security.addPermissionToRole('Coordinator', 'Edit', cl)
 db.security.addPermissionToRole('Coordinator', 'Create', cl)
 db.security.addPermissionToRole('Coordinator', 'SB: May Classify')
-# May users view other user information? Comment these lines out
+# Allow Users and Developers to view most user properties.
-# if you don't want them to
+p =  db.security.addPermission(name='View', klass='user',
-db.security.addPermissionToRole('User', 'View', 'user')
+properties=('id', 'username', 'address', 'realname', 'phone',
-db.security.addPermissionToRole('Developer', 'View', 'user')
+'organisation', 'alternate_addresses', 'timezone'))
+db.security.addPermissionToRole('User', p)
+db.security.addPermissionToRole('Developer', p)
+# Coordinator may view all user properties.
 db.security.addPermissionToRole('Coordinator', 'View', 'user')
 # Allow Coordinator to edit any user, including their roles.
 db.security.addPermissionToRole('Coordinator', 'Edit', 'user')
 db.security.addPermissionToRole('Coordinator', 'Web Roles')

Mercurial > p > roundup > code

comparison website/issues/schema.py @ 4902:a403c29ffaf9