Mercurial Repository: p/roundup/code: doc/upgrading.txt comparison

comparison doc/upgrading.txt @ 5113:cf112b90fa8d

issue2550855: added search perms for anonymous to the user class. This lets the "show unassigned" search work for anonymous. Patch by Stuart McGraw. Added warning to upgrading.txt and a comment block before the schema change in every template tracker except minimal (doesn't have the search).

author	John Rouillard <rouilj@ieee.org>
date	Thu, 30 Jun 2016 21:08:15 -0400
parents	67fad01d2009
children	722394a48d7b

comparison

equal deleted inserted replaced

-:8901cc4ef0e0
+:cf112b90fa8d
 If your deployed tracker is based on: classic, minimal, responsive or
 devel templates and has not changed the html/_generic.404.html file,
 you can copy in the new file to get this additional functionality.
+Schema change to allow "Show Unassigned" issues link to work for Anonymous user
+-------------------------------------------------------------------------------
+In this release the anonymous user is allowed to search the user
+class. The following was added to the schema for all templates that
+provide the search option::
+p = db.security.addPermission(name='Search', klass='user')
+db.security.addPermissionToRole ('Anonymous', p)
+If you are running a tracker that **does not** allow read access for
+anonymous, you should remove this entry as it can be used to perform
+a username guessing attack against a roundup install.
 Migrating from 1.5.0 to 1.5.1
 =============================
 User data visibility

Mercurial > p > roundup > code

comparison doc/upgrading.txt @ 5113:cf112b90fa8d