diff doc/upgrading.txt @ 4902:a403c29ffaf9

Security fix: default user permissions

Default user permissions should not include all user attributes. We now limit this to the username, realname and some further attributes depending on the schema. Note that we no longer include the email addresses; depending on your installation you may want to further restrict this or add some attributes like ``address`` and ``alternate_addresses``.
author Ralf Schlatterbeck <rsc@runtux.com>
date Fri, 04 Jul 2014 15:32:28 +0200
parents fa268ea457db
children cf22972fe080
--- a/doc/upgrading.txt	Wed Jun 25 13:19:42 2014 +1000
+++ b/doc/upgrading.txt	Fri Jul 04 15:32:28 2014 +0200
@@ -23,6 +23,23 @@
 Migrating from 1.5.0 to 1.5.1
 =============================
 
+For security reasons you should change the permissions on the user
+class. We previously shipped a configuration that allowed users to see
+too many of other users details, including hashed passwords under
+certain circumstances. In schema.py in your tracker, replace the line::
+
+   db.security.addPermissionToRole('User', 'View', 'user')
+
+with::
+
+   p = db.security.addPermission(name='View', klass='user',
+       properties=('id', 'organisation', 'phone', 'realname',
+       'timezone', 'username'))
+   db.security.addPermissionToRole('User', p)
+
+Note that this removes visibility of user emails, if you want emails to
+be visible you can add 'address' and 'alternate_addresses' to the list
+above.
 If you have defined your own cgi actions in your tracker instance
 (e.g. in a custom ``extensions/spambayes.py`` file) you need to modify
 all cases where client.error_message or client.ok_message are modified
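Review bot: the inserted paragraph ending with "above." runs straight into the existing paragraph "If you have defined your own cgi actions in your tracker instance" with no blank line between them, so in reStructuredText the two render as one paragraph; add an empty line after "above." to keep the new security note separate. A second point on the replacement snippet: the ``properties`` tuple hard-codes 'id', 'organisation', 'phone', 'realname', 'timezone' and 'username', but the commit message itself says the attribute set depends on the schema, so the text should tell administrators to trim the tuple to the properties their ``user`` class actually defines rather than paste it verbatim, and should say explicitly that the old one-line form granted View on every property of ``user`` (which is the exposure being closed).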

Roundup Issue Tracker: http://roundup-tracker.org/