diff share/roundup/templates/jinja2/schema.py @ 5113:cf112b90fa8d
issue2550855: added search perms for anonymous to the user class.
This lets the "show unassigned" search work for anonymous.
Patch by Stuart McGraw.
Added warning to upgrading.txt and a comment block before the schema
change in every template tracker except minimal (doesn't have the
search).
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 30 Jun 2016 21:08:15 -0400 |
| parents | a403c29ffaf9 |
| children | 94a7669677ae |
--- a/share/roundup/templates/jinja2/schema.py Thu Jun 30 20:38:23 2016 -0400 +++ b/share/roundup/templates/jinja2/schema.py Thu Jun 30 21:08:15 2016 -0400 @@ -170,6 +170,14 @@ for cl in 'issue', 'file', 'msg', 'keyword', 'priority', 'status': db.security.addPermissionToRole('Anonymous', 'View', cl) +# Allow the anonymous user to use the "Show Unassigned" search. +# It acts like "Show Open" if this permission is not available. +# If you are running a tracker that does not allow read access for +# anonymous, you should remove this entry as it can be used to perform +# a username guessing attack against a roundup install. +p = db.security.addPermission(name='Search', klass='user') +db.security.addPermissionToRole ('Anonymous', p) + # [OPTIONAL] # Allow anonymous users access to create or edit "issue" items (and the # related file and message items)
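Review bot: The Search permission on the user class is granted to Anonymous unconditionally in the two added statements, although the comment directly above them says the entry enables a username guessing attack on trackers that do not allow anonymous read access. That makes the less safe setting the default, and an admin has to read the schema to find out. Consider shipping the grant commented out under an [OPTIONAL] marker, as the block that follows does for anonymous create/edit access, or at least have the comment name the setting an admin should check before keeping it. Minor style point: `db.security.addPermissionToRole ('Anonymous', p)` has a space before the opening parenthesis, unlike the `db.security.addPermissionToRole('Anonymous', 'View', cl)` call in the context line above.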
