diff doc/user_guide.txt @ 7093:f72ce883e677
Mitigation for issue2551246 -u option to roundup-admin
The -u option ignores the password and doesn't limit access to the
data.
Not a huge issue as currently anybody running it must have read access
to the tracker home and all the credentials. So they can change the
data directly using a db client or read anything they want.
But this wasn't documented. Now it is.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Wed, 30 Nov 2022 02:09:16 -0500 |
| parents | f0d39308819f |
| children | 86862ed039fa |
--- a/doc/user_guide.txt Wed Nov 30 00:01:48 2022 -0500 +++ b/doc/user_guide.txt Wed Nov 30 02:09:16 2022 -0500 @@ -850,6 +850,20 @@ If either the name or password is not supplied, they are obtained from the command-line. +The ``-u user`` setting does not currently operate like a +user logging in via the web. The user running roundup-admin +must have read access to the tracker home directory. As a +result the user has access to the files and the database +info contained in config.ini. + +Using ``-u user`` sets the actor/user parameter in the +journal. Changes that are made are attributed to that +user. The password is ignored if provided. Any existing +username has full access to the data just like the admin +user. This is an area for further development so that +roundup-admin could be used with sudo to provide secure +command line access to a tracker. + When you initialise a new tracker instance you are prompted for the admin password. If you want to initialise a tracker non-interactively you can put the initialise command and password on the command
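Review bot: The added sentence "The password is ignored if provided" now follows directly after the unchanged context sentence "If either the name or password is not supplied, they are obtained from the command-line", so the section tells the reader that a password will be obtained and then that it has no effect. Consider rewording that context sentence or moving the caveat ahead of it so nobody assumes the password is checked. Because the same paragraph says changes are attributed to the named user in the journal and that any existing username has full access like the admin user, it would also help to say outright that a journal entry made through roundup-admin does not show that the named user authenticated, and to set the two paragraphs off as a note or warning so the caveat is not lost in running text.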
