Mercurial > p > roundup > code
view doc/features.txt @ 8411:ef1ea918b07a reauth-confirm_id
feat(security): Add user confirmation/reauth for sensitive changes
Auditors can raise Reauth(reason) exception to require the user to
enter a token (e.g. account password) to verify the user is performing
the change.
Naming is subject to change.
actions.py: New ReauthAction class handler and verifyPassword() method
for overriding if needed.
client.py: Handle Reauth exception by calling Client:reauth() method.
Default client:reauth method. Add 'reauth' action declaration.
exceptions.py: Define and document Reauth exception as a subclass of
RoundupCGIException.
templating.py: Define method utils.embed_form_fields().
The original form making a change to the database has a lot of form
fields. These need to be resubmitted to Roundup as part of the form
submission that verifies the user's password.
This method turns all non file form fields into type=hidden inputs.
It escapes the names and values to prevent XSS.
For file form fields, it base64 encodes the contents and puts them
in hidden pre blocks. The pre blocks have data attributes for the
filename, filetype and the original field name. (Note the original
field name is not used.)
This stops the file content data (maybe binary e.g. jpegs) from
breaking the html page. The reauth template runs JavaScript that
turns the encoded data inside the pre tags back into a file. Then
it adds a multiple file input control to the page and attaches all
the files to it. This file input is submitted with the rest of the
fields.
_generic.reauth.html (multiple tracker templates): Generates a form
with id=reauth_form to:
display any message from the Reauth exception to the user (e.g. why
user is asked to auth).
get the user's password
submit the form
embed all the form data that triggered the reauth
recreate any file data that was submitted as part of the form and
generate a new file input to push the data to the back end
It has the JavaScript routine (as an IIFE) that regenerates a file
input without user intervention.
All the TAL based tracker templates use the same form. There is also
one for the jinja2 template. The JavaScript for both is the same.
reference.txt: document embed_form_fields utility method.
upgrading.txt: initial upgrading docs.
TODO:
Finalize naming. I am leaning toward ConfirmID rather than Reauth.
Still looking for a standard name for this workflow.
Externalize the javascript in _generic.reauth.html to a seperate file
and use utils.readfile() to embed it or change the script to load it
from a @@file url.
Clean up upgrading.txt with just steps to implement and less feature
detail/internals.
Document internals/troubleshooting in reference.txt.
Add tests using live server.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Mon, 11 Aug 2025 14:01:12 -0400 |
| parents | a0f9ef08c36c |
| children | 695399dea532 |
line wrap: on
line source
.. meta:: :description: Features of using the Roundup Issue Tracker. Describes all access methods, configuration and workflow capabilities. Links to detailed documentation. ================ Roundup Features ================ Roundup is an easy-to-use and -install issue-tracking system with web, e-mail and command-line interfaces. Based on the winning design from Ka-Ping Yee in the :index:`Software Carpentry` "Track" design competition. **Installation and Setup** - Start using the software in `instant-gratification (demo) mode`_ with ``python demo.py`` or `a Docker container`_ in under 5 minutes. - Choose from `five included templates`_ for your tracker. - `Customize`_ and use the demo as a template for your production tracker. - No need for additional support software, just Python (3.7+) to get started. - Basic installation (including a web interface) takes about 30 minutes. - Supports embedded databases like `SQLite`_ and dbm. Upgradable to databases like `MySQL`_ or `PostgreSQL`_ if needed. - Can be run in a container like Docker or kubernetes. - Deploy in your network as a standalone web server or `through various methods`_ like WSGI, FastCGI, plain CGI, etc. - Essential tracking features depend on the Python standard library. Supplementary packages from PyPI are optional and can be tailored to fit your unique threat model and security needs. **Issue Tracking and Management** - Manage your issues your way. Handle bugs, features, milestones, user feedback, fleet maintenance, office issues etc. - Issues become a mini mailing list to keep everyone informed. - Searches on specific properties (e.g. open issues with a high priority) can be saved and reused or shared with other users. - Full Text Search for quick searches across messages. - Keeps a detailed history of issue changes. - Email is a first class method for interacting with issues. **Scalability and Performance** - Default trackers use simple HTML with low resource requirements. - Fast and scalable with sqlite, mysql, and postgresql backends. - Indexes are automatically configured. - Supports full-text indexing engines (xapian, whoosh, SQLite, PostgreSQL) for large trackers. **Customization** - The database schema can be updated to `track additional data`_. - The web interface can be redesigned to fit your workflow. - Extensible web interface with various features like `wizards`_, bug displays, etc. - Add business rules using `auditors and reactors`_ for actions before and after database changes. - Comprehensive documentation for customization, installation, maintenance, and user guidance. **Data Security, Privacy and Authorization** - Your data remains on your servers. - You can choose if AI can access the data. - Can use HTTPS for security over the web. - Fine-grained authorization (`ABAC`_, `ReBAC`_, `RBAC`_) based on user, resource, and external properties. .. _`ABAC`: https://en.wikipedia.org/wiki/Attribute-based_access_control .. _`ReBAC`: https://en.wikipedia.org/wiki/Relationship-based_access_control .. _`RBAC`: https://en.wikipedia.org/wiki/Role-based_access_control **Documentation and User Management** - Users can sign up through the web interface or new user creation can be limited to admin users. - Can use an `external user database`_ (LDAP, password file) - Self-serve password reset for users via email. **Email Integration and Automation** - Update issues via email with new messages and the ability to change properties of issues (e.g. close an issue). - Secure email handling with features like TLS, APOP, IMAPS/OAUTH. - Optional auto-registration for email users. - Configurable nosy list for each issue controls email notifications. - Proper handling of email attachments and content types. **Command-Line and API Access** - Manage database interactively from the command line. - Automate modifications using standard shell scripting. - Python programs can use the Roundup Python API to manage/automate issues. - Sample scripts provided for various tasks. **Remote Access Interfaces** - `RESTful API`_ accessible with basic HTTP authentication or optional JWT. - `XMLRPC interface`_ for remote tracker access with basic HTTP authentication. - Configurable CORS support for third-party web pages. - Ability to `generate and authenticate JSON Web Tokens (JWT) <rest.html#changing-access-roles-with-json-web-tokens>`_. .. _`auditors and reactors`: reference.html#auditor-or-reactor .. _`customize`: customizing.html .. _`external user database`: customizing.html#using-external-user-databases .. _`five included templates`: installation.html#choosing-your-template .. _`instant-gratification (demo) mode`: installation.html#for-the-really-impatient .. _`a Docker container`: installation.html#running-in-demo-mode-with-docker .. _mysql: https://pypi.org/project/MySQL-python/ .. _postgresql: https://www.psycopg.org/ .. _`restful api`: rest.html .. _`run in a container`: installation.html#docker-support .. _sqlite: https://www.sqlite.org/index.html .. _`track additional data`: customizing.html#adding-a-new-field-to-the-classic-schema .. _`through various methods`: installation.html#configure-a-web-interface .. _wizards: customizing.html#setting-up-a-wizard-or-druid-for-controlled-adding-of-issues .. _`xmlrpc interface`: xmlrpc.html