Mercurial > p > roundup > code
changeset 6466:258385cad27e
Add search perm and update default perms
Search permission was not documented. Add that.
Doc of schema permissions had diverged from classic
template. Update from current classic template.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Wed, 11 Aug 2021 12:45:04 -0400 |
| parents | bed1313898d4 |
| children | 679ec82798e9 |
| files | doc/customizing.txt |
| diffstat | 1 files changed, 48 insertions(+), 8 deletions(-) [+] |
line wrap: on
line diff
--- a/doc/customizing.txt Fri Aug 06 01:20:45 2021 -0400 +++ b/doc/customizing.txt Wed Aug 11 12:45:04 2021 -0400 @@ -1694,6 +1694,7 @@ - Create (everything) - Edit (everything) +- Search (everything) (used if View does not permit access) - View (everything) - Register (User class only) @@ -1721,7 +1722,7 @@ These are hooked into the default Roles: -- Admin (Create, Edit, View and everything; Web Roles) +- Admin (Create, Edit, Search, View and everything; Web Roles) - User (Web Access; Email Access) - Anonymous (Web Access) @@ -1760,7 +1761,7 @@ # Assign the access and edit Permissions for issue, file and message # to regular users now - for cl in 'issue', 'file', 'msg', 'query', 'keyword': + for cl in 'issue', 'file', 'msg', 'keyword': db.security.addPermissionToRole('User', 'View', cl) db.security.addPermissionToRole('User', 'Edit', cl) db.security.addPermissionToRole('User', 'Create', cl) @@ -1769,11 +1770,13 @@ # May users view other user information? Comment these lines out # if you don't want them to - db.security.addPermissionToRole('User', 'View', 'user') - - # Users should be able to edit their own details -- this permission - # is limited to only the situation where the Viewed or Edited item - # is their own. + p = db.security.addPermission(name='View', klass='user', + properties=('id', 'organisation', 'phone', 'realname', 'timezone', + 'username')) + db.security.addPermissionToRole('User', p) + + # Users should be able to edit their own details -- this permission is + # limited to only the situation where the Viewed or Edited item is their own. def own_record(db, userid, itemid, **ctx): '''Determine whether the userid matches the item being accessed.''' return userid == itemid @@ -1781,9 +1784,38 @@ description="User is allowed to view their own user details") db.security.addPermissionToRole('User', p) p = db.security.addPermission(name='Edit', klass='user', check=own_record, + properties=('username', 'password', 'address', 'realname', 'phone', + 'organisation', 'alternate_addresses', 'queries', 'timezone'), description="User is allowed to edit their own user details") db.security.addPermissionToRole('User', p) + # Users should be able to edit and view their own queries. They should also + # be able to view any marked as not private. They should not be able to + # edit others' queries, even if they're not private + def view_query(db, userid, itemid): + private_for = db.query.get(itemid, 'private_for') + if not private_for: return True + return userid == private_for + def edit_query(db, userid, itemid): + return userid == db.query.get(itemid, 'creator') + p = db.security.addPermission(name='View', klass='query', check=view_query, + description="User is allowed to view their own and public queries") + db.security.addPermissionToRole('User', p) + p = db.security.addPermission(name='Search', klass='query') + db.security.addPermissionToRole('User', p) + p = db.security.addPermission(name='Edit', klass='query', check=edit_query, + description="User is allowed to edit their queries") + db.security.addPermissionToRole('User', p) + p = db.security.addPermission(name='Retire', klass='query', check=edit_query, + description="User is allowed to retire their queries") + db.security.addPermissionToRole('User', p) + p = db.security.addPermission(name='Restore', klass='query', check=edit_query, + description="User is allowed to restore their queries") + db.security.addPermissionToRole('User', p) + p = db.security.addPermission(name='Create', klass='query', + description="User is allowed to create queries") + db.security.addPermissionToRole('User', p) + # # ANONYMOUS USER PERMISSIONS # @@ -1802,13 +1834,21 @@ # Assign the appropriate permissions to the anonymous user's Anonymous # Role. Choices here are: # - Allow anonymous users to register - db.security.addPermissionToRole('Anonymous', 'Create', 'user') + db.security.addPermissionToRole('Anonymous', 'Register', 'user') # Allow anonymous users access to view issues (and the related, linked # information) for cl in 'issue', 'file', 'msg', 'keyword', 'priority', 'status': db.security.addPermissionToRole('Anonymous', 'View', cl) + # Allow the anonymous user to use the "Show Unassigned" search. + # It acts like "Show Open" if this permission is not available. + # If you are running a tracker that does not allow read access for + # anonymous, you should remove this entry as it can be used to perform + # a username guessing attack against a roundup install. + p = db.security.addPermission(name='Search', klass='user') + db.security.addPermissionToRole ('Anonymous', p) + # [OPTIONAL] # Allow anonymous users access to create or edit "issue" items (and the # related file and message items)