changeset 8231:984bc9f94ec6
chore: format schema.pys in templates so ruff is ok.
Also makes comparing them easier.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 21 Dec 2024 15:23:12 -0500 |
| parents | eb45feb1d01e |
| children | d0460348bf9a |
| files | share/roundup/templates/classic/schema.py share/roundup/templates/devel/schema.py share/roundup/templates/jinja2/schema.py share/roundup/templates/minimal/schema.py share/roundup/templates/responsive/schema.py |
| diffstat | 5 files changed, 54 insertions(+), 19 deletions(-) [+] |
--- a/share/roundup/templates/classic/schema.py Thu Dec 19 17:58:10 2024 -0500 +++ b/share/roundup/templates/classic/schema.py Sat Dec 21 15:23:12 2024 -0500 @@ -103,16 +103,19 @@ # May users view other user information? Comment these lines out # if you don't want them to -p = db.security.addPermission(name='View', klass='user', +p = db.security.addPermission(name='View', klass='user', properties=('id', 'organisation', 'phone', 'realname', 'timezone', 'username')) db.security.addPermissionToRole('User', p) + # Users should be able to edit their own details -- this permission is # limited to only the situation where the Viewed or Edited item is their own. def own_record(db, userid, itemid): '''Determine whether the userid matches the item being accessed.''' return userid == itemid + + p = db.security.addPermission(name='View', klass='user', check=own_record, description="User is allowed to view their own user details") db.security.addPermissionToRole('User', p) @@ -122,6 +125,7 @@ description="User is allowed to edit their own user details") db.security.addPermissionToRole('User', p) + # Users should be able to edit and view their own queries. They should also # be able to view any marked as not private. They should not be able to # edit others' queries, even if they're not private @@ -129,8 +133,12 @@ private_for = db.query.get(itemid, 'private_for') if not private_for: return True return userid == private_for + + def edit_query(db, userid, itemid): return userid == db.query.get(itemid, 'creator') + + p = db.security.addPermission(name='View', klass='query', check=view_query, description="User is allowed to view their own and public queries") db.security.addPermissionToRole('User', p) 
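Review bot: In the `@@ -129,8 +133,12 @@` hunk, `view_query` still appears to keep `if not private_for: return True` on one physical line, which E701-style lint checks flag and which tucks the "query is public" branch of an access check into the tail of a line. The one-line layout is inferred from the hunk's line counts, which only add up that way. Since this pass is about formatting, I would split it into `if not private_for:` followed by an indented `return True`, and give `edit_query` a one-line docstring such as `'''Determine whether the userid created the query.'''` to match `own_record`. The same lines recur in the `@@ -129,8 +133,12 @@` hunk of jinja2 and the `@@ -337,8 +341,12 @@` hunks of devel and responsive. `view_query`'s `def` line lies outside the hunk, so whether it already has a docstring cannot be checked from here.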
@@ -181,7 +189,7 @@ # anonymous, you should remove this entry as it can be used to perform # a username guessing attack against a roundup install. p = db.security.addPermission(name='Search', klass='user') -db.security.addPermissionToRole ('Anonymous', p) +db.security.addPermissionToRole('Anonymous', p) # [OPTIONAL] # Allow anonymous users access to create or edit "issue" items (and the
--- a/share/roundup/templates/devel/schema.py Thu Dec 19 17:58:10 2024 -0500 +++ b/share/roundup/templates/devel/schema.py Sat Dec 21 15:23:12 2024 -0500 @@ -27,7 +27,6 @@ revision=String()) - # Component component = Class(db, 'component', name=String(), @@ -76,7 +75,7 @@ name=String(), description=String()) keyword.setkey("name") - + # User-defined saved searches query = Class(db, "query", @@ -209,7 +208,7 @@ db.security.addPermissionToRole(r, 'Email Access') db.security.addPermissionToRole(r, 'Rest Access') db.security.addPermissionToRole(r, 'Xmlrpc Access') - + ########################## # User permissions ########################## @@ -225,11 +224,12 @@ 'version', 'priority', 'status', 'resolution', 'bug_type', 'bug', 'file', 'msg'): db.security.addPermissionToRole('User', 'Create', cl) - + def may_edit_file(db, userid, itemid): return userid == db.file.get(itemid, "creator") + p = db.security.addPermission(name='Edit', klass='file', check=may_edit_file, description="User is allowed to remove their own files") db.security.addPermissionToRole('User', p) @@ -297,7 +297,7 @@ # May users view other user information? Comment these lines out # if you don't want them to -p = db.security.addPermission(name='View', klass='user', +p = db.security.addPermission(name='View', klass='user', properties=('id', 'organisation', 'phone', 'realname', 'timezone', 'vcs_name', 'username')) db.security.addPermissionToRole('User', p) 
@@ -310,11 +310,14 @@ db.security.addPermissionToRole('Coordinator', 'Edit', 'user') db.security.addPermissionToRole('Coordinator', 'Web Roles') + # Users should be able to edit their own details -- this permission is # limited to only the situation where the Viewed or Edited item is their own. def own_record(db, userid, itemid): '''Determine whether the userid matches the item being accessed.''' return userid == itemid + + p = db.security.addPermission(name='View', klass='user', check=own_record, description="User is allowed to view their own user details") for r in 'User', 'Developer', 'Coordinator': @@ -326,10 +329,11 @@ 'phone', 'organisation', 'alternate_addresses', 'queries', - 'timezone')) # Note: 'roles' excluded - users should not be able to edit their own roles. + 'timezone')) # Note: 'roles' excluded - users should not be able to edit their own roles. for r in 'User', 'Developer': db.security.addPermissionToRole(r, p) + # Users should be able to edit and view their own queries. They should also # be able to view any marked as not private. They should not be able to # edit others' queries, even if they're not private @@ -337,8 +341,12 @@ private_for = db.query.get(itemid, 'private_for') if not private_for: return True return userid == private_for + + def edit_query(db, userid, itemid): return userid == db.query.get(itemid, 'creator') + + p = db.security.addPermission(name='View', klass='query', check=view_query, description="User is allowed to view their own and public queries") p = db.security.addPermission(name='Search', klass='query') @@ -387,7 +395,7 @@ # anonymous, you should remove this entry as it can be used to perform # a username guessing attack against a roundup install. p = db.security.addPermission(name='Search', klass='user') -db.security.addPermissionToRole ('Anonymous', p) +db.security.addPermissionToRole('Anonymous', p) # [OPTIONAL] # Allow anonymous users access to create or edit "issue" items (and the
--- a/share/roundup/templates/jinja2/schema.py Thu Dec 19 17:58:10 2024 -0500 +++ b/share/roundup/templates/jinja2/schema.py Sat Dec 21 15:23:12 2024 -0500 @@ -103,16 +103,19 @@ # May users view other user information? Comment these lines out # if you don't want them to -p = db.security.addPermission(name='View', klass='user', +p = db.security.addPermission(name='View', klass='user', properties=('id', 'organisation', 'phone', 'realname', 'timezone', 'username')) db.security.addPermissionToRole('User', p) + # Users should be able to edit their own details -- this permission is # limited to only the situation where the Viewed or Edited item is their own. def own_record(db, userid, itemid): '''Determine whether the userid matches the item being accessed.''' return userid == itemid + + p = db.security.addPermission(name='View', klass='user', check=own_record, description="User is allowed to view their own user details") db.security.addPermissionToRole('User', p) @@ -122,6 +125,7 @@ description="User is allowed to edit their own user details") db.security.addPermissionToRole('User', p) + # Users should be able to edit and view their own queries. They should also # be able to view any marked as not private. They should not be able to # edit others' queries, even if they're not private @@ -129,8 +133,12 @@ private_for = db.query.get(itemid, 'private_for') if not private_for: return True return userid == private_for + + def edit_query(db, userid, itemid): return userid == db.query.get(itemid, 'creator') + + p = db.security.addPermission(name='View', klass='query', check=view_query, description="User is allowed to view their own and public queries") db.security.addPermissionToRole('User', p) 
@@ -181,7 +189,7 @@ # anonymous, you should remove this entry as it can be used to perform # a username guessing attack against a roundup install. p = db.security.addPermission(name='Search', klass='user') -db.security.addPermissionToRole ('Anonymous', p) +db.security.addPermissionToRole('Anonymous', p) # [OPTIONAL] # Allow anonymous users access to create or edit "issue" items (and the
--- a/share/roundup/templates/minimal/schema.py Thu Dec 19 17:58:10 2024 -0500 +++ b/share/roundup/templates/minimal/schema.py Sat Dec 21 15:23:12 2024 -0500 @@ -34,15 +34,18 @@ # May users view other user information? # Comment these lines out if you don't want them to -p = db.security.addPermission(name='View', klass='user', +p = db.security.addPermission(name='View', klass='user', properties=('id', 'username')) db.security.addPermissionToRole('User', p) + # Users should be able to edit their own details -- this permission is # limited to only the situation where the Viewed or Edited item is their own. def own_record(db, userid, itemid): '''Determine whether the userid matches the item being accessed.''' return userid == itemid + + p = db.security.addPermission(name='View', klass='user', check=own_record, description="User is allowed to view their own user details") db.security.addPermissionToRole('User', p)
--- a/share/roundup/templates/responsive/schema.py Thu Dec 19 17:58:10 2024 -0500 +++ b/share/roundup/templates/responsive/schema.py Sat Dec 21 15:23:12 2024 -0500 @@ -27,7 +27,6 @@ revision=String()) - # Component component = Class(db, 'component', name=String(), @@ -76,7 +75,7 @@ name=String(), description=String()) keyword.setkey("name") - + # User-defined saved searches query = Class(db, "query", @@ -209,7 +208,7 @@ db.security.addPermissionToRole(r, 'Rest Access') db.security.addPermissionToRole(r, 'Xmlrpc Access') - + ########################## # User permissions ########################## @@ -225,11 +224,12 @@ 'version', 'priority', 'status', 'resolution', 'bug_type', 'bug', 'file', 'msg'): db.security.addPermissionToRole('User', 'Create', cl) - + def may_edit_file(db, userid, itemid): return userid == db.file.get(itemid, "creator") + p = db.security.addPermission(name='Edit', klass='file', check=may_edit_file, description="User is allowed to remove their own files") db.security.addPermissionToRole('User', p) @@ -297,7 +297,7 @@ # May users view other user information? Comment these lines out # if you don't want them to -p = db.security.addPermission(name='View', klass='user', +p = db.security.addPermission(name='View', klass='user', properties=('id', 'organisation', 'phone', 'realname', 'timezone', 'username', 'vcs_name')) db.security.addPermissionToRole('User', p) 
@@ -310,11 +310,14 @@ db.security.addPermissionToRole('Coordinator', 'Edit', 'user') db.security.addPermissionToRole('Coordinator', 'Web Roles') + # Users should be able to edit their own details -- this permission is # limited to only the situation where the Viewed or Edited item is their own. def own_record(db, userid, itemid): '''Determine whether the userid matches the item being accessed.''' return userid == itemid + + p = db.security.addPermission(name='View', klass='user', check=own_record, description="User is allowed to view their own user details") for r in 'User', 'Developer', 'Coordinator': @@ -326,10 +329,11 @@ 'phone', 'organisation', 'alternate_addresses', 'queries', - 'timezone')) # Note: 'roles' excluded - users should not be able to edit their own roles. + 'timezone')) # Note: 'roles' excluded - users should not be able to edit their own roles. for r in 'User', 'Developer': db.security.addPermissionToRole(r, p) + # Users should be able to edit and view their own queries. They should also # be able to view any marked as not private. They should not be able to # edit others' queries, even if they're not private @@ -337,8 +341,12 @@ private_for = db.query.get(itemid, 'private_for') if not private_for: return True return userid == private_for + + def edit_query(db, userid, itemid): return userid == db.query.get(itemid, 'creator') + + p = db.security.addPermission(name='View', klass='query', check=view_query, description="User is allowed to view their own and public queries") p = db.security.addPermission(name='Search', klass='query') @@ -387,7 +395,7 @@ # anonymous, you should remove this entry as it can be used to perform # a username guessing attack against a roundup install. p = db.security.addPermission(name='Search', klass='user') -db.security.addPermissionToRole ('Anonymous', p) +db.security.addPermissionToRole('Anonymous', p) # [OPTIONAL] # Allow anonymous users access to create or edit "issue" items (and the
