changeset 5113:cf112b90fa8d
issue2550855: added search perms for anonymous to the user class.
This lets the "show unassigned" search work for anonymous.
Patch by Stuart McGraw.
Added warning to upgrading.txt and a comment block before the schema
change in every template tracker except minimal (doesn't have the
search).
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Thu, 30 Jun 2016 21:08:15 -0400 |
| parents | 8901cc4ef0e0 |
| children | f74300d1494e |
| files | CHANGES.txt doc/upgrading.txt share/roundup/templates/classic/schema.py share/roundup/templates/devel/schema.py share/roundup/templates/jinja2/schema.py share/roundup/templates/responsive/schema.py |
| diffstat | 6 files changed, 52 insertions(+), 0 deletions(-) |
--- a/CHANGES.txt Thu Jun 30 20:38:23 2016 -0400 +++ b/CHANGES.txt Thu Jun 30 21:08:15 2016 -0400 @@ -195,6 +195,13 @@ porter stemmer will work. This means capitalization is not preserved. Fix done by David Wolever (wolever). Committed and doc updates John Rouillard. +- issue2550855: "show unassigned" link shows all open issues if not + logged in. This adds permission for the anonymous user to search + the users class. Without this the unassigned search can't see if + there is a user assigned to an issue, so it acts like all open + issues. Patch supplied by Stuart McGraw (smcgraw). For caveats + see ``upgrading.txt`` and the comments in the default templates. + (Docs created and applcation by John Rouillard) 2016-01-11: 1.5.1
--- a/doc/upgrading.txt Thu Jun 30 20:38:23 2016 -0400 +++ b/doc/upgrading.txt Thu Jun 30 21:08:15 2016 -0400 @@ -118,6 +118,19 @@ devel templates and has not changed the html/_generic.404.html file, you can copy in the new file to get this additional functionality. +Schema change to allow "Show Unassigned" issues link to work for Anonymous user +------------------------------------------------------------------------------- + +In this release the anonymous user is allowed to search the user +class. The following was added to the schema for all templates that +provide the search option:: + + p = db.security.addPermission(name='Search', klass='user') + db.security.addPermissionToRole ('Anonymous', p) + +If you are running a tracker that **does not** allow read access for +anonymous, you should remove this entry as it can be used to perform +a username guessing attack against a roundup install. Migrating from 1.5.0 to 1.5.1 =============================
--- a/share/roundup/templates/classic/schema.py Thu Jun 30 20:38:23 2016 -0400 +++ b/share/roundup/templates/classic/schema.py Thu Jun 30 21:08:15 2016 -0400 @@ -170,6 +170,14 @@ for cl in 'issue', 'file', 'msg', 'keyword', 'priority', 'status': db.security.addPermissionToRole('Anonymous', 'View', cl) +# Allow the anonymous user to use the "Show Unassigned" search. +# It acts like "Show Open" if this permission is not available. +# If you are running a tracker that does not allow read access for +# anonymous, you should remove this entry as it can be used to perform +# a username guessing attack against a roundup install. +p = db.security.addPermission(name='Search', klass='user') +db.security.addPermissionToRole ('Anonymous', p) + # [OPTIONAL] # Allow anonymous users access to create or edit "issue" items (and the # related file and message items)
--- a/share/roundup/templates/devel/schema.py Thu Jun 30 20:38:23 2016 -0400 +++ b/share/roundup/templates/devel/schema.py Thu Jun 30 21:08:15 2016 -0400 @@ -377,6 +377,14 @@ for cl in 'bug', 'severity', 'status', 'resolution', 'msg', 'file': db.security.addPermissionToRole('Anonymous', 'View', cl) +# Allow the anonymous user to use the "Show Unassigned" search. +# It acts like "Show Open" if this permission is not available. +# If you are running a tracker that does not allow read access for +# anonymous, you should remove this entry as it can be used to perform +# a username guessing attack against a roundup install. +p = db.security.addPermission(name='Search', klass='user') +db.security.addPermissionToRole ('Anonymous', p) + # [OPTIONAL] # Allow anonymous users access to create or edit "issue" items (and the # related file and message items)
--- a/share/roundup/templates/jinja2/schema.py Thu Jun 30 20:38:23 2016 -0400 +++ b/share/roundup/templates/jinja2/schema.py Thu Jun 30 21:08:15 2016 -0400 @@ -170,6 +170,14 @@ for cl in 'issue', 'file', 'msg', 'keyword', 'priority', 'status': db.security.addPermissionToRole('Anonymous', 'View', cl) +# Allow the anonymous user to use the "Show Unassigned" search. +# It acts like "Show Open" if this permission is not available. +# If you are running a tracker that does not allow read access for +# anonymous, you should remove this entry as it can be used to perform +# a username guessing attack against a roundup install. +p = db.security.addPermission(name='Search', klass='user') +db.security.addPermissionToRole ('Anonymous', p) + # [OPTIONAL] # Allow anonymous users access to create or edit "issue" items (and the # related file and message items)
--- a/share/roundup/templates/responsive/schema.py Thu Jun 30 20:38:23 2016 -0400 +++ b/share/roundup/templates/responsive/schema.py Thu Jun 30 21:08:15 2016 -0400 @@ -376,6 +376,14 @@ for cl in 'bug', 'severity', 'status', 'resolution', 'msg', 'file': db.security.addPermissionToRole('Anonymous', 'View', cl) +# Allow the anonymous user to use the "Show Unassigned" search. +# It acts like "Show Open" if this permission is not available. +# If you are running a tracker that does not allow read access for +# anonymous, you should remove this entry as it can be used to perform +# a username guessing attack against a roundup install. +p = db.security.addPermission(name='Search', klass='user') +db.security.addPermissionToRole ('Anonymous', p) + # [OPTIONAL] # Allow anonymous users access to create or edit "issue" items (and the # related file and message items)
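Review bot: typo in the last added line of the CHANGES.txt hunk: "applcation" should be "application", and "(Docs created and applcation by John Rouillard)" reads awkwardly; "(Docs and patch application by John Rouillard)" says the same thing. The entry otherwise states the caveat clearly and points to upgrading.txt and the template comments, which is the right place for it.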
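Review bot: the caveat paragraph in the doc/upgrading.txt hunk tells administrators to "remove this entry" without saying where the entry lives. The same two lines are added to the classic, devel, jinja2 and responsive schema.py templates (the commit message notes minimal is excluded because it lacks the search), so the paragraph should name schema.py explicitly and say that trackers upgraded from older templates will not have it at all unless they copy it in. The second added code line also carries a stray space in `db.security.addPermissionToRole ('Anonymous', p)`; the surrounding schema code writes `addPermissionToRole('Anonymous', 'View', cl)` with no space, and the documented snippet should match the style readers will paste.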
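Review bot: the new block in the classic/schema.py hunk is inserted in the unconditional part of the Anonymous grants, immediately above the `# [OPTIONAL]` marker, yet its own comment says the grant should be removed on trackers that do not allow anonymous read access because it enables username guessing. A grant the template itself says some deployments must delete is optional in practice; tagging it with the same `# [OPTIONAL]` marker the template already uses for the create/edit block below would let administrators auditing anonymous permissions find it. The call `db.security.addPermissionToRole ('Anonymous', p)` also has a space before the parenthesis that the line above it (`db.security.addPermissionToRole('Anonymous', 'View', cl)`) does not.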
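Review bot: the devel/schema.py, jinja2/schema.py and responsive/schema.py hunks add the identical eight-line block, including the same spacing inconsistency in `db.security.addPermissionToRole ('Anonymous', p)` and the same placement above `# [OPTIONAL]`, so whatever is decided for the classic template (marker, spacing, wording of the username-guessing caveat) needs to be applied to all four copies in the same change; otherwise the templates drift and the upgrading.txt snippet stops matching some of them.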
