changeset 5897:d0aebd4aec72
Provide a method for identifying invalid properties in permissions
issue2551062: roundup-admin security validates all properties in
permissions. It reports invalid properties.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 05 Oct 2019 12:33:23 -0400 |
| parents | a8df94ec8040 |
| children | be8524335bfa |
| files | CHANGES.txt doc/customizing.txt roundup/admin.py |
| diffstat | 3 files changed, 27 insertions(+), 1 deletions(-) |
--- a/CHANGES.txt Wed Oct 02 22:06:02 2019 -0400 +++ b/CHANGES.txt Sat Oct 05 12:33:23 2019 -0400 @@ -97,7 +97,9 @@ - issue2551059: added new values for tx_Source to indicate when /rest or /xmlrpc endpoint is being used rather than the normal web endpoints. (John Rouillard) - +- issue2551062: roundup-admin security now validates all properties in + permissions. It reports invalid properties. (John Rouillard) + Fixed: - issue2550811: work around Unicode encoding issues in jinja2 template
--- a/doc/customizing.txt Wed Oct 02 22:06:02 2019 -0400 +++ b/doc/customizing.txt Sat Oct 05 12:33:23 2019 -0400 @@ -1258,6 +1258,10 @@ # db.security.addPermissionToRole('Anonymous', 'Create', cl) # db.security.addPermissionToRole('Anonymous', 'Edit', cl) +You can use ``roundup-admin security`` to verify the permissions +defined in the schema. It also verifies that properties specified in +permissions are valid for the class. This helps detect typos that can +cause baffling permission issues. Automatic Permission Checks --------------------------- @@ -1344,6 +1348,15 @@ including properties would be used only for determining the access permission for those properties. + ``roundup-admin security`` will report invalid properties for the + class. For example a permission with an invalid summary property is + presented as:: + + Allowed to see content of object regardless of spam status + (View for "file": ('content', 'summary') only) + + **Invalid properties for file: ['summary'] + Setting ``props_only=True`` will make the permission valid only for those properties.
--- a/roundup/admin.py Wed Oct 02 22:06:02 2019 -0400 +++ b/roundup/admin.py Sat Oct 05 12:33:23 2019 -0400 @@ -1446,6 +1446,17 @@ if permission.properties: sys.stdout.write( _(' %(description)s (%(name)s for "%(klass)s"' + ': %(properties)s only)\n')%d ) + # verify that properties exist; report bad props + bad_props=[] + cl = self.db.getclass(permission.klass) + class_props = cl.getprops(protected=True) + for p in permission.properties: + if p in class_props: + continue + else: + bad_props.append(p) + if bad_props: + sys.stdout.write( _('\n **Invalid properties for %(class)s: %(props)s\n\n') % { "class": permission.klass, "props": bad_props }) else: sys.stdout.write( _(' %(description)s (%(name)s for "%(klass)s" ' + 'only)\n')%d )
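Review bot: in the roundup/admin.py hunk, `cl = self.db.getclass(permission.klass)` has no handling for a `permission.klass` that is not a class in the schema, so a typo in the class name of a permission is not reported the way a property typo now is. Consider guarding the lookup and writing an "invalid class" line in the same style as the new message. The report is also only written with `sys.stdout.write`, so a script that runs `roundup-admin security` as a check has to parse the text for `**Invalid properties`; recording whether any bad properties were found and reflecting that in the command's result would make it usable as an automated gate. Smaller points: the loop reads more simply as `if p not in class_props: bad_props.append(p)`, the new message uses the key `%(class)s` where the neighbouring messages use `%(klass)s`, and the file list for this changeset shows no test accompanying the new check.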
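Review bot: in the doc/customizing.txt hunk at -1344, the new paragraph does not say which properties count as valid. The check in admin.py compares against `cl.getprops(protected=True)`, so it is worth stating that protected properties are accepted. It would also help to say that the permission itself is still printed, with the `**Invalid properties for file: ['summary']` line following it, so readers know the entry with the typo remains defined in the schema until they fix it.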
