From 697470498ceb8616fc9d85afde7395d5a5451c17 Mon Sep 17 00:00:00 2001
From: richard
Date: Fri, 12 Mar 2004 05:36:26 +0000
Subject: [PATCH] security fixes and doc updates
git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/trunk@2146 57a73879-2fb5-44c3-a270-3262357dd7e2
---
 doc/customizing.txt | 20 ++++++++-------
 doc/upgrading.txt | 42 ++++++++++++++++++++++++++++++++
 roundup/backends/back_anydbm.py | 8 +++++-
 roundup/backends/back_metakit.py | 9 ++++++-
 roundup/backends/rdbms_common.py | 8 +++++-
 templates/classic/dbinit.py | 11 +++------
 templates/minimal/dbinit.py | 9 +------
 7 files changed, 79 insertions(+), 28 deletions(-)
diff --git a/doc/customizing.txt b/doc/customizing.txt
index 51c83b4..e5170c3 100644
--- a/doc/customizing.txt
+++ b/doc/customizing.txt
@@ -2,7 +2,7 @@ Customising Roundup =================== -:Version: $Revision: 1.118 $ +:Version: $Revision: 1.119 $ .. This document borrows from the ZopeBook section on ZPT. The original is at: http://www.zope.org/Documentation/Books/ZopeBook/current/ZPT.stx
@@ -613,6 +613,9 @@ A set of Permissions is built into the security module by default: - Edit (everything) - View (everything) +Every Class you define in your tracker's schema also gets an Edit and View +Permission of its own. + The default interfaces define: - Web Registration
@@ -643,13 +646,6 @@ settings appear in the ``open()`` function of the tracker ``dbinit.py`` # # SECURITY SETTINGS # - # new permissions for this schema - for cl in ('user', ): - db.security.addPermission(name="Edit", klass=cl, - description="User is allowed to edit "+cl) - db.security.addPermission(name="View", klass=cl, - description="User is allowed to access "+cl) - # and give the regular users access to the web and email interface p = db.security.getPermission('Web Access') db.security.addPermissionToRole('User', p)
@@ -697,7 +693,13 @@ Adding a new Permission When adding a new Permission, you will need to: -1. add it to your tracker's dbinit so it is created +1. add it to your tracker's dbinit so it is created, using + ``security.addPermission``, for example:: + + self.security.addPermission(name="View", klass='frozzle', + description="User is allowed to access frozzles") + + will set up a new "View" permission on the Class "frozzle". 2. enable it for the Roles that should have it (verify with "``roundup-admin security``") 3. add it to the relevant HTML interface templates
diff --git a/doc/upgrading.txt b/doc/upgrading.txt
index 2531ce8..47cd021 100644
--- a/doc/upgrading.txt
+++ b/doc/upgrading.txt
@@ -11,6 +11,47 @@ accordingly. Note that there is information about upgrade procedures in the Migrating from 0.6 to 0.7 ========================= +0.7.0 Permission setup +---------------------- + +0.7 automatically sets up the Edit and View Permissions for all classes, +thus you don't need to do so. Feel free to remove the code:: + + # Add new Permissions for this schema + for cl in 'issue', 'file', 'msg', 'user', 'query', 'keyword': + db.security.addPermission(name="Edit", klass=cl, + description="User is allowed to edit "+cl) + db.security.addPermission(name="View", klass=cl, + description="User is allowed to access "+cl) + +from your ``dbinit.py``. + + +0.7.0 Permission assignments +---------------------------- + +Due to a change in the rendering of web widgets, permissions are now +checked on Classes where they previously weren't (this is a good thing). + +You will need to add some additional Permission assignments for your +regular users, or some displays will break. After the following in your +tracker's ``dbinit.py``:: + + # Assign the access and edit Permissions for issue, file and message + # to regular users now + for cl in 'issue', 'file', 'msg', 'query', 'keyword': + p = db.security.getPermission('View', cl) + db.security.addPermissionToRole('User', p) + p = db.security.getPermission('Edit', cl) + db.security.addPermissionToRole('User', p) + +add:: + + for cl in 'priority', 'status': + p = db.security.getPermission('View', cl) + db.security.addPermissionToRole('User', p) + + 0.7.0 Extending the cgi interface ---------------------------------
@@ -24,6 +65,7 @@ password validation source`__ example. __ customizing.html#defining-new-web-actions __ customizing.html#using-an-external-password-validation-source + 0.7.0 Getting the current user id ---------------------------------
diff --git a/roundup/backends/back_anydbm.py b/roundup/backends/back_anydbm.py
index 6ea53c0..4d3ad98 100644
--- a/roundup/backends/back_anydbm.py
+++ b/roundup/backends/back_anydbm.py
@@ -15,7 +15,7 @@ # BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE, # SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. # -#$Id: back_anydbm.py,v 1.135 2004-02-11 23:55:08 richard Exp $ +#$Id: back_anydbm.py,v 1.136 2004-03-12 05:36:26 richard Exp $ '''This module defines a backend that saves the hyperdatabase in a database chosen by anydbm. It is guaranteed to always be available in python versions >2.1.1 (the dumbdbm fallback in 2.1.1 and earlier has several
@@ -131,6 +131,12 @@ class Database(FileStorage, hyperdb.Database, roundupdb.Database): raise ValueError, cn self.classes[cn] = cl + # add default Edit and View permissions + self.security.addPermission(name="Edit", klass=cn, + description="User is allowed to edit "+cn) + self.security.addPermission(name="View", klass=cn, + description="User is allowed to access "+cn) + def getclasses(self): '''Return a list of the names of all existing classes.''' if __debug__:
diff --git a/roundup/backends/back_metakit.py b/roundup/backends/back_metakit.py
index 92191c0..055782e 100755
--- a/roundup/backends/back_metakit.py
+++ b/roundup/backends/back_metakit.py
@@ -1,4 +1,4 @@ -# $Id: back_metakit.py,v 1.60 2004-02-23 17:19:09 wc2so1 Exp $ +# $Id: back_metakit.py,v 1.61 2004-03-12 05:36:26 richard Exp $ '''Metakit backend for Roundup, originally by Gordon McMillan. Known Current Bugs:
@@ -169,6 +169,13 @@ class _Database(hyperdb.Database, roundupdb.Database): self.classes[cl.classname] = cl if self.tables.find(name=cl.classname) < 0: self.tables.append(name=cl.classname) + + # add default Edit and View permissions + self.security.addPermission(name="Edit", klass=cl.classname, + description="User is allowed to edit "+cl.classname) + self.security.addPermission(name="View", klass=cl.classname, + description="User is allowed to access "+cl.classname) + def addjournal(self, tablenm, nodeid, action, params, creator=None, creation=None): ''' Journal the Action
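Review bot: The same six-line Edit/View registration is pasted into `addclass` of back_anydbm.py (`@@ -131`), back_metakit.py (`@@ -169` on this line) and rdbms_common.py (`@@ -509` below), even though all three class headers show the backend deriving from roundupdb.Database; one helper on that base, say `self._addDefaultClassPermissions(cn)` called from each `addclass`, would keep the three copies from drifting apart as the description strings or permission set change. Whether `security.addPermission` tolerates a second call for the same name/klass pair is not visible here, and the upgrading.txt hunk in this commit only says trackers are free to remove their old per-class loop, so a tracker that keeps it will now register every Permission twice; either confirm that is harmless or word the upgrade note as a requirement. `addclass` begins before each of these hunks, so the early-return and validation paths that precede the registration are not reviewed here.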
diff --git a/roundup/backends/rdbms_common.py b/roundup/backends/rdbms_common.py
index 352220f..40b0d24 100644
--- a/roundup/backends/rdbms_common.py
+++ b/roundup/backends/rdbms_common.py
@@ -1,4 +1,4 @@ -# $Id: rdbms_common.py,v 1.77 2004-03-12 04:08:59 richard Exp $ +# $Id: rdbms_common.py,v 1.78 2004-03-12 05:36:26 richard Exp $ ''' Relational database (SQL) backend common code. Basics:
@@ -509,6 +509,12 @@ class Database(FileStorage, hyperdb.Database, roundupdb.Database): raise ValueError, cn self.classes[cn] = cl + # add default Edit and View permissions + self.security.addPermission(name="Edit", klass=cn, + description="User is allowed to edit "+cn) + self.security.addPermission(name="View", klass=cn, + description="User is allowed to access "+cn) + def getclasses(self): ''' Return a list of the names of all existing classes. '''
diff --git a/templates/classic/dbinit.py b/templates/classic/dbinit.py
index 83e9386..9ed4040 100644
--- a/templates/classic/dbinit.py
+++ b/templates/classic/dbinit.py
@@ -15,7 +15,7 @@ # BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE, # SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. # -# $Id: dbinit.py,v 1.3 2004-01-19 23:57:47 richard Exp $ +# $Id: dbinit.py,v 1.4 2004-03-12 05:36:26 richard Exp $ import os
@@ -98,13 +98,6 @@ def open(name=None): # # See the configuration and customisation document for information # about security setup. - # Add new Permissions for this schema - for cl in 'issue', 'file', 'msg', 'user', 'query', 'keyword': - db.security.addPermission(name="Edit", klass=cl, - description="User is allowed to edit "+cl) - db.security.addPermission(name="View", klass=cl, - description="User is allowed to access "+cl) - # Assign the access and edit Permissions for issue, file and message # to regular users now for cl in 'issue', 'file', 'msg', 'query', 'keyword':
@@ -112,6 +105,8 @@ def open(name=None): db.security.addPermissionToRole('User', p) p = db.security.getPermission('Edit', cl) db.security.addPermissionToRole('User', p) + for cl in 'priority', 'status': + p = db.security.getPermission('View', cl) # and give the regular users access to the web and email interface p = db.security.getPermission('Web Access')
diff --git a/templates/minimal/dbinit.py b/templates/minimal/dbinit.py
index b1fb6a4..2b1a63f 100644
--- a/templates/minimal/dbinit.py
+++ b/templates/minimal/dbinit.py
@@ -15,7 +15,7 @@ # BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE, # SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. # -# $Id: dbinit.py,v 1.1 2003-04-17 03:27:27 richard Exp $ +# $Id: dbinit.py,v 1.2 2004-03-12 05:36:26 richard Exp $ import os
@@ -49,13 +49,6 @@ def open(name=None): # # SECURITY SETTINGS # - # new permissions for this schema - for cl in ('user', ): - db.security.addPermission(name="Edit", klass=cl, - description="User is allowed to edit "+cl) - db.security.addPermission(name="View", klass=cl, - description="User is allowed to access "+cl) - # and give the regular users access to the web and email interface p = db.security.getPermission('Web Access') db.security.addPermissionToRole('User', p)
-- 
2.30.2
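Review bot: The new `for cl in 'priority', 'status':` loop in templates/classic/dbinit.py fetches the View Permission into `p` but never assigns it, so the User role still gets nothing on those two classes and `p` is simply overwritten by the `getPermission('Web Access')` lookup that follows; the diffstat (3 insertions) confirms only the two lines were added. The loop body needs `db.security.addPermissionToRole('User', p)`, which is exactly the line the upgrading.txt hunk in this same commit tells tracker admins to add, and without it the per-Class checks this commit introduces produce the broken displays that note warns about for the shipped classic template. `open()` begins before this hunk, so the earlier role setup is not reviewed here.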