From 8db4181e31557c3df805d5b46966a85dd1f960ae Mon Sep 17 00:00:00 2001 From: richard Date: Tue, 24 Jun 2003 04:16:35 +0000 Subject: [PATCH] audit some user properties for valid values (roles, address) (sf bugs 742968 and 739653) git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/trunk@1759 57a73879-2fb5-44c3-a270-3262357dd7e2 --- CHANGES.txt | 2 + roundup/cgi/client.py | 15 +- templates/classic/detectors/userauditor.py | 45 ++++ templates/classic/html/issue.search.html | 260 ++++++++++----------- templates/classic/html/page.html | 34 +++ templates/minimal/detectors/userauditor.py | 45 ++++ 6 files changed, 262 insertions(+), 139 deletions(-) create mode 100644 templates/classic/detectors/userauditor.py create mode 100644 templates/minimal/detectors/userauditor.py diff --git a/CHANGES.txt b/CHANGES.txt index 4f501b1..4a2fa65 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -8,6 +8,8 @@ are given with the most recent entry first. - handle New User creation (sf bug 754510) - fix hackish message escaping (sf bug 757128) - fix :required ordering problem (sf bug 740214) +- audit some user properties for valid values (roles, address) (sf bugs + 742968 and 739653) 2003-06-10 0.6.0b3 diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py index 09f866d..3c7e9f0 100644 --- a/roundup/cgi/client.py +++ b/roundup/cgi/client.py @@ -1,4 +1,4 @@ -# $Id: client.py,v 1.122 2003-06-24 03:58:57 richard Exp $ +# $Id: client.py,v 1.123 2003-06-24 04:16:35 richard Exp $ __doc__ = """ WWW request handler (also used in the stand-alone server). @@ -1598,7 +1598,8 @@ You should then receive another email with the new password. # we'll store info about the individual class/item edit in these all_required = {} # required props per class/item - all_props = {} # props present per class/item + all_props = {} # props to set per class/item + got_props = {} # props received per class/item all_propdef = {} # note - only one entry per class all_links = [] # as many as are required 
@@ -1662,6 +1663,8 @@ You should then receive another email with the new password. if not all_props.has_key(this): all_props[this] = {} props = all_props[this] + if not got_props.has_key(this): + got_props[this] = {} # is this a link command? if d['link']: @@ -1866,6 +1869,10 @@ You should then receive another email with the new password. raise ValueError, _('Error with %s property: %s')%( propname, msg) + # register that we got this property + if value: + got_props[this][propname] = 1 + # get the old value if nodeid and not nodeid.startswith('-'): try: @@ -1914,9 +1921,9 @@ You should then receive another email with the new password. s = [] for thing, required in all_required.items(): # register the values we got - got = all_props.get(thing, {}) + got = got_props.get(thing, {}) for entry in required[:]: - if got.get(entry, ''): + if got.has_key(entry): required.remove(entry) # any required values not present? diff --git a/templates/classic/detectors/userauditor.py b/templates/classic/detectors/userauditor.py new file mode 100644 index 0000000..6d40d45 --- /dev/null +++ b/templates/classic/detectors/userauditor.py 
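Review bot: In roundup/cgi/client.py, the hunk at `@@ -1866,6 +1869,10 @@` records a property as received only when `if value:` is true, so a submitted value that parses to something falsy would still be reported as a missing required property by the `got.has_key(entry)` test in the last hunk. The parsing of `value` is outside the hunk, so whether a numeric 0 or a false boolean can reach this line is inferred, not shown. If that is not intended, test for absence explicitly, e.g. `if value is not None and value != '' and value != []:`. The enclosing method starts and ends outside these hunks.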
@@ -0,0 +1,45 @@
+# Copyright (c) 2003 Richard Jones (richard@mechanicalcat.net)
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+#
+#$Id: userauditor.py,v 1.1 2003-06-24 04:16:35 richard Exp $
+
+def audit_user_fields(db, cl, nodeid, newvalues):
+ ''' Make sure user properties are valid.
+
+ - email address has no spaces in it
+ - roles specified exist
+ '''
+ if newvalues.has_key('address') and ' ' in newvalues['address']:
+ raise ValueError, 'Email address must not contain spaces'
+
+ if newvalues.has_key('roles'):
+ roles = [x.lower().strip() for x in newvalues['roles'].split(',')]
+ for rolename in roles:
+ if not db.security.role.has_key(rolename):
+ raise ValueError, 'Role "%s" does not exist'%rolename
+
+
+def init(db):
+ # fire before changes are made
+ db.user.audit('set', audit_user_fields)
+ db.user.audit('create', audit_user_fields)
+
+# vim: set filetype=python ts=4 sw=4 et si
+#SHA: d4aea7465d4b7ca78de71ed9e73e09ce29b1b111
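Review bot: The roles check in `audit_user_fields` rejects an empty roles value, because `''.split(',')` yields `['']` and the loop then raises `Role "" does not exist`; a trailing comma does the same, and a `None` value (if callers can pass one to clear a property, which is not visible here) would escape as AttributeError or TypeError rather than ValueError. Guard both cases with `if newvalues.get('roles'):` and `if rolename and not db.security.role.has_key(rolename):`. The address check looks only for the ASCII space, so tabs, CR and LF still pass; if this value is later placed in mail headers, which is presumed and not shown here, the check should reject any whitespace or control character. The docstring should also say that the auditor only confirms a role name exists and that deciding who may assign roles is enforced elsewhere. The identical file added under templates/minimal/detectors/ needs the same changes.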
diff --git a/templates/classic/html/issue.search.html b/templates/classic/html/issue.search.html index 4f9112d..24563be 100644 --- a/templates/classic/html/issue.search.html +++ b/templates/classic/html/issue.search.html @@ -9,10 +9,15 @@ + cols python:request.columns or 'id activity title status assignedto'.split(); + sort_on python:request.sort[1] or 'activity'; + group_on python:request.group[1] or 'priority'; + + search_input templates/page/macros/search_input; + column_input templates/page/macros/column_input; + sort_input templates/page/macros/sort_input; + group_input templates/page/macros/group_input; + search_select templates/page/macros/search_select;"> @@ -22,159 +27,144 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - + - + - - - - - + tal:attributes="value request/form/:queryname/value | default"> diff --git a/templates/classic/html/page.html b/templates/classic/html/page.html index 64b0116..ee9a503 100644 --- a/templates/classic/html/page.html +++ b/templates/classic/html/page.html @@ -107,3 +107,37 @@ + + + + + + + + + +
 Group on
All text*: -    
Title: 
Topic: - -
ID: 
Creation date:
Creator: - -
Activity: 
Priority: - -
Status: - -
Assigned To: - -
All text*:   
Title: 
Topic:
ID: 
Creation Date:
Creator: + +
Activity: 
Priority: + +
Status: + + + + +
Assigned to: + + + + +
Pagesize:
Start With:
Sort Descending: +
Group Descending: +
Query name**: -
 
  + + + + + + + + + diff --git a/templates/minimal/detectors/userauditor.py b/templates/minimal/detectors/userauditor.py new file mode 100644 index 0000000..6d40d45 --- /dev/null +++ b/templates/minimal/detectors/userauditor.py 
@@ -0,0 +1,45 @@
+# Copyright (c) 2003 Richard Jones (richard@mechanicalcat.net)
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+#
+#$Id: userauditor.py,v 1.1 2003-06-24 04:16:35 richard Exp $
+
+def audit_user_fields(db, cl, nodeid, newvalues):
+ ''' Make sure user properties are valid.
+
+ - email address has no spaces in it
+ - roles specified exist
+ '''
+ if newvalues.has_key('address') and ' ' in newvalues['address']:
+ raise ValueError, 'Email address must not contain spaces'
+
+ if newvalues.has_key('roles'):
+ roles = [x.lower().strip() for x in newvalues['roles'].split(',')]
+ for rolename in roles:
+ if not db.security.role.has_key(rolename):
+ raise ValueError, 'Role "%s" does not exist'%rolename
+
+
+def init(db):
+ # fire before changes are made
+ db.user.audit('set', audit_user_fields)
+ db.user.audit('create', audit_user_fields)
+
+# vim: set filetype=python ts=4 sw=4 et si
+#SHA: d4aea7465d4b7ca78de71ed9e73e09ce29b1b111
-- 2.30.2