security fixes and doc updates

Richard Jones · Richard Jones · commit 09c9a42c8e68 · 2004-03-12T05:36:26.000Z
diff --git a/doc/customizing.txt b/doc/customizing.txt
@@ -2,7 +2,7 @@
 Customising Roundup
 ===================
 
-:Version: $Revision: 1.118 $
+:Version: $Revision: 1.119 $
 
 .. This document borrows from the ZopeBook section on ZPT. The original is at:
    http://www.zope.org/Documentation/Books/ZopeBook/current/ZPT.stx
@@ -613,6 +613,9 @@ A set of Permissions is built into the security module by default:
 - Edit (everything)
 - View (everything)
 
+Every Class you define in your tracker's schema also gets an Edit and View
+Permission of its own.
+
 The default interfaces define:
 
 - Web Registration
@@ -643,13 +646,6 @@ settings appear in the ``open()`` function of the tracker ``dbinit.py``
     #
     # SECURITY SETTINGS
     #
-    # new permissions for this schema
-    for cl in ('user', ):
-        db.security.addPermission(name="Edit", klass=cl,
-            description="User is allowed to edit "+cl)
-        db.security.addPermission(name="View", klass=cl,
-            description="User is allowed to access "+cl)
-
     # and give the regular users access to the web and email interface
     p = db.security.getPermission('Web Access')
     db.security.addPermissionToRole('User', p)
@@ -697,7 +693,13 @@ Adding a new Permission
 
 When adding a new Permission, you will need to:
 
-1. add it to your tracker's dbinit so it is created
+1. add it to your tracker's dbinit so it is created, using
+   ``security.addPermission``, for example::
+
+    self.security.addPermission(name="View", klass='frozzle',
+        description="User is allowed to access frozzles")
+
+   will set up a new "View" permission on the Class "frozzle".
 2. enable it for the Roles that should have it (verify with
    "``roundup-admin security``")
 3. add it to the relevant HTML interface templates
diff --git a/doc/upgrading.txt b/doc/upgrading.txt
@@ -11,6 +11,47 @@ accordingly. Note that there is information about upgrade procedures in the
 Migrating from 0.6 to 0.7
 =========================
 
+0.7.0 Permission setup
+----------------------
+
+0.7 automatically sets up the Edit and View Permissions for all classes,
+thus you don't need to do so. Feel free to remove the code::
+
+    # Add new Permissions for this schema
+    for cl in 'issue', 'file', 'msg', 'user', 'query', 'keyword':
+        db.security.addPermission(name="Edit", klass=cl,
+            description="User is allowed to edit "+cl)
+        db.security.addPermission(name="View", klass=cl,
+            description="User is allowed to access "+cl)
+
+from your ``dbinit.py``.
+
+
+0.7.0 Permission assignments
+----------------------------
+
+Due to a change in the rendering of web widgets, permissions are now
+checked on Classes where they previously weren't (this is a good thing).
+
+You will need to add some additional Permission assignments for your
+regular users, or some displays will break. After the following in your 
+tracker's ``dbinit.py``::
+
+    # Assign the access and edit Permissions for issue, file and message
+    # to regular users now
+    for cl in 'issue', 'file', 'msg', 'query', 'keyword':
+        p = db.security.getPermission('View', cl)
+        db.security.addPermissionToRole('User', p)
+        p = db.security.getPermission('Edit', cl)
+        db.security.addPermissionToRole('User', p)
+
+add::
+
+    for cl in 'priority', 'status':
+        p = db.security.getPermission('View', cl)
+        db.security.addPermissionToRole('User', p)
+
+
 0.7.0 Extending the cgi interface
 ---------------------------------
 
@@ -24,6 +65,7 @@ password validation source`__ example.
 __ customizing.html#defining-new-web-actions
 __ customizing.html#using-an-external-password-validation-source
 
+
 0.7.0 Getting the current user id
 ---------------------------------
 
diff --git a/roundup/backends/back_anydbm.py b/roundup/backends/back_anydbm.py
@@ -15,7 +15,7 @@
 # BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE,
 # SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
 # 
-#$Id: back_anydbm.py,v 1.135 2004-02-11 23:55:08 richard Exp $
+#$Id: back_anydbm.py,v 1.136 2004-03-12 05:36:26 richard Exp $
 '''This module defines a backend that saves the hyperdatabase in a
 database chosen by anydbm. It is guaranteed to always be available in python
 versions >2.1.1 (the dumbdbm fallback in 2.1.1 and earlier has several
@@ -131,6 +131,12 @@ def addclass(self, cl):
             raise ValueError, cn
         self.classes[cn] = cl
 
+        # add default Edit and View permissions
+        self.security.addPermission(name="Edit", klass=cn,
+            description="User is allowed to edit "+cn)
+        self.security.addPermission(name="View", klass=cn,
+            description="User is allowed to access "+cn)
+
     def getclasses(self):
         '''Return a list of the names of all existing classes.'''
         if __debug__:
diff --git a/roundup/backends/back_metakit.py b/roundup/backends/back_metakit.py
@@ -1,4 +1,4 @@
-# $Id: back_metakit.py,v 1.60 2004-02-23 17:19:09 wc2so1 Exp $
+# $Id: back_metakit.py,v 1.61 2004-03-12 05:36:26 richard Exp $
 '''Metakit backend for Roundup, originally by Gordon McMillan.
 
 Known Current Bugs:
@@ -169,6 +169,13 @@ def addclass(self, cl):
         self.classes[cl.classname] = cl
         if self.tables.find(name=cl.classname) < 0:
             self.tables.append(name=cl.classname)
+
+        # add default Edit and View permissions
+        self.security.addPermission(name="Edit", klass=cl.classname,
+            description="User is allowed to edit "+cl.classname)
+        self.security.addPermission(name="View", klass=cl.classname,
+            description="User is allowed to access "+cl.classname)
+
     def addjournal(self, tablenm, nodeid, action, params, creator=None,
                    creation=None):
         ''' Journal the Action
diff --git a/roundup/backends/rdbms_common.py b/roundup/backends/rdbms_common.py
@@ -1,4 +1,4 @@
-# $Id: rdbms_common.py,v 1.77 2004-03-12 04:08:59 richard Exp $
+# $Id: rdbms_common.py,v 1.78 2004-03-12 05:36:26 richard Exp $
 ''' Relational database (SQL) backend common code.
 
 Basics:
@@ -509,6 +509,12 @@ def addclass(self, cl):
             raise ValueError, cn
         self.classes[cn] = cl
 
+        # add default Edit and View permissions
+        self.security.addPermission(name="Edit", klass=cn,
+            description="User is allowed to edit "+cn)
+        self.security.addPermission(name="View", klass=cn,
+            description="User is allowed to access "+cn)
+
     def getclasses(self):
         ''' Return a list of the names of all existing classes.
         '''
diff --git a/templates/classic/dbinit.py b/templates/classic/dbinit.py
@@ -15,7 +15,7 @@
 # BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE,
 # SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
 # 
-# $Id: dbinit.py,v 1.3 2004-01-19 23:57:47 richard Exp $
+# $Id: dbinit.py,v 1.4 2004-03-12 05:36:26 richard Exp $
 
 import os
 
@@ -98,20 +98,15 @@ def open(name=None):
     #
     # See the configuration and customisation document for information
     # about security setup.
-    # Add new Permissions for this schema
-    for cl in 'issue', 'file', 'msg', 'user', 'query', 'keyword':
-        db.security.addPermission(name="Edit", klass=cl,
-            description="User is allowed to edit "+cl)
-        db.security.addPermission(name="View", klass=cl,
-            description="User is allowed to access "+cl)
-
     # Assign the access and edit Permissions for issue, file and message
     # to regular users now
     for cl in 'issue', 'file', 'msg', 'query', 'keyword':
         p = db.security.getPermission('View', cl)
         db.security.addPermissionToRole('User', p)
         p = db.security.getPermission('Edit', cl)
         db.security.addPermissionToRole('User', p)
+    for cl in 'priority', 'status':
+        p = db.security.getPermission('View', cl)
 
     # and give the regular users access to the web and email interface
     p = db.security.getPermission('Web Access')
diff --git a/templates/minimal/dbinit.py b/templates/minimal/dbinit.py
@@ -15,7 +15,7 @@
 # BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE,
 # SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
 # 
-# $Id: dbinit.py,v 1.1 2003-04-17 03:27:27 richard Exp $
+# $Id: dbinit.py,v 1.2 2004-03-12 05:36:26 richard Exp $
 
 import os
 
@@ -49,13 +49,6 @@ def open(name=None):
     #
     # SECURITY SETTINGS
     #
-    # new permissions for this schema
-    for cl in ('user', ):
-        db.security.addPermission(name="Edit", klass=cl,
-            description="User is allowed to edit "+cl)
-        db.security.addPermission(name="View", klass=cl,
-            description="User is allowed to access "+cl)
-
     # and give the regular users access to the web and email interface
     p = db.security.getPermission('Web Access')
     db.security.addPermissionToRole('User', p)
