Add search perm and update default perms

rouilj · rouilj · commit 378e8ad5e74c · 2021-08-11T12:45:04.000-04:00
Search permission was not documented. Add that.

Doc of schema permissions had diverged from classic
template. Update from current classic template.
diff --git a/doc/customizing.txt b/doc/customizing.txt
@@ -1694,6 +1694,7 @@ A set of Permissions is built into the security module by default:
 
 - Create (everything)
 - Edit (everything)
+- Search (everything) (used if View does not permit access)
 - View (everything)
 - Register (User class only)
 
@@ -1721,7 +1722,7 @@ also define:
 
 These are hooked into the default Roles:
 
-- Admin (Create, Edit, View and everything; Web Roles)
+- Admin (Create, Edit, Search, View and everything; Web Roles)
 - User (Web Access; Email Access)
 - Anonymous (Web Access)
 
@@ -1760,7 +1761,7 @@ Put together, these settings appear in the tracker's ``schema.py`` file::
 
     # Assign the access and edit Permissions for issue, file and message
     # to regular users now
-    for cl in 'issue', 'file', 'msg', 'query', 'keyword':
+    for cl in 'issue', 'file', 'msg', 'keyword':
         db.security.addPermissionToRole('User', 'View', cl)
         db.security.addPermissionToRole('User', 'Edit', cl)
         db.security.addPermissionToRole('User', 'Create', cl)
@@ -1769,21 +1770,52 @@ Put together, these settings appear in the tracker's ``schema.py`` file::
 
     # May users view other user information? Comment these lines out
     # if you don't want them to
-    db.security.addPermissionToRole('User', 'View', 'user')
+    p = db.security.addPermission(name='View', klass='user', 
+	properties=('id', 'organisation', 'phone', 'realname', 'timezone',
+	'username'))
+    db.security.addPermissionToRole('User', p)
 
-    # Users should be able to edit their own details -- this permission
-    # is limited to only the situation where the Viewed or Edited item
-    # is their own.
+    # Users should be able to edit their own details -- this permission is
+    # limited to only the situation where the Viewed or Edited item is their own.
     def own_record(db, userid, itemid, **ctx):
         '''Determine whether the userid matches the item being accessed.'''
         return userid == itemid
     p = db.security.addPermission(name='View', klass='user', check=own_record,
         description="User is allowed to view their own user details")
     db.security.addPermissionToRole('User', p)
     p = db.security.addPermission(name='Edit', klass='user', check=own_record,
+        properties=('username', 'password', 'address', 'realname', 'phone',
+            'organisation', 'alternate_addresses', 'queries', 'timezone'),
         description="User is allowed to edit their own user details")
     db.security.addPermissionToRole('User', p)
 
+    # Users should be able to edit and view their own queries. They should also
+    # be able to view any marked as not private. They should not be able to
+    # edit others' queries, even if they're not private
+    def view_query(db, userid, itemid):
+	private_for = db.query.get(itemid, 'private_for')
+	if not private_for: return True
+	return userid == private_for
+    def edit_query(db, userid, itemid):
+	return userid == db.query.get(itemid, 'creator')
+    p = db.security.addPermission(name='View', klass='query', check=view_query,
+	description="User is allowed to view their own and public queries")
+    db.security.addPermissionToRole('User', p)
+    p = db.security.addPermission(name='Search', klass='query')
+    db.security.addPermissionToRole('User', p)
+    p = db.security.addPermission(name='Edit', klass='query', check=edit_query,
+	description="User is allowed to edit their queries")
+    db.security.addPermissionToRole('User', p)
+    p = db.security.addPermission(name='Retire', klass='query', check=edit_query,
+	description="User is allowed to retire their queries")
+    db.security.addPermissionToRole('User', p)
+    p = db.security.addPermission(name='Restore', klass='query', check=edit_query,
+	description="User is allowed to restore their queries")
+    db.security.addPermissionToRole('User', p)
+    p = db.security.addPermission(name='Create', klass='query',
+	description="User is allowed to create queries")
+    db.security.addPermissionToRole('User', p)
+
     #
     # ANONYMOUS USER PERMISSIONS
     #
@@ -1802,13 +1834,21 @@ Put together, these settings appear in the tracker's ``schema.py`` file::
     # Assign the appropriate permissions to the anonymous user's Anonymous
     # Role. Choices here are:
     # - Allow anonymous users to register
-    db.security.addPermissionToRole('Anonymous', 'Create', 'user')
+    db.security.addPermissionToRole('Anonymous', 'Register', 'user')
 
     # Allow anonymous users access to view issues (and the related, linked
     # information)
     for cl in 'issue', 'file', 'msg', 'keyword', 'priority', 'status':
         db.security.addPermissionToRole('Anonymous', 'View', cl)
 
+    # Allow the anonymous user to use the "Show Unassigned" search.
+    # It acts like "Show Open" if this permission is not available.
+    # If you are running a tracker that does not allow read access for
+    # anonymous, you should remove this entry as it can be used to perform
+    # a username guessing attack against a roundup install.
+    p = db.security.addPermission(name='Search', klass='user')
+    db.security.addPermissionToRole ('Anonymous', p)
+
     # [OPTIONAL]
     # Allow anonymous users access to create or edit "issue" items (and the
     # related file and message items)
