Buncha stuff (sorry about the large checkin):

- Permissions may now be defined on a per-property basis
- added "Create" Permission. Replaces the "Web"- and "Email Registration"
  Permissions.
- added option to turn off registration confirmation via email
  ("instant_registration" in config)

Migrated the user edit/view permission to use check code.

Fixed a buncha stuff in the default templates. Needs a thorough review
though.

Author: Richard Jones

CHANGES.txt

@@ -17,6 +17,13 @@ Feature:
 - roundup-server options -g and -u accept both ids and names (sf bug 983769)
 - roundup-server now has a configuration file (-C option)
 - added mod_python interface (see installation.txt)
+- reorganised tracker configuration, using ConfigParser config, cleaned-up
+  schema definition and implementing easier extension writing (sf rfe 661301)
+- Permissions may now be defined on a per-property basis
+- added "Create" Permission. Replaces the "Web"- and "Email Registration"
+  Permissions.
+- added option to turn off registration confirmation via email
+  ("instant_registration" in config) (sf rfe 922209)
 
 
 2004-??-?? 0.7.7

demo.py

@@ -2,7 +2,7 @@
 #
 # Copyright (c) 2003 Richard Jones ([email protected])
 #
-# $Id: demo.py,v 1.15 2004-07-27 11:36:01 a1s Exp $
+# $Id: demo.py,v 1.16 2004-07-28 02:29:45 richard Exp $
 
 import sys, os, string, re, urlparse, ConfigParser
 import shutil, socket, errno, BaseHTTPServer
@@ -59,6 +59,7 @@ def install_demo(home, backend):
     config['TRACKER_WEB'] = 'http://%s:%s/demo/'%(hostname, port)
 
     # write the config
+    config['INSTANT_REGISTRATION'] = 1
     config.save()
 
     # open the tracker and initialise

roundup/backends/back_anydbm.py

@@ -15,7 +15,7 @@
 # BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE,
 # SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
 # 
-#$Id: back_anydbm.py,v 1.169 2004-07-27 04:28:39 richard Exp $
+#$Id: back_anydbm.py,v 1.170 2004-07-28 02:29:45 richard Exp $
 '''This module defines a backend that saves the hyperdatabase in a
 database chosen by anydbm. It is guaranteed to always be available in python
 versions >2.1.1 (the dumbdbm fallback in 2.1.1 and earlier has several
@@ -144,6 +144,8 @@ def addclass(self, cl):
         self.classes[cn] = cl
 
         # add default Edit and View permissions
+        self.security.addPermission(name="Create", klass=cn,
+            description="User is allowed to create "+cn)
         self.security.addPermission(name="Edit", klass=cn,
             description="User is allowed to edit "+cn)
         self.security.addPermission(name="View", klass=cn,

roundup/backends/back_metakit.py

@@ -1,4 +1,4 @@
-# $Id: back_metakit.py,v 1.82 2004-07-27 00:57:18 richard Exp $
+# $Id: back_metakit.py,v 1.83 2004-07-28 02:29:45 richard Exp $
 '''Metakit backend for Roundup, originally by Gordon McMillan.
 
 Known Current Bugs:
@@ -186,6 +186,8 @@ def addclass(self, cl):
             self.tables.append(name=cl.classname)
 
         # add default Edit and View permissions
+        self.security.addPermission(name="Create", klass=cn,
+            description="User is allowed to create "+cn)
         self.security.addPermission(name="Edit", klass=cl.classname,
             description="User is allowed to edit "+cl.classname)
         self.security.addPermission(name="View", klass=cl.classname,

roundup/backends/rdbms_common.py

@@ -1,4 +1,4 @@
-# $Id: rdbms_common.py,v 1.126 2004-07-27 04:28:39 richard Exp $
+# $Id: rdbms_common.py,v 1.127 2004-07-28 02:29:45 richard Exp $
 ''' Relational database (SQL) backend common code.
 
 Basics:
@@ -607,6 +607,8 @@ def addclass(self, cl):
         self.classes[cn] = cl
 
         # add default Edit and View permissions
+        self.security.addPermission(name="Create", klass=cn,
+            description="User is allowed to create "+cn)
         self.security.addPermission(name="Edit", klass=cn,
             description="User is allowed to edit "+cn)
         self.security.addPermission(name="View", klass=cn,

roundup/cgi/actions.py

@@ -1,4 +1,4 @@
-#$Id: actions.py,v 1.35 2004-07-20 02:07:58 richard Exp $
+#$Id: actions.py,v 1.36 2004-07-28 02:29:45 richard Exp $
 
 import re, cgi, StringIO, urllib, Cookie, time, random
 
@@ -53,10 +53,13 @@ def permission(self):
             raise Unauthorised, self._('You do not have permission to '
                 '%(action)s the %(classname)s class.')%info
 
-    def hasPermission(self, permission):
+    _marker = []
+    def hasPermission(self, permission, classname=_marker):
         """Check whether the user has 'permission' on the current class."""
+        if classname is self._marker:
+            classname = self.client.classname
         return self.db.security.hasPermission(permission, self.client.userid,
-            self.client.classname)
+            classname)
 
     def gettext(self, msgid):
         """Return the localized translation of msgid"""
@@ -314,46 +317,8 @@ def handle(self):
 
         self.client.ok_message.append(self._('Items edited OK'))
 
-class _EditAction(Action):
-    def isEditingSelf(self):
-        """Check whether a user is editing his/her own details."""
-        return (self.nodeid == self.userid
-                and self.db.user.get(self.nodeid, 'username') != 'anonymous')
-
-    def editItemPermission(self, props):
-        """Determine whether the user has permission to edit this item.
-
-        Base behaviour is to check the user can edit this class. If we're
-        editing the "user" class, users are allowed to edit their own details.
-        Unless it's the "roles" property, which requires the special Permission
-        "Web Roles".
-        """
-        if self.classname == 'user':
-            if props.has_key('roles') and not self.hasPermission('Web Roles'):
-                raise Unauthorised, self._(
-                    "You do not have permission to edit user roles")
-            if self.isEditingSelf():
-                return 1
-        if self.hasPermission('Edit'):
-            return 1
-        return 0
-
-    def newItemPermission(self, props):
-        """Determine whether the user has permission to create (edit) this item.
-
-        Base behaviour is to check the user can edit this class. No additional
-        property checks are made. Additionally, new user items may be created
-        if the user has the "Web Registration" Permission.
-
-        """
-        if (self.classname == 'user' and self.hasPermission('Web Registration')
-            or self.hasPermission('Edit')):
-            return 1
-        return 0
-
-    #
-    #  Utility methods for editing
-    #
+class EditCommon:
+    '''Utility methods for editing.'''
     def _editnodes(self, all_props, all_links, newids=None):
         ''' Use the props in all_props to perform edit and creation, then
             use the link specs in all_links to do linking.
@@ -475,7 +440,38 @@ def _createnode(self, cn, props):
         cl = self.db.classes[cn]
         return cl.create(**props)
 
-class EditItemAction(_EditAction):
+    def isEditingSelf(self):
+        """Check whether a user is editing his/her own details."""
+        return (self.nodeid == self.userid
+                and self.db.user.get(self.nodeid, 'username') != 'anonymous')
+
+    def editItemPermission(self, props):
+        """Determine whether the user has permission to edit this item.
+
+        Base behaviour is to check the user can edit this class. If we're
+        editing the "user" class, users are allowed to edit their own details.
+        Unless it's the "roles" property, which requires the special Permission
+        "Web Roles".
+        """
+        if self.classname == 'user':
+            if props.has_key('roles') and not self.hasPermission('Web Roles'):
+                raise Unauthorised, self._(
+                    "You do not have permission to edit user roles")
+            if self.isEditingSelf():
+                return 1
+        if self.hasPermission('Edit'):
+            return 1
+        return 0
+
+    def newItemPermission(self, props):
+        """Determine whether the user has permission to create this item.
+
+        Base behaviour is to check the user can edit this class. No additional
+        property checks are made.
+        """
+        return self.hasPermission('Create', self.classname)
+
+class EditItemAction(EditCommon, Action):
     def lastUserActivity(self):
         if self.form.has_key(':lastactivity'):
             d = date.Date(self.form[':lastactivity'].value)
@@ -539,7 +535,7 @@ def handle(self):
             url += '&' + req.indexargs_href('', {})[1:]
         raise Redirect, url
 
-class NewItemAction(_EditAction):
+class NewItemAction(EditCommon, Action):
     def handle(self):
         ''' Add a new item to the database.
 
@@ -677,28 +673,21 @@ def handle(self):
 
         self.client.ok_message.append(self._('Email sent to %s') % address)
 
-class ConfRegoAction(Action):
-    def handle(self):
-        """Grab the OTK, use it to load up the new user details."""
-        try:
-            # pull the rego information out of the otk database
-            self.userid = self.db.confirm_registration(self.form['otk'].value)
-        except (ValueError, KeyError), message:
-            self.client.error_message.append(str(message))
-            return
-
+class RegoCommon:
+    def finishRego(self):
         # log the new user in
-        self.client.user = self.db.user.get(self.userid, 'username')
+        self.client.userid = self.userid
+        user = self.client.user = self.db.user.get(self.userid, 'username')
         # re-open the database for real, using the user
-        self.client.opendb(self.client.user)
+        self.client.opendb(user)
 
         # if we have a session, update it
-        if hasattr(self, 'session'):
-            self.client.db.sessions.set(self.session, user=self.user,
-                last_use=time.time())
+        if hasattr(self.client, 'session'):
+            self.client.db.getSessionManager().set(self.client.session,
+                user=user, last_use=time.time())
         else:
             # new session cookie
-            self.client.set_cookie(self.user)
+            self.client.set_cookie(user)
 
         # nice message
         message = self._('You are now registered, welcome!')
@@ -713,48 +702,80 @@ def handle(self):
             window.setTimeout('window.location = "%s"', 1000);
             </script>'''%(message, url, message, url)
 
-class RegisterAction(Action):
+class ConfRegoAction(RegoCommon, Action):
+    def handle(self):
+        """Grab the OTK, use it to load up the new user details."""
+        try:
+            # pull the rego information out of the otk database
+            self.userid = self.db.confirm_registration(self.form['otk'].value)
+        except (ValueError, KeyError), message:
+            self.client.error_message.append(str(message))
+            return
+        self.finishRego()
+
+class RegisterAction(RegoCommon, EditCommon, Action):
     name = 'register'
-    permissionType = 'Web Registration'
+    permissionType = 'Create'
 
     def handle(self):
         """Attempt to create a new user based on the contents of the form
         and then set the cookie.
 
         Return 1 on successful login.
         """
-        props = self.client.parsePropsFromForm(create=1)[0][('user', None)]
+        # parse the props from the form
+        try:
+            props, links = self.client.parsePropsFromForm(create=1)
+        except (ValueError, KeyError), message:
+            self.client.error_message.append(self._('Error: %s')
+                % str(message))
+            return
 
         # registration isn't allowed to supply roles
-        if props.has_key('roles'):
+        user_props = props[('user', None)]
+        if user_props.has_key('roles'):
             raise Unauthorised, self._(
                 "It is not permitted to supply roles at registration.")
 
-        username = props['username']
-        try:
-            self.db.user.lookup(username)
-            self.client.error_message.append(self._('Error: A user with the '
-                'username "%(username)s" already exists')%props)
-            return
-        except KeyError:
-            pass
+        # skip the confirmation step?
+        if self.db.config['INSTANT_REGISTRATION']:
+            # handle the create now
+            try:
+                # when it hits the None element, it'll set self.nodeid
+                messages = self._editnodes(props, links)
+            except (ValueError, KeyError, IndexError, exceptions.Reject), \
+                    message:
+                # these errors might just be indicative of user dumbness
+                self.client.error_message.append(_('Error: %s') % str(message))
+                return
+
+            # fix up the initial roles
+            self.db.user.set(self.nodeid,
+                roles=self.db.config['NEW_WEB_USER_ROLES'])
+
+            # commit now that all the tricky stuff is done
+            self.db.commit()
+
+            # finish off by logging the user in
+            self.userid = self.nodeid
+            return self.finishRego()
 
         # generate the one-time-key and store the props for later
         for propname, proptype in self.db.user.getprops().items():
-            value = props.get(propname, None)
+            value = user_props.get(propname, None)
             if value is None:
                 pass
             elif isinstance(proptype, hyperdb.Date):
-                props[propname] = str(value)
+                user_props[propname] = str(value)
             elif isinstance(proptype, hyperdb.Interval):
-                props[propname] = str(value)
+                user_props[propname] = str(value)
             elif isinstance(proptype, hyperdb.Password):
-                props[propname] = str(value)
+                user_props[propname] = str(value)
         otks = self.db.getOTKManager()
         otk = ''.join([random.choice(chars) for x in range(32)])
         while otks.exists(otk):
             otk = ''.join([random.choice(chars) for x in range(32)])
-        otks.set(otk, **props)
+        otks.set(otk, **user_props)
 
         # send the email
         tracker_name = self.db.config.TRACKER_NAME
@@ -771,9 +792,9 @@ def handle(self):
 
 %(url)s?@action=confrego&otk=%(otk)s
 
-""" % {'name': props['username'], 'tracker': tracker_name, 'url': self.base,
-        'otk': otk, 'tracker_email': tracker_email}
-        if not self.client.standard_message([props['address']], subject,
+""" % {'name': user_props['username'], 'tracker': tracker_name,
+        'url': self.base, 'otk': otk, 'tracker_email': tracker_email}
+        if not self.client.standard_message([user_props['address']], subject,
                 body, (tracker_name, tracker_email)):
             return
 

roundup/cgi/client.py

@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.185 2004-07-27 02:30:31 richard Exp $
+# $Id: client.py,v 1.186 2004-07-28 02:29:45 richard Exp $
 
 """WWW request handler (also used in the stand-alone server).
 """
@@ -22,8 +22,6 @@ def initialiseSecurity(security):
     This function is directly invoked by security.Security.__init__()
     as a part of the Security object instantiation.
     '''
-    security.addPermission(name="Web Registration",
-        description="User may register through the web")
     p = security.addPermission(name="Web Access",
         description="User may access the web interface")
     security.addPermissionToRole('Admin', p)
@@ -398,6 +396,9 @@ def determine_user(self):
         # make sure the anonymous user is valid if we're using it
         if user == 'anonymous':
             self.make_user_anonymous()
+            if not self.db.security.hasPermission('Web Access', self.userid):
+                raise Unauthorised, self._("Anonymous users are not "
+                    "allowed to use the web interface")
         else:
             self.user = user