Provide a method for identifying invalid properties in permissions

issue2551062: roundup-admin security validates all properties in
permissions. It reports invalid properties.

Author: rouilj

CHANGES.txt

@@ -97,7 +97,9 @@ Features:
 - issue2551059: added new values for tx_Source to indicate when /rest
   or /xmlrpc endpoint is being used rather than the normal web
   endpoints. (John Rouillard)
-  
+- issue2551062: roundup-admin security now validates all properties in
+  permissions. It reports invalid properties. (John Rouillard)
+
 Fixed:
 
 - issue2550811: work around Unicode encoding issues in jinja2 template

doc/customizing.txt

@@ -1258,6 +1258,10 @@ Put together, these settings appear in the tracker's ``schema.py`` file::
     #   db.security.addPermissionToRole('Anonymous', 'Create', cl)
     #   db.security.addPermissionToRole('Anonymous', 'Edit', cl)
 
+You can use ``roundup-admin security`` to verify the permissions
+defined in the schema. It also verifies that properties specified in
+permissions are valid for the class. This helps detect typos that can
+cause baffling permission issues.
 
 Automatic Permission Checks
 ---------------------------
@@ -1344,6 +1348,15 @@ The ``addPermission`` method takes a few optional parameters:
   including properties would be used only for determining the
   access permission for those properties.
 
+  ``roundup-admin security`` will report invalid properties for the
+  class. For example a permission with an invalid summary property is
+  presented as::
+
+     Allowed to see content of object regardless of spam status
+        (View for "file": ('content', 'summary') only)
+
+     **Invalid properties for file: ['summary']
+
   Setting ``props_only=True`` will make the permission valid only for
   those properties.
 

roundup/admin.py

@@ -1446,6 +1446,17 @@ def do_security(self, args):
                     if permission.properties:
                         sys.stdout.write( _(' %(description)s (%(name)s for "%(klass)s"' +
                           ': %(properties)s only)\n')%d )
+                        # verify that properties exist; report bad props
+                        bad_props=[]
+                        cl = self.db.getclass(permission.klass)
+                        class_props = cl.getprops(protected=True)
+                        for p in permission.properties:
+                            if p in class_props:
+                                continue
+                            else:
+                                bad_props.append(p)
+                        if bad_props:
+                            sys.stdout.write( _('\n  **Invalid properties for %(class)s: %(props)s\n\n') % { "class": permission.klass, "props": bad_props })
                     else:
                         sys.stdout.write( _(' %(description)s (%(name)s for "%(klass)s" ' +
                             'only)\n')%d )