issue2550855: added search perms for anonymous to the user class.

This lets the "show unassigned" search work for anonymous.
Patch by Stuart McGraw.

Added warning to upgrading.txt and a comment block before the schema
change in every template tracker except minimal (doesn't have the
search).

Author: rouilj

CHANGES.txt

@@ -195,6 +195,13 @@ Fixed:
   porter stemmer will work. This means capitalization is not
   preserved. Fix done by David Wolever (wolever). Committed and doc
   updates John Rouillard.
+- issue2550855: "show unassigned" link shows all open issues if not
+  logged in. This adds permission for the anonymous user to search
+  the users class. Without this the unassigned search can't see if
+  there is a user assigned to an issue, so it acts like all open
+  issues. Patch supplied by Stuart McGraw (smcgraw). For caveats
+  see ``upgrading.txt`` and the comments in the default templates.
+  (Docs created and applcation by John Rouillard)
 
 2016-01-11: 1.5.1
 

doc/upgrading.txt

@@ -118,6 +118,19 @@ If your deployed tracker is based on: classic, minimal, responsive or
 devel templates and has not changed the html/_generic.404.html file,
 you can copy in the new file to get this additional functionality.
 
+Schema change to allow "Show Unassigned" issues link to work for Anonymous user
+-------------------------------------------------------------------------------
+
+In this release the anonymous user is allowed to search the user
+class. The following was added to the schema for all templates that
+provide the search option::
+
+   p = db.security.addPermission(name='Search', klass='user')
+   db.security.addPermissionToRole ('Anonymous', p)
+
+If you are running a tracker that **does not** allow read access for
+anonymous, you should remove this entry as it can be used to perform
+a username guessing attack against a roundup install.
 
 Migrating from 1.5.0 to 1.5.1
 =============================

share/roundup/templates/classic/schema.py

@@ -170,6 +170,14 @@ def edit_query(db, userid, itemid):
 for cl in 'issue', 'file', 'msg', 'keyword', 'priority', 'status':
     db.security.addPermissionToRole('Anonymous', 'View', cl)
 
+# Allow the anonymous user to use the "Show Unassigned" search.
+# It acts like "Show Open" if this permission is not available.
+# If you are running a tracker that does not allow read access for
+# anonymous, you should remove this entry as it can be used to perform
+# a username guessing attack against a roundup install.
+p = db.security.addPermission(name='Search', klass='user')
+db.security.addPermissionToRole ('Anonymous', p)
+
 # [OPTIONAL]
 # Allow anonymous users access to create or edit "issue" items (and the
 # related file and message items)

share/roundup/templates/devel/schema.py

@@ -377,6 +377,14 @@ def edit_query(db, userid, itemid):
 for cl in 'bug', 'severity', 'status', 'resolution', 'msg', 'file':
     db.security.addPermissionToRole('Anonymous', 'View', cl)
 
+# Allow the anonymous user to use the "Show Unassigned" search.
+# It acts like "Show Open" if this permission is not available.
+# If you are running a tracker that does not allow read access for
+# anonymous, you should remove this entry as it can be used to perform
+# a username guessing attack against a roundup install.
+p = db.security.addPermission(name='Search', klass='user')
+db.security.addPermissionToRole ('Anonymous', p)
+
 # [OPTIONAL]
 # Allow anonymous users access to create or edit "issue" items (and the
 # related file and message items)

share/roundup/templates/jinja2/schema.py

@@ -170,6 +170,14 @@ def edit_query(db, userid, itemid):
 for cl in 'issue', 'file', 'msg', 'keyword', 'priority', 'status':
     db.security.addPermissionToRole('Anonymous', 'View', cl)
 
+# Allow the anonymous user to use the "Show Unassigned" search.
+# It acts like "Show Open" if this permission is not available.
+# If you are running a tracker that does not allow read access for
+# anonymous, you should remove this entry as it can be used to perform
+# a username guessing attack against a roundup install.
+p = db.security.addPermission(name='Search', klass='user')
+db.security.addPermissionToRole ('Anonymous', p)
+
 # [OPTIONAL]
 # Allow anonymous users access to create or edit "issue" items (and the
 # related file and message items)

share/roundup/templates/responsive/schema.py

@@ -376,6 +376,14 @@ def edit_query(db, userid, itemid):
 for cl in 'bug', 'severity', 'status', 'resolution', 'msg', 'file':
     db.security.addPermissionToRole('Anonymous', 'View', cl)
 
+# Allow the anonymous user to use the "Show Unassigned" search.
+# It acts like "Show Open" if this permission is not available.
+# If you are running a tracker that does not allow read access for
+# anonymous, you should remove this entry as it can be used to perform
+# a username guessing attack against a roundup install.
+p = db.security.addPermission(name='Search', klass='user')
+db.security.addPermissionToRole ('Anonymous', p)
+
 # [OPTIONAL]
 # Allow anonymous users access to create or edit "issue" items (and the
 # related file and message items)