Roundup Tracker - Issues

Issue 2550903

classification
Title: Unable to change(save) user details on http://issues.roundup-tracker.org
Type: Severity: major
Components: Infrastructure Versions:
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: ber, pefu, rouilj, schlatterbeck, techtonik, thomas_ah
Priority: Keywords:

Created on 2016-02-25 15:56 by pefu, last changed 2017-07-31 10:53 by pefu.

Messages
msg5475 Author: [hidden] (pefu) Date: 2016-02-25 15:56
This a copy of issue 2550861 because the restricted permissions here 
might be related to the still unencrypted operation of 
issues.roundup-tracker.org

So what is the problem: I wanted to add my company email account to
the list of alternate email addresses of my user account here on this
tracker.  This was denied when clicking submit changes.

Regards, Peter
msg5483 Author: [hidden] (pefu) Date: 2016-03-04 09:18
I still get the message "You have not permission to edit user" if I want
the change my Details (Alterate Adresses, Phone, ...)
msg5485 Author: [hidden] (ber) Date: 2016-03-04 14:09
I don't think that the access over http is limiting your
ability to change your values. Somebody would need to inquire.
(However for the next days, this is unlikely to be me.)
msg5486 Author: [hidden] (pefu) Date: 2016-03-04 14:52
@ber: Thanks nevertheless.  
It seems to be a problem with the configuration of this particular
tracker instance.  Is someone out there who could have a look into this?

Thanks in advance, Peter
msg5487 Author: [hidden] (pefu) Date: 2016-03-04 15:06
If it helps: I was able to edit my details in the "meta" Tracker (
psf.upfronthosting.co.za/roundup/meta ), but not here and not on
bugs.python.org . So it seems to be a more general problem with
permissions and roles.
msg5489 Author: [hidden] (pefu) Date: 2016-03-09 14:56
Does anyone know what version of Roundup is running the tracker 
instance at http://psf.upfronthosting.co.za/roundup/meta ?
msg5493 Author: [hidden] (ber) Date: 2016-03-10 08:49
I could find out, usually it is a recent version.
msg5749 Author: [hidden] (rouilj) Date: 2016-07-04 20:48
Hmm the schema looks right *I am looking in hg:website/issues/schema.py.

Pefu has both User an Developer roles.

# Users should be able to edit their own details -- this permission is
# limited to only the situation where the Viewed or Edited item is their
own.
def own_record(db, userid, itemid):
    '''Determine whether the userid matches the item being accessed.'''
    return userid == itemid
p = db.security.addPermission(name='View', klass='user', check=own_record,
    description="User is allowed to view their own user details")
for r in 'User', 'Developer', 'Coordinator':
    db.security.addPermissionToRole(r, p)
p = db.security.addPermission(name='Edit', klass='user', check=own_record,
    description="User is allowed to edit their own user details",
    properties=('username', 'password',
                'address', 'realname',
                'phone', 'organization',
                'alternate_addresses',
                'queries',
                'timezone')) # Note: 'roles' excluded - users should not
be able to edit their own roles.
for r in 'User', 'Developer':
    db.security.addPermissionToRole(r, p)

Bern, Ralf ideas?
msg5756 Author: [hidden] (pefu) Date: 2016-07-05 08:21
Dear John,

Thanks for spending your time on this.  BTW: is the schema.py of the
Python bug tracker http://bugs.python.org/ available for reference?

I just made a quick test and the behaviour of http://bugs.python.org/
has changed since I wrote msg5487 back in march this year:
I was now able to edit my user record there in 
http://bugs.python.org/user?@startwith=134&@pagesize=1

But still no luck here : "You do not have permission to edit user".

Regards, Peter.
msg5758 Author: [hidden] (schlatterbeck) Date: 2016-07-05 08:34
On Tue, Jul 05, 2016 at 08:21:44AM +0000, Peter Funk wrote:
> 
> I just made a quick test and the behaviour of http://bugs.python.org/
> has changed since I wrote msg5487 back in march this year:
> I was now able to edit my user record there in 
> http://bugs.python.org/user?@startwith=134&@pagesize=1
> 
> But still no luck here : "You do not have permission to edit user".

OK: 
- bugs.python.org works
- but http://issues.roundup-tracker.org doesn't

On Mon, Jul 04, 2016 at 08:48:31PM +0000, John Rouillard wrote:
> Hmm the schema looks right *I am looking in hg:website/issues/schema.py.
> 
> Pefu has both User an Developer roles.
> 
> # Users should be able to edit their own details -- this permission is
> # limited to only the situation where the Viewed or Edited item is their
> own.
> def own_record(db, userid, itemid):
>     '''Determine whether the userid matches the item being accessed.'''
>     return userid == itemid
> p = db.security.addPermission(name='View', klass='user', check=own_record,
>     description="User is allowed to view their own user details")
> for r in 'User', 'Developer', 'Coordinator':
>     db.security.addPermissionToRole(r, p)
> p = db.security.addPermission(name='Edit', klass='user', check=own_record,
>     description="User is allowed to edit their own user details",
>     properties=('username', 'password',
>                 'address', 'realname',
>                 'phone', 'organization',
>                 'alternate_addresses',
>                 'queries',
>                 'timezone')) # Note: 'roles' excluded - users should not
> be able to edit their own roles.
> for r in 'User', 'Developer':
>     db.security.addPermissionToRole(r, p)
> 
> Bern, Ralf ideas?

Looks right to me.
Maybe the version running the tracker is not the latest?

Ralf
msg5759 Author: [hidden] (rouilj) Date: 2016-07-05 12:10
Hi Peter:

In message
<1467706903.98.0.485533796628.issue2550903@psf.upfronthosting.co.za>,
Peter Funk writes:
>
>Thanks for spending your time on this.  BTW: is the schema.py of the
>Python bug tracker http://bugs.python.org/ available for reference?

>
>I just made a quick test and the behaviour of http://bugs.python.org/
>has changed since I wrote msg5487 back in march this year:

I have been reading though their meta tracker and I think they said it
was available.

I used google to search for "python.org meta tracker" and the first hit was 

  https://wiki.python.org/moin/TrackerDocs

which lead to:

  https://wiki.python.org/moin/TrackerDevelopment

which references:

   http://hg.python.org/tracker/ 

and we have:

  https://hg.python.org/tracker/python-dev/file/tip/schema.py

last updated 

    Thu, 31 Mar 2016 19:53:14 +0300

(so it has changed since you posted) which says:

p = db.security.addPermission(name='Edit', klass='user', check=own_record,
    description="User is allowed to edit their own user details",
    properties=('username', 'password',
                'address', 'realname',
                'phone', 'organisation',
                'alternate_addresses',
                'queries', 'timezone',
                'homepage', 'github'))
                # Note: 'roles' excluded - users should not be able to edit their own roles.
                # Also excluded: contrib_form, contrib_form_date, iscommitter

for r in 'User', 'Developer':
    db.security.addPermissionToRole(r, p)

But the last change had nothing to do with those settings. However a
restart to load the new schema may have changed something.

Ralf, if you have to log in there can you update the style.css from
mercurial. I put in a couple of fixes to close out an issue.
msg5981 Author: [hidden] (rouilj) Date: 2017-05-29 02:11
Pefu, has this been fixed or is it still an issue?

-- rouilj
msg5996 Author: [hidden] (rouilj) Date: 2017-07-29 01:13
Peter are you still unable to change your user settings?

-- rouilj
msg5998 Author: [hidden] (pefu) Date: 2017-07-31 10:53
John Rouillard wrote two days ago, 29.07.2017 01:13:
> Peter are you still unable to change your user settings?

I was able to change my alternate E-Mail addresses and the timezone.
But I was not allowed to enter my Organisation and Phone number.

And furthermore (but probably unrelated): When trying to access 
https://issues.roundup-tracker.org the certificate belongs to 
bugs.python.org.  So I had to use HTTP to login which means
my password for issues.roundup-tracker.org travels over the
internet unencrypted which is so 90s ☺

Best regards, Peter Funk
History
Date User Action Args
2017-07-31 10:53:10pefusetmessages: + msg5998
2017-07-29 01:13:34rouiljsetmessages: + msg5996
2017-05-29 02:12:00rouiljsetstatus: new -> open
messages: + msg5981
2016-07-05 12:10:57rouiljsetmessages: + msg5759
2016-07-05 08:34:20schlatterbecksetmessages: + msg5758
2016-07-05 08:21:43pefusetmessages: + msg5756
2016-07-04 20:48:31rouiljsetnosy: + schlatterbeck, rouilj
messages: + msg5749
2016-03-10 08:49:09bersetmessages: + msg5493
2016-03-09 14:56:09pefusetmessages: + msg5489
2016-03-04 15:06:38pefusetmessages: + msg5487
2016-03-04 14:52:01pefusetmessages: + msg5486
2016-03-04 14:09:40bersetassignee: ber ->
messages: + msg5485
2016-03-04 09:18:50pefusetassignee: ber
messages: + msg5483
2016-02-25 15:56:41pefucreate