Roundup Tracker - Issues

Issue 2550903

classification
Unable to change(save) user details on http://issues.roundup-tracker.org
Type: behavior Severity: major
Components: Infrastructure Versions:
process
Status: fixed Resolution: fixed
Assigned To: rouilj Nosy List: ber, pefu, rouilj, schlatterbeck, techtonik, thomas_ah
Priority:

Created on 2016-02-25 15:56 by pefu, last changed 2019-10-07 17:54 by rouilj.

Messages
msg5475 Author: [hidden] (pefu) Date: 2016-02-25 15:56
This is a copy of issue 2550861 because the restricted permissions here 
might be related to the still unencrypted operation of 
issues.roundup-tracker.org

So what is the problem: I wanted to add my company email account to
the list of alternate email addresses of my user account here on this
tracker.  This was denied when clicking submit changes.

Regards, Peter
msg5483 Author: [hidden] (pefu) Date: 2016-03-04 09:18
I still get the message "You have not permission to edit user" if I want
to change my Details (Alternate Addresses, Phone, ...)
msg5485 Author: [hidden] (ber) Date: 2016-03-04 14:09
I don't think that the access over http is limiting your
ability to change your values. Somebody would need to inquire.
(However for the next days, this is unlikely to be me.)
msg5486 Author: [hidden] (pefu) Date: 2016-03-04 14:52
@ber: Thanks nevertheless.  
It seems to be a problem with the configuration of this particular
tracker instance.  Is someone out there who could have a look into this?

Thanks in advance, Peter
msg5487 Author: [hidden] (pefu) Date: 2016-03-04 15:06
If it helps: I was able to edit my details in the "meta" Tracker (
psf.upfronthosting.co.za/roundup/meta ), but not here and not on
bugs.python.org . So it seems to be a more general problem with
permissions and roles.
msg5489 Author: [hidden] (pefu) Date: 2016-03-09 14:56
Does anyone know what version of Roundup is running the tracker 
instance at http://psf.upfronthosting.co.za/roundup/meta ?
msg5493 Author: [hidden] (ber) Date: 2016-03-10 08:49
I could find out, usually it is a recent version.
msg5749 Author: [hidden] (rouilj) Date: 2016-07-04 20:48
Hmm, the schema looks right (I am looking in hg:website/issues/schema.py).

Pefu has both User and Developer roles.

# Users should be able to edit their own details -- this permission is
# limited to only the situation where the Viewed or Edited item is their
# own.
def own_record(db, userid, itemid):
    '''Determine whether the userid matches the item being accessed.'''
    return userid == itemid
p = db.security.addPermission(name='View', klass='user', check=own_record,
    description="User is allowed to view their own user details")
for r in 'User', 'Developer', 'Coordinator':
    db.security.addPermissionToRole(r, p)
p = db.security.addPermission(name='Edit', klass='user', check=own_record,
    description="User is allowed to edit their own user details",
    properties=('username', 'password',
                'address', 'realname',
                'phone', 'organization',
                'alternate_addresses',
                'queries',
                'timezone')) # Note: 'roles' excluded - users should not
                             # be able to edit their own roles.
for r in 'User', 'Developer':
    db.security.addPermissionToRole(r, p)

Bern, Ralf ideas?
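
The permission quoted in the message above combines a property list with the own_record check. The following added example is not part of the thread and is not Roundup's code: it is a simplified stand-alone model of those semantics, useful for checking that 'roles' and other users' records stay uneditable. The names Permission.allows, ROLE_PERMS and denied_properties, and the sample user ids, are assumptions made for the illustration.

```python
# Simplified stand-alone model of a property-restricted, check-guarded
# permission. NOT Roundup's implementation; helper names are assumptions.
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Permission:
    name: str
    klass: str
    properties: Tuple[str, ...] = ()   # empty tuple = every property
    check: Optional[Callable[[object, str, str], bool]] = None

    def allows(self, db, name, klass, prop, userid, itemid):
        if (name, klass) != (self.name, self.klass):
            return False
        if self.properties and prop not in self.properties:
            return False               # property not covered by this grant
        return self.check is None or self.check(db, userid, itemid)


def own_record(db, userid, itemid):
    '''Same predicate as in the schema quoted above.'''
    return userid == itemid


# Property list copied from the schema quoted in the message above.
EDIT_OWN = Permission('Edit', 'user', check=own_record, properties=(
    'username', 'password', 'address', 'realname', 'phone', 'organization',
    'alternate_addresses', 'queries', 'timezone'))

ROLE_PERMS = {'User': [EDIT_OWN], 'Developer': [EDIT_OWN]}


def denied_properties(roles, userid, itemid, submitted):
    '''Return the submitted property names that no role permits editing.'''
    perms = [p for r in roles for p in ROLE_PERMS.get(r, [])]
    return sorted(
        prop for prop in submitted
        if not any(p.allows(None, 'Edit', 'user', prop, userid, itemid)
                   for p in perms))


if __name__ == '__main__':
    # Constructed form submissions; user ids '7' and '8' are made up.
    print(denied_properties(['User', 'Developer'], '7', '7',
                            {'phone': '555', 'timezone': '1'}))
    print(denied_properties(['User'], '7', '7', {'roles': 'Admin', 'phone': '555'}))
    print(denied_properties(['User'], '7', '8', {'phone': '555'}))
```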
msg5756 Author: [hidden] (pefu) Date: 2016-07-05 08:21
Dear John,

Thanks for spending your time on this.  BTW: is the schema.py of the
Python bug tracker http://bugs.python.org/ available for reference?

I just made a quick test and the behaviour of http://bugs.python.org/
has changed since I wrote msg5487 back in March this year:
I was now able to edit my user record there in 
http://bugs.python.org/user?@startwith=134&@pagesize=1

But still no luck here : "You do not have permission to edit user".

Regards, Peter.
msg5758 Author: [hidden] (schlatterbeck) Date: 2016-07-05 08:34
On Tue, Jul 05, 2016 at 08:21:44AM +0000, Peter Funk wrote:
> 
> I just made a quick test and the behaviour of http://bugs.python.org/
> has changed since I wrote msg5487 back in March this year:
> I was now able to edit my user record there in 
> http://bugs.python.org/user?@startwith=134&@pagesize=1
> 
> But still no luck here : "You do not have permission to edit user".

OK: 
- bugs.python.org works
- but http://issues.roundup-tracker.org doesn't

On Mon, Jul 04, 2016 at 08:48:31PM +0000, John Rouillard wrote:
> Hmm, the schema looks right (I am looking in hg:website/issues/schema.py).
> 
> Pefu has both User and Developer roles.
> 
> # Users should be able to edit their own details -- this permission is
> # limited to only the situation where the Viewed or Edited item is their
> # own.
> def own_record(db, userid, itemid):
>     '''Determine whether the userid matches the item being accessed.'''
>     return userid == itemid
> p = db.security.addPermission(name='View', klass='user', check=own_record,
>     description="User is allowed to view their own user details")
> for r in 'User', 'Developer', 'Coordinator':
>     db.security.addPermissionToRole(r, p)
> p = db.security.addPermission(name='Edit', klass='user', check=own_record,
>     description="User is allowed to edit their own user details",
>     properties=('username', 'password',
>                 'address', 'realname',
>                 'phone', 'organization',
>                 'alternate_addresses',
>                 'queries',
>                 'timezone')) # Note: 'roles' excluded - users should not
>                              # be able to edit their own roles.
> for r in 'User', 'Developer':
>     db.security.addPermissionToRole(r, p)
> 
> Bern, Ralf ideas?

Looks right to me.
Maybe the version running the tracker is not the latest?

Ralf
msg5759 Author: [hidden] (rouilj) Date: 2016-07-05 12:10
Hi Peter:

In message
<1467706903.98.0.485533796628.issue2550903@psf.upfronthosting.co.za>,
Peter Funk writes:
>
>Thanks for spending your time on this.  BTW: is the schema.py of the
>Python bug tracker http://bugs.python.org/ available for reference?

>
>I just made a quick test and the behaviour of http://bugs.python.org/
>has changed since I wrote msg5487 back in March this year:

I have been reading through their meta tracker and I think they said it
was available.

I used Google to search for "python.org meta tracker" and the first hit was 

  https://wiki.python.org/moin/TrackerDocs

which led to:

  https://wiki.python.org/moin/TrackerDevelopment

which references:

   http://hg.python.org/tracker/ 

and we have:

  https://hg.python.org/tracker/python-dev/file/tip/schema.py

last updated 

    Thu, 31 Mar 2016 19:53:14 +0300

(so it has changed since you posted) which says:

p = db.security.addPermission(name='Edit', klass='user', check=own_record,
    description="User is allowed to edit their own user details",
    properties=('username', 'password',
                'address', 'realname',
                'phone', 'organisation',
                'alternate_addresses',
                'queries', 'timezone',
                'homepage', 'github'))
                # Note: 'roles' excluded - users should not be able to edit their own roles.
                # Also excluded: contrib_form, contrib_form_date, iscommitter

for r in 'User', 'Developer':
    db.security.addPermissionToRole(r, p)

But the last change had nothing to do with those settings. However a
restart to load the new schema may have changed something.

Ralf, if you have to log in there, can you update the style.css from
Mercurial? I put in a couple of fixes to close out an issue.
msg5981 Author: [hidden] (rouilj) Date: 2017-05-29 02:11
Pefu, has this been fixed or is it still an issue?

-- rouilj
msg5996 Author: [hidden] (rouilj) Date: 2017-07-29 01:13
Peter are you still unable to change your user settings?

-- rouilj
msg5998 Author: [hidden] (pefu) Date: 2017-07-31 10:53
John Rouillard wrote two days ago, 29.07.2017 01:13:
> Peter are you still unable to change your user settings?

I was able to change my alternate E-Mail addresses and the timezone.
But I was not allowed to enter my Organisation and Phone number.

And furthermore (but probably unrelated): When trying to access 
https://issues.roundup-tracker.org the certificate belongs to 
bugs.python.org.  So I had to use HTTP to login which means
my password for issues.roundup-tracker.org travels over the
internet unencrypted which is so 90s ☺

Best regards, Peter Funk
msg6024 Author: [hidden] (rouilj) Date: 2017-09-29 02:32
Hi Peter:

We have updated the version of roundup and the roundup tracker.
Can you try logging in and see if you can change your organization
and phone?

If so I'll claim this is fixed.


Hopefully we can get somebody to set us up with proper HTTPS access
at some point.

-- rouilj
msg6387 Author: [hidden] (pefu) Date: 2019-03-13 09:41
Hello Tonu,

Tonu Mikk wrote 12.03.2019 11:18 in the roundup-users mailing list
> The password reset page
> <https://issues.roundup-tracker.org/user?@template=forgotten> on the
> Roundup issue tracker states:
> 
> "If your user was automatically created during import from the old
> sourceforge tracker, your e-mail address is
> <Sourceforge username>@users.sourceforge.net. The mail address associated
> with your account can be changed after login."
> 
> I was able to log in with my @users.sourceforge.net email address, however
> I got a permission error when I tried to change my email and my password in
> the user details of the tracker.
> 
> Should I open an issue?

Obviously some security considerations are still in place
for the user class of Roundup's own tracker:
see https://issues.roundup-tracker.org/issue2550903

For example I am allowed to change my phone number and my password
(just tested), and my timezone (tested 2017-07-31 12:42:56) but I am
still not allowed to change my Organisation or email addresses.

Best regards, Peter Funk
msg6689 Author: [hidden] (rouilj) Date: 2019-10-05 16:55
Anybody who was experiencing these issues please retry. I think I have a 
fix for this in place. Details on issue2551032.
msg6710 Author: [hidden] (pefu) Date: 2019-10-07 15:04
Thank you, John!
Today I tried again and it now worked for me.
Best regards, Peter Funk
History
Date                 User           Action  Args
2019-10-07 17:54:52  rouilj         set     status: open -> fixed, type: behavior, resolution: fixed
2019-10-07 15:04:51  pefu           set     messages: + msg6710
2019-10-05 16:55:51  rouilj         set     assignee: rouilj, messages: + msg6689
2019-03-13 09:41:47  pefu           set     messages: + msg6387
2017-09-29 02:32:50  rouilj         set     messages: + msg6024
2017-07-31 10:53:10  pefu           set     messages: + msg5998
2017-07-29 01:13:34  rouilj         set     messages: + msg5996
2017-05-29 02:12:00  rouilj         set     status: new -> open, messages: + msg5981
2016-07-05 12:10:57  rouilj         set     messages: + msg5759
2016-07-05 08:34:20  schlatterbeck  set     messages: + msg5758
2016-07-05 08:21:43  pefu           set     messages: + msg5756
2016-07-04 20:48:31  rouilj         set     nosy: + schlatterbeck, rouilj, messages: + msg5749
2016-03-10 08:49:09  ber            set     messages: + msg5493
2016-03-09 14:56:09  pefu           set     messages: + msg5489
2016-03-04 15:06:38  pefu           set     messages: + msg5487
2016-03-04 14:52:01  pefu           set     messages: + msg5486
2016-03-04 14:09:40  ber            set     assignee: ber -> (no value), messages: + msg5485
2016-03-04 09:18:50  pefu           set     assignee: ber, messages: + msg5483
2016-02-25 15:56:41  pefu           create