Issue 2550903
Created on 2016-02-25 15:56 by pefu, last changed 2019-10-07 17:54 by rouilj.
Messages | |||
---|---|---|---|
msg5475 | Author: [hidden] (pefu) | Date: 2016-02-25 15:56 | |
This a copy of issue 2550861 because the restricted permissions here might be related to the still unencrypted operation of issues.roundup-tracker.org So what is the problem: I wanted to add my company email account to the list of alternate email addresses of my user account here on this tracker. This was denied when clicking submit changes. Regards, Peter |
|||
msg5483 | Author: [hidden] (pefu) | Date: 2016-03-04 09:18 | |
I still get the message "You have not permission to edit user" if I want the change my Details (Alterate Adresses, Phone, ...) |
|||
msg5485 | Author: [hidden] (ber) | Date: 2016-03-04 14:09 | |
I don't think that the access over http is limiting your ability to change your values. Somebody would need to inquire. (However for the next days, this is unlikely to be me.) |
|||
msg5486 | Author: [hidden] (pefu) | Date: 2016-03-04 14:52 | |
@ber: Thanks nevertheless. It seems to be a problem with the configuration of this particular tracker instance. Is someone out there who could have a look into this? Thanks in advance, Peter |
|||
msg5487 | Author: [hidden] (pefu) | Date: 2016-03-04 15:06 | |
If it helps: I was able to edit my details in the "meta" Tracker ( psf.upfronthosting.co.za/roundup/meta ), but not here and not on bugs.python.org . So it seems to be a more general problem with permissions and roles. |
|||
msg5489 | Author: [hidden] (pefu) | Date: 2016-03-09 14:56 | |
Does anyone know what version of Roundup is running the tracker instance at http://psf.upfronthosting.co.za/roundup/meta ? |
|||
msg5493 | Author: [hidden] (ber) | Date: 2016-03-10 08:49 | |
I could find out, usually it is a recent version. |
|||
msg5749 | Author: [hidden] (rouilj) | Date: 2016-07-04 20:48 | |
Hmm the schema looks right *I am looking in hg:website/issues/schema.py. Pefu has both User an Developer roles. # Users should be able to edit their own details -- this permission is # limited to only the situation where the Viewed or Edited item is their own. def own_record(db, userid, itemid): '''Determine whether the userid matches the item being accessed.''' return userid == itemid p = db.security.addPermission(name='View', klass='user', check=own_record, description="User is allowed to view their own user details") for r in 'User', 'Developer', 'Coordinator': db.security.addPermissionToRole(r, p) p = db.security.addPermission(name='Edit', klass='user', check=own_record, description="User is allowed to edit their own user details", properties=('username', 'password', 'address', 'realname', 'phone', 'organization', 'alternate_addresses', 'queries', 'timezone')) # Note: 'roles' excluded - users should not be able to edit their own roles. for r in 'User', 'Developer': db.security.addPermissionToRole(r, p) Bern, Ralf ideas? |
|||
msg5756 | Author: [hidden] (pefu) | Date: 2016-07-05 08:21 | |
Dear John, Thanks for spending your time on this. BTW: is the schema.py of the Python bug tracker http://bugs.python.org/ available for reference? I just made a quick test and the behaviour of http://bugs.python.org/ has changed since I wrote msg5487 back in march this year: I was now able to edit my user record there in http://bugs.python.org/user?@startwith=134&@pagesize=1 But still no luck here : "You do not have permission to edit user". Regards, Peter. |
|||
msg5758 | Author: [hidden] (schlatterbeck) | Date: 2016-07-05 08:34 | |
On Tue, Jul 05, 2016 at 08:21:44AM +0000, Peter Funk wrote: > > I just made a quick test and the behaviour of http://bugs.python.org/ > has changed since I wrote msg5487 back in march this year: > I was now able to edit my user record there in > http://bugs.python.org/user?@startwith=134&@pagesize=1 > > But still no luck here : "You do not have permission to edit user". OK: - bugs.python.org works - but http://issues.roundup-tracker.org doesn't On Mon, Jul 04, 2016 at 08:48:31PM +0000, John Rouillard wrote: > Hmm the schema looks right *I am looking in hg:website/issues/schema.py. > > Pefu has both User an Developer roles. > > # Users should be able to edit their own details -- this permission is > # limited to only the situation where the Viewed or Edited item is their > own. > def own_record(db, userid, itemid): > '''Determine whether the userid matches the item being accessed.''' > return userid == itemid > p = db.security.addPermission(name='View', klass='user', check=own_record, > description="User is allowed to view their own user details") > for r in 'User', 'Developer', 'Coordinator': > db.security.addPermissionToRole(r, p) > p = db.security.addPermission(name='Edit', klass='user', check=own_record, > description="User is allowed to edit their own user details", > properties=('username', 'password', > 'address', 'realname', > 'phone', 'organization', > 'alternate_addresses', > 'queries', > 'timezone')) # Note: 'roles' excluded - users should not > be able to edit their own roles. > for r in 'User', 'Developer': > db.security.addPermissionToRole(r, p) > > Bern, Ralf ideas? Looks right to me. Maybe the version running the tracker is not the latest? Ralf |
|||
msg5759 | Author: [hidden] (rouilj) | Date: 2016-07-05 12:10 | |
Hi Peter: In message <1467706903.98.0.485533796628.issue2550903@psf.upfronthosting.co.za>, Peter Funk writes: > >Thanks for spending your time on this. BTW: is the schema.py of the >Python bug tracker http://bugs.python.org/ available for reference? > >I just made a quick test and the behaviour of http://bugs.python.org/ >has changed since I wrote msg5487 back in march this year: I have been reading though their meta tracker and I think they said it was available. I used google to search for "python.org meta tracker" and the first hit was https://wiki.python.org/moin/TrackerDocs which lead to: https://wiki.python.org/moin/TrackerDevelopment which references: http://hg.python.org/tracker/ and we have: https://hg.python.org/tracker/python-dev/file/tip/schema.py last updated Thu, 31 Mar 2016 19:53:14 +0300 (so it has changed since you posted) which says: p = db.security.addPermission(name='Edit', klass='user', check=own_record, description="User is allowed to edit their own user details", properties=('username', 'password', 'address', 'realname', 'phone', 'organisation', 'alternate_addresses', 'queries', 'timezone', 'homepage', 'github')) # Note: 'roles' excluded - users should not be able to edit their own roles. # Also excluded: contrib_form, contrib_form_date, iscommitter for r in 'User', 'Developer': db.security.addPermissionToRole(r, p) But the last change had nothing to do with those settings. However a restart to load the new schema may have changed something. Ralf, if you have to log in there can you update the style.css from mercurial. I put in a couple of fixes to close out an issue. |
|||
msg5981 | Author: [hidden] (rouilj) | Date: 2017-05-29 02:11 | |
Pefu, has this been fixed or is it still an issue? -- rouilj |
|||
msg5996 | Author: [hidden] (rouilj) | Date: 2017-07-29 01:13 | |
Peter are you still unable to change your user settings? -- rouilj |
|||
msg5998 | Author: [hidden] (pefu) | Date: 2017-07-31 10:53 | |
John Rouillard wrote two days ago, 29.07.2017 01:13: > Peter are you still unable to change your user settings? I was able to change my alternate E-Mail addresses and the timezone. But I was not allowed to enter my Organisation and Phone number. And furthermore (but probably unrelated): When trying to access https://issues.roundup-tracker.org the certificate belongs to bugs.python.org. So I had to use HTTP to login which means my password for issues.roundup-tracker.org travels over the internet unencrypted which is so 90s ☺ Best regards, Peter Funk |
|||
msg6024 | Author: [hidden] (rouilj) | Date: 2017-09-29 02:32 | |
Hi Peter: We have updated the version of roundup and the roundup tracker. Can you try logging in and see if you can change your organization and phone. If so I'll claim this is fixed. Hopefully we can get somebody to set up up with proper HTTPS access at some point. -- rouilj |
|||
msg6387 | Author: [hidden] (pefu) | Date: 2019-03-13 09:41 | |
Hello Tonu, Tonu Mikk wrote 12.03.2019 11:18 in the roundup-users mailing list > The password reset page > <https://issues.roundup-tracker.org/user?@template=forgotten> on the > Roundup issue tracker states: > > "If your user was automatically created during import from the old > sourceforge tracker, your e-mail address is <Sourceforge username>@ > users.sourceforge.net. The mail address associated with your account can be > changed after login." > > I was able to log in with my @users.sourceforge.net email address, however > I got a permission error when I tried to change my email and my password in > the user details of the tracker. > > Should I open an issue? Obviously some security considerations are still in place for the user class of Roundups own tracker : see https://issues.roundup-tracker.org/issue2550903 For example I am allowed to change my phone number and my password (just tested), and my timezone (tested 2017-07-31 12:42:56) but I am still not allowed to change my Organisation or email addresses. Best regards, Peter Funk |
|||
msg6689 | Author: [hidden] (rouilj) | Date: 2019-10-05 16:55 | |
Anybody who was experiencing these issues please retry. I think I have a fix for this in place. Details on issue2551032. |
|||
msg6710 | Author: [hidden] (pefu) | Date: 2019-10-07 15:04 | |
Thank you, John! Today I tried again and it now worked for me. Best regards, Peter Funk |
History | |||
---|---|---|---|
Date | User | Action | Args |
2019-10-07 17:54:52 | rouilj | set | status: open -> fixed type: behavior resolution: fixed |
2019-10-07 15:04:51 | pefu | set | messages: + msg6710 |
2019-10-05 16:55:51 | rouilj | set | assignee: rouilj messages: + msg6689 |
2019-03-13 09:41:47 | pefu | set | messages: + msg6387 |
2017-09-29 02:32:50 | rouilj | set | messages: + msg6024 |
2017-07-31 10:53:10 | pefu | set | messages: + msg5998 |
2017-07-29 01:13:34 | rouilj | set | messages: + msg5996 |
2017-05-29 02:12:00 | rouilj | set | status: new -> open messages: + msg5981 |
2016-07-05 12:10:57 | rouilj | set | messages: + msg5759 |
2016-07-05 08:34:20 | schlatterbeck | set | messages: + msg5758 |
2016-07-05 08:21:43 | pefu | set | messages: + msg5756 |
2016-07-04 20:48:31 | rouilj | set | nosy:
+ schlatterbeck, rouilj messages: + msg5749 |
2016-03-10 08:49:09 | ber | set | messages: + msg5493 |
2016-03-09 14:56:09 | pefu | set | messages: + msg5489 |
2016-03-04 15:06:38 | pefu | set | messages: + msg5487 |
2016-03-04 14:52:01 | pefu | set | messages: + msg5486 |
2016-03-04 14:09:40 | ber | set | assignee: ber -> (no value) messages: + msg5485 |
2016-03-04 09:18:50 | pefu | set | assignee: ber messages: + msg5483 |
2016-02-25 15:56:41 | pefu | create |