Roundup Tracker - Issues

Issue 2551032

classification
Roundup issue tracker does not permit a user to change their email address
Type: security Severity: normal
Components: Database, Web interface, Infrastructure Versions: 1.6
process
Status: fixed Resolution: fixed
Assignee: rouilj Nosy: LorenzoAncora, ber, pefu, rouilj, tmikk
Priority:

Created on 2019-03-15 21:10 by tmikk, last changed 2019-10-07 17:54 by rouilj.

Files
File name Uploaded Description
unnamed tmikk, 2019-10-05 15:15
Messages
msg6401 Author: [hidden] (tmikk) Date: 2019-03-15 21:10
This Roundup issue tracker (https://issues.roundup-tracker.org) does 
not allow a user to change their email address.  I attempted to change 
my email on the "Your Details" page from tmikk@users.sourceforge.net to 
tmikk@umn.edu and received a permission error.
msg6407 Author: [hidden] (ber) Date: 2019-03-20 07:18
Hi Tonu,
thanks for reporting!

The problem you see is a side effect of #2551027 (wiki outgoing email
does not work on sourceforge when running own wiki). And handled there.
Therefore I am closing here.

Regards,
Bernhard
msg6444 Author: [hidden] (rouilj) Date: 2019-03-27 00:49
Hi Bern:

I am confused. How does lack of email on the wiki translate into
this problem?

This issue is failing to be able to change the email entry in the user object of the tracker. The tracker is running on psf/digital ocean gear and can obviously send email (since we get the update notifications).
msg6445 Author: [hidden] (ber) Date: 2019-03-27 09:14
Hi John, Hi Tonu,

sorry about this, I was thinking wiki.
(A mistake I've made because I have a number of settings where we use
the roundup account for the wiki.)
msg6446 Author: [hidden] (pefu) Date: 2019-03-28 16:14
This issue seems to be duplicate of issue2550903

Users who are members of the "user" and the
"developer" class are still not permitted to change
some of their attributes: email, alternate email addresses
and organisation. However editing the timezone seems to work.

Best regards, 
Peter Funk
msg6447 Author: [hidden] (pefu) Date: 2019-03-28 16:20
What I wrote in my last email was not completely correct:
I just tested: I was able to edit the alternate email addresses
field.  What I was unable to do was swap the main email address
with one of the alternate email addresses in my user record of
this tracker here.

Best regards,
Peter Funk
msg6657 Author: [hidden] (rouilj) Date: 2019-09-26 11:50
Peter, is this the workflow that you used?

  1) remove the email address that you want to use as your
     primary address from alternate addresses. Commit the change
  2) change the primary email address to the one you removed in 1
     and commit the change.

Basically create two separate transactions rather than trying to do it
in a single transaction.

Do you get a failure at 1, or 2 or does it work?

-- rouilj
msg6660 Author: [hidden] (pefu) Date: 2019-09-26 13:09
Hello John,

John Rouillard added the comment:
> Peter, is this the workflow that you used?
> 
>   1) remove the email address that you want to use as your
>      primary address from alternate addresses. Commit the change
>   2) change the primary email address to the one you removed in 1
>      and commit the change.
> 
> Basically create two separate transactions rather than trying to do it
> in a single transaction.
> 
> Do you get a failure at 1, or 2 or does it work?

Just tried again.

step 1 worked fine.

The "permission denied" exception (you are not allowed to edit entries
of class "user" or as I see it in German:
Sie sind nicht berechtigt, Einträge der Klasse "user" zu bearbeiten )
happens in step 2.

The same exception happens if I try to enter the name of my company
into the field labeled "Organisation".

I see that you changed the sequence of my roles on March 15th from
User,Developer to Developer,User.  I don't believe that the sequence 
of roles matters.

I believe that neither the members of the roles "Developer" or "User"
are allowed to change/edit the attributes primary address and organisation
of their own record in this tracker instance data base.

Many thanks that you spend your time to have a look into this issue.

Best regards, Peter Funk
-- 
Peter Funk ✉home:Oldenburger Str.86, D-27777 Ganderkesee; 📱:+49-179-640-8878 
✉office: ArtCom GmbH, Haferwende 2, D-28357 Bremen, Germany
☎office:+49-421-20419-0 <http://www.artcom-gmbh.de/>
msg6669 Author: [hidden] (rouilj) Date: 2019-10-02 00:14
Peter, I just changed your roles from Developer,User to User,Developer. 
Can you try changing your address again and see if it works?

Thanks.

-- rouilj
msg6671 Author: [hidden] (pefu) Date: 2019-10-02 05:15
Good morning John,

You wrote:
> Can you try changing your address again and see if it works?

No. It didn't.  
As I mentioned in msg6660 the order of roles does not matter.
I believe the problem is/was located in website/issues/schema.py
but I'm unable to figure it out.  Maybe a fresh cup of tea might help?
I dunno.
msg6683 Author: [hidden] (rouilj) Date: 2019-10-05 04:49
I think this is fixed. Tonu and Peter can you try changing your 
settings again.

Here is the joke:

--- schema.py   2019-10-05 03:07:07.940446690 +0000
+++ /srv/roundup/trackers/roundup/schema.py     2019-10-05 
04:21:51.896409025 +0000
@@ -289,7 +289,7 @@
     description="User is allowed to edit their own user details",
     properties=('username', 'password',
                 'address', 'realname',
-                'phone', 'organization',
+                'phone', 'organisation',
                 'alternate_addresses',
                 'queries',
                 'timezone')) # Note: 'roles' excluded - users should 
not be able to edit their own roles.
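Review bot: the corrected entry at 'phone', 'organisation' shows that the names in this properties= tuple are not checked against the user class's real property names, so the old spelling 'organization' sat in the permission unnoticed and, going by the reports in this thread, surfaced only as a generic "not allowed to edit" error on class "user" instead of an error naming the bad property. Consider validating every name in properties= against the class when the schema is loaded, so a misspelling fails at startup. A regression test that a User-role account can edit each listed property of its own record, and cannot edit 'roles', would also pin the intent stated in the trailing comment; that comment would be easier to keep accurate on its own line above the tuple.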
msg6684 Author: [hidden] (tmikk) Date: 2019-10-05 15:15
It worked for me! I was able to change my email address!  Thank you!

On Fri, Oct 4, 2019 at 11:49 PM John Rouillard <issues@roundup-tracker.org>
wrote:

>
> John Rouillard added the comment:
>
> I think this is fixed. Tonu and Peter can you try changing your
> settings again.
>
> Here is the joke:
>
> --- schema.py   2019-10-05 03:07:07.940446690 +0000
> +++ /srv/roundup/trackers/roundup/schema.py     2019-10-05
> 04:21:51.896409025 +0000
> @@ -289,7 +289,7 @@
>      description="User is allowed to edit their own user details",
>      properties=('username', 'password',
>                  'address', 'realname',
> -                'phone', 'organization',
> +                'phone', 'organisation',
>                  'alternate_addresses',
>                  'queries',
>                  'timezone')) # Note: 'roles' excluded - users should
> not be able to edit their own roles.
>
> ----------
> assignee:  -> rouilj
msg6691 Author: [hidden] (rouilj) Date: 2019-10-05 18:28
Tonu, glad that fixed it for you. If Peter agrees, I'll close these 
tickets.

I have already checked the change into the source so it won't get lost.

-- rouilj
msg6711 Author: [hidden] (pefu) Date: 2019-10-07 15:07
Thank you, John.
Yes, I agree: I am fine with closing this issue now.
Best regards, Peter.
History
Date  User  Action  Args
2019-10-07 17:54:21  rouilj  set  status: open -> fixed
    resolution: fixed
2019-10-07 15:07:52  pefu  set  messages: + msg6711
2019-10-05 18:28:45  rouilj  set  messages: + msg6691
    components: + Database, Infrastructure
2019-10-05 15:15:09  tmikk  set  files: + unnamed
    messages: + msg6684
2019-10-05 04:49:04  rouilj  set  assignee: rouilj
    messages: + msg6683
2019-10-02 05:15:37  pefu  set  messages: + msg6671
2019-10-02 00:14:22  rouilj  set  messages: + msg6669
2019-09-26 13:09:31  pefu  set  messages: + msg6660
2019-09-26 11:50:38  rouilj  set  messages: + msg6657
2019-07-25 20:57:05  LorenzoAncora  set  nosy: + LorenzoAncora
2019-03-28 16:20:26  pefu  set  messages: + msg6447
2019-03-28 16:14:13  pefu  set  nosy: + pefu
    messages: + msg6446
2019-03-27 09:14:23  ber  set  superseder: wiki outgoing email does not work on sourceforge when running own wiki (decision) ->
    messages: + msg6445
2019-03-27 00:49:02  rouilj  set  status: closed -> open
    nosy: + rouilj
    messages: + msg6444
2019-03-20 07:18:46  ber  set  superseder: wiki outgoing email does not work on sourceforge when running own wiki (decision)
2019-03-20 07:18:30  ber  set  status: new -> closed
    nosy: + ber
    messages: + msg6407
2019-03-15 21:10:50  tmikk  create