Issue 2551111
Created on 2021-02-02 09:37 by zafati, last changed 2021-03-18 01:16 by rouilj.
Messages | |||
---|---|---|---|
msg7056 | Author: [hidden] (zafati) | Date: 2021-02-02 09:37 | |
I am unable to list users and display their properties through xmlrpc remote access. I am getting the following error using admin user (even when i use a default tracker): xmlrpclib.Fault: <Fault 1: "<class 'roundup.exceptions.Unauthorised'>:Permission to view username of user1 denied"> My current roundup is configured with mod_python handler. The security permissions in schema.py looks like: db.security.addPermissionToRole('User', 'View', 'user') # Users should be able to edit their own details -- this permission is # limited to only the situation where the Viewed or Edited item is their own. def own_record(db, userid, itemid): '''Determine whether the userid matches the item being accessed.''' return userid == itemid p = db.security.addPermission(name='View', klass='user', check=own_record, description="User is allowed to view their own user details") db.security.addPermissionToRole('User', p) p = db.security.addPermission(name='Edit', klass='user', check=own_record, properties=('username', 'password', 'address', 'realname', 'phone', 'organisation', 'alternate_addresses', 'queries', 'timezone'), description="User is allowed to edit their own user details") db.security.addPermissionToRole('User', p) # Users should be able to edit and view their own queries. They should also # be able to view any marked as not private. They should not be able to # edit others' queries, even if they're not private def view_query(db, userid, itemid): private_for = db.query.get(itemid, 'private_for') if not private_for: return True return userid == private_for def edit_query(db, userid, itemid): return userid == db.query.get(itemid, 'creator') p = db.security.addPermission(name='View', klass='query', check=view_query, description="User is allowed to view their own and public queries") db.security.addPermissionToRole('User', p) p = db.security.addPermission(name='Search', klass='query') db.security.addPermissionToRole('User', p) p = db.security.addPermission(name='Edit', klass='query', check=edit_query, description="User is allowed to edit their queries") db.security.addPermissionToRole('User', p) p = db.security.addPermission(name='Retire', klass='query', check=edit_query, description="User is allowed to retire their queries") db.security.addPermissionToRole('User', p) p = db.security.addPermission(name='Create', klass='query', description="User is allowed to create queries") db.security.addPermissionToRole('User', p) |
|||
msg7057 | Author: [hidden] (schlatterbeck) | Date: 2021-02-02 10:05 | |
On Tue, Feb 02, 2021 at 09:37:59AM +0000, zafati wrote: > > I am unable to list users and display their properties through xmlrpc > remote access. I am getting the following error using admin user (even > when i use a default tracker): There is a new XMLRPC permission in the tracker, you'll have to give this to all roles that should have XMLRPC access. e.g. db.security.addPermissionToRole ('User', 'Xmlrpc Access') db.security.addPermissionToRole ('Admin', 'Xmlrpc Access') Let us know if you have those. Ralf -- Dr. Ralf Schlatterbeck Tel: +43/2243/26465-16 Open Source Consulting www: www.runtux.com Reichergasse 131, A-3411 Weidling email: office@runtux.com |
|||
msg7058 | Author: [hidden] (zafati) | Date: 2021-02-02 10:19 | |
We are still using roundup 1.5 and this option is not defined in this version. |
|||
msg7066 | Author: [hidden] (rouilj) | Date: 2021-02-05 16:45 | |
How are you accessing the xmlrpc endpoint? Are you using the /xmlrpc endpoint with the normal roundup tracker url, or are you using the separate xmlrpc server? Ralf any idea here? I don't remember any fixes to the xmlrpc stuff post 1.5.0. Only feature additions. It looks like the xmlrpc module does include logging. How do we enable it? Would changing config.ini's [logging] variable 'level' to DEBUG enable the xmlrpc logging to the file listed by the 'filename' variable? -- rouilj |
|||
msg7067 | Author: [hidden] (schlatterbeck) | Date: 2021-02-05 18:03 | |
On Fri, Feb 05, 2021 at 04:45:07PM +0000, John Rouillard wrote: > > John Rouillard added the comment: > > How are you accessing the xmlrpc endpoint? Are you using the /xmlrpc > endpoint with the normal roundup tracker url, or are you using the > separate xmlrpc server? > > Ralf any idea here? I don't remember any fixes to the xmlrpc stuff > post 1.5.0. Only feature additions. It looks like the xmlrpc module > does include logging. How do we enable it? Would changing config.ini's > [logging] variable 'level' to DEBUG enable the xmlrpc logging to the > file listed by the 'filename' variable? No I'm currently out of ideas. On first glance it looks like the user accessing the tracker via xmlrpc is not authorized so that the request is performed as anonymous. But this is just a hunch. Ralf -- Dr. Ralf Schlatterbeck Tel: +43/2243/26465-16 Open Source Consulting www: www.runtux.com Reichergasse 131, A-3411 Weidling email: office@runtux.com |
|||
msg7068 | Author: [hidden] (rouilj) | Date: 2021-02-06 22:57 | |
Zafati, can you try adding the User role to the admin user and see if that works? I assume if you log into the web interface as the admin user, you can see the usernames? |
|||
msg7075 | Author: [hidden] (rouilj) | Date: 2021-02-11 23:01 | |
Zafati any update on this? |
|||
msg7096 | Author: [hidden] (rouilj) | Date: 2021-03-12 04:46 | |
Zafati is this still a problem? I'll close it in a week assuming it's solved if we don't hear from you. |
|||
msg7122 | Author: [hidden] (rouilj) | Date: 2021-03-18 01:16 | |
Closing as abandoned. No feedback from user for over a month. |
History | |||
---|---|---|---|
Date | User | Action | Args |
2021-03-18 01:16:32 | rouilj | set | status: open -> closed resolution: abandoned messages: + msg7122 |
2021-03-12 04:46:47 | rouilj | set | messages: + msg7096 |
2021-02-11 23:01:23 | rouilj | set | messages: + msg7075 |
2021-02-06 22:57:19 | rouilj | set | messages: + msg7068 |
2021-02-05 18:03:34 | schlatterbeck | set | messages: + msg7067 |
2021-02-05 16:45:07 | rouilj | set | status: new -> open messages: + msg7066 |
2021-02-03 03:51:24 | rouilj | set | nosy: + rouilj |
2021-02-02 10:19:40 | zafati | set | messages: + msg7058 |
2021-02-02 10:05:31 | schlatterbeck | set | nosy:
+ schlatterbeck messages: + msg7057 |
2021-02-02 09:37:59 | zafati | create |