Roundup Tracker - Issues

Issue 2551111

classification
Title: unable to list users using xml-rpc with mod_python handler
Type: security Severity: normal
Components: API Versions: 1.5
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: rouilj, schlatterbeck, zafati
Priority: Keywords:

Created on 2021-02-02 09:37 by zafati, last changed 2021-02-11 23:01 by rouilj.

Messages
msg7056 Author: [hidden] (zafati) Date: 2021-02-02 09:37
I am unable to  list users and display their properties through xmlrpc remote access. I am getting the following error using admin user (even when i use a default tracker):

xmlrpclib.Fault: <Fault 1: "<class 'roundup.exceptions.Unauthorised'>:Permission to view username of user1 denied">

My current roundup is configured with mod_python handler. The security permissions in schema.py looks like:


db.security.addPermissionToRole('User', 'View', 'user')

# Users should be able to edit their own details -- this permission is
# limited to only the situation where the Viewed or Edited item is their own.
def own_record(db, userid, itemid):
    '''Determine whether the userid matches the item being accessed.'''
    return userid == itemid
p = db.security.addPermission(name='View', klass='user', check=own_record,
    description="User is allowed to view their own user details")
db.security.addPermissionToRole('User', p)
p = db.security.addPermission(name='Edit', klass='user', check=own_record,
    properties=('username', 'password', 'address', 'realname', 'phone',
        'organisation', 'alternate_addresses', 'queries', 'timezone'),
    description="User is allowed to edit their own user details")
db.security.addPermissionToRole('User', p)

# Users should be able to edit and view their own queries. They should also
# be able to view any marked as not private. They should not be able to
# edit others' queries, even if they're not private
def view_query(db, userid, itemid):
    private_for = db.query.get(itemid, 'private_for')
    if not private_for: return True
    return userid == private_for
def edit_query(db, userid, itemid):
    return userid == db.query.get(itemid, 'creator')
p = db.security.addPermission(name='View', klass='query', check=view_query,
    description="User is allowed to view their own and public queries")
db.security.addPermissionToRole('User', p)
p = db.security.addPermission(name='Search', klass='query')
db.security.addPermissionToRole('User', p)
p = db.security.addPermission(name='Edit', klass='query', check=edit_query,
    description="User is allowed to edit their queries")
db.security.addPermissionToRole('User', p)
p = db.security.addPermission(name='Retire', klass='query', check=edit_query,
    description="User is allowed to retire their queries")
db.security.addPermissionToRole('User', p)
p = db.security.addPermission(name='Create', klass='query',
    description="User is allowed to create queries")
db.security.addPermissionToRole('User', p)
msg7057 Author: [hidden] (schlatterbeck) Date: 2021-02-02 10:05
On Tue, Feb 02, 2021 at 09:37:59AM +0000, zafati wrote:
> 
> I am unable to  list users and display their properties through xmlrpc
> remote access. I am getting the following error using admin user (even
> when i use a default tracker):

There is a new XMLRPC permission in the tracker, you'll have to give
this to all roles that should have XMLRPC access.

e.g.

db.security.addPermissionToRole ('User', 'Xmlrpc Access')
db.security.addPermissionToRole ('Admin', 'Xmlrpc Access')

Let us know if you have those.

Ralf
-- 
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   www.runtux.com
Reichergasse 131, A-3411 Weidling       email: office@runtux.com
msg7058 Author: [hidden] (zafati) Date: 2021-02-02 10:19
We are still using roundup 1.5 and this option is not defined in this version.
msg7066 Author: [hidden] (rouilj) Date: 2021-02-05 16:45
How are you accessing the xmlrpc endpoint? Are you using the /xmlrpc 
endpoint with the normal roundup tracker url, or are you using the 
separate xmlrpc server?

Ralf any idea here? I don't remember any fixes to the xmlrpc stuff
post 1.5.0. Only feature additions. It looks like the xmlrpc module
does include logging. How do we enable it? Would changing config.ini's
[logging] variable 'level' to DEBUG enable the xmlrpc logging to the 
file listed by the 'filename' variable?

-- rouilj
msg7067 Author: [hidden] (schlatterbeck) Date: 2021-02-05 18:03
On Fri, Feb 05, 2021 at 04:45:07PM +0000, John Rouillard wrote:
> 
> John Rouillard added the comment:
> 
> How are you accessing the xmlrpc endpoint? Are you using the /xmlrpc 
> endpoint with the normal roundup tracker url, or are you using the 
> separate xmlrpc server?
> 
> Ralf any idea here? I don't remember any fixes to the xmlrpc stuff
> post 1.5.0. Only feature additions. It looks like the xmlrpc module
> does include logging. How do we enable it? Would changing config.ini's
> [logging] variable 'level' to DEBUG enable the xmlrpc logging to the 
> file listed by the 'filename' variable?

No I'm currently out of ideas. On first glance it looks like the user
accessing the tracker via xmlrpc is not authorized so that the request
is performed as anonymous. But this is just a hunch.

Ralf
-- 
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   www.runtux.com
Reichergasse 131, A-3411 Weidling       email: office@runtux.com
msg7068 Author: [hidden] (rouilj) Date: 2021-02-06 22:57
Zafati, can you try adding the User role to the admin user and see if that 
works?

I assume if you log into the web interface as the admin user, you can see 
the usernames?
msg7075 Author: [hidden] (rouilj) Date: 2021-02-11 23:01
Zafati any update on this?
History
Date User Action Args
2021-02-11 23:01:23rouiljsetmessages: + msg7075
2021-02-06 22:57:19rouiljsetmessages: + msg7068
2021-02-05 18:03:34schlatterbecksetmessages: + msg7067
2021-02-05 16:45:07rouiljsetstatus: new -> open
messages: + msg7066
2021-02-03 03:51:24rouiljsetnosy: + rouilj
2021-02-02 10:19:40zafatisetmessages: + msg7058
2021-02-02 10:05:31schlatterbecksetnosy: + schlatterbeck
messages: + msg7057
2021-02-02 09:37:59zafaticreate