Roundup Tracker - Issues

Issue 2551246

Implement schema permissions for roundup-admin (possibly password too)
Type: behavior Severity: minor
Components: Command-line interface Versions:
Status: new
: : rouilj
Priority: :

Created on 2022-11-30 07:05 by rouilj, last changed 2022-11-30 07:05 by rouilj.

msg7689 Author: [hidden] (rouilj) Date: 2022-11-30 07:05
roundup-admin has a -u option that supposedly sets the user. However it does not
appear to actually apply the permissions schema that is defined.

This isn't a huge problem as it would be for the html interface. In order to use
roundup-admin you have to have access to the home directory at the OS level. If you
have that you have the password to the database in config.ini. So all this bug does
is make using something like:

   sudo -u roundup roundup-admin -u report -i demo

not work as expected. If the report user changes data, the history does log that it
was the report user who did the change.

For example:

  roundup-admin -u anonymous -i demo table user id,username,password

should return the password entry for the anonymous user only.
It returns all passwords.

  roundup-admin -u anonymous display user1

should not display password etc. It returns all the info (password, addresses etc.)

Some commands kind of work. For example:

  roundup_admin -u foo -i demo history user1
  Error: no such class "user"

where the user foo doesn't exist is a bit misleading, but doesn't disclose the
history. Users demo and anonymous display the info (as in the web interface), so
the command is valid.

Also there is no need for a password (username:password) that is compared against
the database. Not sure that a password is of much use since user validation would
be done at the sudo level but there might be a valid use case.

I updated the docs with a warning and added a note to the inline help in
Date User Action Args
2022-11-30 07:05:28rouiljcreate