Issue 2551246
Created on 2022-11-30 07:05 by rouilj, last changed 2022-11-30 07:05 by rouilj.
msg7689 | Author: [hidden] (rouilj) | Date: 2022-11-30 07:05
roundup-admin has a -u option that supposedly sets the user. However, it does not
appear to actually apply the permissions schema that is defined.

This isn't a huge problem as it would be for the HTML interface. In order to use
roundup-admin you have to have access to the home directory at the OS level. If you
have that, you have the password to the database in config.ini. So all this bug does
is make using something like:

    sudo -u roundup roundup-admin -u report -i demo

not work as expected. If the report user changes data, the history does log that it
was the report user who did the change.

For example:

    roundup-admin -u anonymous -i demo table user id,username,password

should return the password entry for the anonymous user only.
It returns all passwords.

    roundup-admin -u anonymous display user1

should not display password etc. It returns all the info (password, addresses etc.)

Some commands kind of work. For example:

    roundup-admin -u foo -i demo history user1
    Error: no such class "user"

where the user foo doesn't exist is a bit misleading, but doesn't disclose the
history. Users demo and anonymous display the info (as in the web interface), so
the command is valid.

Also there is no need for a password (username:password) that is compared against
the database. Not sure that a password is of much use since user validation would
be done at the sudo level but there might be a valid use case.

I updated the docs with a warning and added a note to the inline help in admin.py.

Date | User | Action | Args
2022-11-30 07:05:28 | rouilj | create |
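
The gap reported in the message above, as a small self-contained model added here (it is not Roundup's code and not from the issue author): resolving the `-u` user is enough to attribute changes, but nothing is enforced unless every item and property is also checked against a view policy. The user table, the `may_view` policy and all function names are assumptions made for illustration.

```python
# Constructed model of the reported behaviour; none of this is Roundup code.
# Sample users and placeholder password values are constructed.
USERS = {
    "1": {"username": "admin", "password": "hash-admin", "address": "admin@example.org"},
    "2": {"username": "anonymous", "password": "hash-anon", "address": ""},
    "3": {"username": "report", "password": "hash-report", "address": "report@example.org"},
}
PUBLIC_PROPS = {"id", "username"}  # assumed schema: anyone may view these


def lookup(username):
    """Map a -u style username to an item id; unknown users are rejected."""
    for uid, item in USERS.items():
        if item["username"] == username:
            return uid
    raise LookupError("no such user %r" % username)


def may_view(actor_id, item_id, prop):
    """Assumed policy: public properties for all, the rest only on your own item."""
    return prop in PUBLIC_PROPS or actor_id == item_id


def table_unchecked(username, props):
    """Reported behaviour: the user is resolved but the policy is never consulted."""
    lookup(username)
    return [[dict(item, id=uid)[p] for p in props] for uid, item in USERS.items()]


def table_checked(username, props):
    """Expected behaviour: each cell is filtered through the view policy."""
    actor = lookup(username)
    rows = []
    for uid, item in USERS.items():
        full = dict(item, id=uid)
        rows.append([full[p] if may_view(actor, uid, p) else None for p in props])
    return rows


if __name__ == "__main__":
    cols = ["id", "username", "password"]
    print("unchecked:", table_unchecked("anonymous", cols))
    print("checked:  ", table_checked("anonymous", cols))
```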