Roundup Tracker - Issues

Message7056

Author zafati
Recipients zafati
Date 2021-02-02.09:37:58
Message-id <1612258679.96.0.0753593509866.issue2551111@roundup.psfhosted.org>
In-reply-to
I am unable to list users and display their properties through xmlrpc remote access. I am getting the following error using the admin user (even when I use a default tracker):

xmlrpclib.Fault: <Fault 1: "<class 'roundup.exceptions.Unauthorised'>:Permission to view username of user1 denied">

My current roundup is configured with the mod_python handler. The security permissions in schema.py look like:


db.security.addPermissionToRole('User', 'View', 'user')

# Users should be able to edit their own details -- this permission is
# limited to only the situation where the Viewed or Edited item is their own.
def own_record(db, userid, itemid):
    '''Determine whether the userid matches the item being accessed.'''
    return userid == itemid
p = db.security.addPermission(name='View', klass='user', check=own_record,
    description="User is allowed to view their own user details")
db.security.addPermissionToRole('User', p)
p = db.security.addPermission(name='Edit', klass='user', check=own_record,
    properties=('username', 'password', 'address', 'realname', 'phone',
        'organisation', 'alternate_addresses', 'queries', 'timezone'),
    description="User is allowed to edit their own user details")
db.security.addPermissionToRole('User', p)

# Users should be able to edit and view their own queries. They should also
# be able to view any marked as not private. They should not be able to
# edit others' queries, even if they're not private
def view_query(db, userid, itemid):
    private_for = db.query.get(itemid, 'private_for')
    if not private_for: return True
    return userid == private_for
def edit_query(db, userid, itemid):
    return userid == db.query.get(itemid, 'creator')
p = db.security.addPermission(name='View', klass='query', check=view_query,
    description="User is allowed to view their own and public queries")
db.security.addPermissionToRole('User', p)
p = db.security.addPermission(name='Search', klass='query')
db.security.addPermissionToRole('User', p)
p = db.security.addPermission(name='Edit', klass='query', check=edit_query,
    description="User is allowed to edit their queries")
db.security.addPermissionToRole('User', p)
p = db.security.addPermission(name='Retire', klass='query', check=edit_query,
    description="User is allowed to retire their queries")
db.security.addPermissionToRole('User', p)
p = db.security.addPermission(name='Create', klass='query',
    description="User is allowed to create queries")
db.security.addPermissionToRole('User', p)
History
Date User Action Args
2021-02-02 09:38:00 zafati set recipients: + zafati
2021-02-02 09:37:59 zafati set messageid: <1612258679.96.0.0753593509866.issue2551111@roundup.psfhosted.org>
2021-02-02 09:37:59 zafati link issue2551111 messages
2021-02-02 09:37:58 zafati create