
Restrict access of users to active issues

Restrict access of users to active issues

Christian Wolf
Hello,

I have a roundup running and I would like to achieve some special
security settings:
- There are two main groups of users: User and SuperUser.
- Each user can only see/edit/append issues/files/messages for which he
is on the nosy list
- The users in the SuperUser group can access all issues
- Any user in the SuperUser group can raise other users to be SuperUser
and lower them to be normal User

The last wish is optional, here the admin could also work manually. This
will not happen too often.

I think this should be possible but I do not see the necessary
information. For example, in
http://roundup.sourceforge.net/docs/customizing.html#users-may-only-edit-their-issues
there is a similar setup discussed but this does not involve nosy lists.
I did not succeed in finding the correct python code to check if a
user is on a given nosy list.

Unfortunately the docs are not too detailed and mention some information
only without explaining. I do not want to work my way through the code as
I am no native python developer and this would take quite a lot of time.

Can you give me a hint?

Thanks a lot
Christian

_______________________________________________
Roundup-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/roundup-users

Re: Restrict access of users to active issues

Christian Wolf
Hello,

OK, unfortunately I did not get any answers, so I went through the code
a bit and found at least a way to lock me out (as a test case).

What I added to schema.py:


# Role for board members ("Vorstand"): may see and edit all issues
db.security.addRole(name='Vorstand',
                    description='Vorstandsmitglied, kann alle Issues sehen')

db.security.addPermissionToRole('Vorstand', 'Web Access')
db.security.addPermissionToRole('Vorstand', 'Email Access')

# Unconditional View/Edit/Create for Vorstand on every class
for cl in 'issue', 'file', 'msg', 'keyword':
    db.security.addPermissionToRole('Vorstand', 'View', cl)
    db.security.addPermissionToRole('Vorstand', 'Edit', cl)
    db.security.addPermissionToRole('Vorstand', 'Create', cl)

def on_nosy_list(db, userid, itemid):
    ''' Checks if the user is on the nosy list of an issue '''
    return userid in db.issue.get(itemid, 'nosy')

# Normal users: View/Edit on issue only when the check function passes
p = db.security.addPermission(name='View', klass='issue',
                              check=on_nosy_list,
                              description='Can only view issues with nosy attribute')
db.security.addPermissionToRole('User', p)
p = db.security.addPermission(name='Edit', klass='issue',
                              check=on_nosy_list,
                              description='Can only edit issues with nosy attribute')
db.security.addPermissionToRole('User', p)
db.security.addPermissionToRole('User', 'Create', 'issue')


Further I altered the following and removed 'issue' from the for list:


# 'issue' is now covered by the checked permissions above
for cl in 'file', 'msg', 'keyword':
    db.security.addPermissionToRole('User', 'View', cl)
    db.security.addPermissionToRole('User', 'Edit', cl)
    db.security.addPermissionToRole('User', 'Create', cl)


This leads to the desired effect, that a normal User no longer has
access to issues where he is not on the nosy list. Nevertheless there is
a side effect: When looking at the list of open issues, the grouping and
sorting does not work. I cannot set any grouping, neither using the
selection boxes below the search result nor with the detailed search web
interface.

Maybe someone might know if this has to do with my altered issues.

Thanks a lot
Christian

Re: Restrict access of users to active issues

John P. Rouillard
Hello:

In message <[hidden email]>,
Christian Wolf writes:

> [...]
>What I added to schema.py:
>
>
>db.security.addRole(name='Vorstand',description='Vorstandsmitglied, kann
>alle Issues sehen')
>
>db.security.addPermissionToRole('Vorstand', 'Web Access')
>db.security.addPermissionToRole('Vorstand', 'Email Access')
>
>for cl in 'issue', 'file', 'msg', 'keyword':
>    db.security.addPermissionToRole('Vorstand', 'View', cl)
>    db.security.addPermissionToRole('Vorstand', 'Edit', cl)
>    db.security.addPermissionToRole('Vorstand', 'Create', cl)
>
>def on_nosy_list(db,userid,itemid):
>    ''' Checks if the user is on the nosy list of an issue '''
>    return userid in db.issue.get(itemid, 'nosy')
>
>p = db.security.addPermission(name='View', klass='issue',
>check=on_nosy_list, description='Can only view issues with nosy attribute')
>db.security.addPermissionToRole('User',p)
>p = db.security.addPermission(name='Edit', klass='issue',
>check=on_nosy_list, description='Can only edit issues with nosy attribute')
>db.security.addPermissionToRole('User',p)
>db.security.addPermissionToRole('User', 'Create', 'issue')
>
>
>Further I altered the following and removed the issue from the for list:
>
>
>for cl in 'file', 'msg', 'keyword':
>    db.security.addPermissionToRole('User', 'View', cl)
>    db.security.addPermissionToRole('User', 'Edit', cl)
>    db.security.addPermissionToRole('User', 'Create', cl)
>
>
>This leads to the desired effect, that a normal User no longer has
>access to issues where he is not on the nosy list. Nevertheless there is
>a side effect: When looking at the list of open issues, the grouping and
>sorting does not work. I cannot set any grouping, neither using the
>selection boxes below the search result nor with the detailed search web
>interface.


This is a shot in the dark, but

   http://roundup.sourceforge.net/docs/upgrading.html#migrating-from-1-4-x-to-1-4-17

Since you have read permission with a check method, I think you
need to add search permission.

Maybe you need:

  db.security.addPermissionToRole('User', 'Search', cl)

Good luck.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

Re: Restrict access of users to active issues

Christian Wolf
Hello,

On 25.01.2016 at 17:19, John P. Rouillard wrote:

> This is a shot in the dark, but
>
>    http://roundup.sourceforge.net/docs/upgrading.html#migrating-from-1-4-x-to-1-4-17
>
> Since you have read permission with a check method, I think you
> need to add search permission.
>
> Maybe you need:
>
>   db.security.addPermissionToRole('User', 'Search', cl)
>
> Good luck.

That might have helped. I am unsure if everything works as expected. We
will see; for now it looks good. Maybe there will be another situation
that will have to be handled, but for now I will simply let it run.

Thanks a lot
Christian

Re: Restrict access of users to active issues

Ralf Schlatterbeck-3
On Mon, Jan 25, 2016 at 04:20:51PM +0100, Christian Wolf wrote:

>
> Further I altered the following and removed the issue from the for list:
>
>
> for cl in 'file', 'msg', 'keyword':
>     db.security.addPermissionToRole('User', 'View', cl)
>     db.security.addPermissionToRole('User', 'Edit', cl)
>     db.security.addPermissionToRole('User', 'Create', cl)
>
>
> This leads to the desired effect, that a normal User no longer has
> access to issues where he is not on the nosy list. Nevertheless there is
> a side effect: When looking at the list of open issues, the grouping and
> sorting does not work. I cannot set any grouping, neither using the
> selection boxes below the search result nor with the detailed search web
> interface.
>
> Maybe someone might know if this has to do with my altered issues.

Two things here:
- John's "shot in the dark" is ok, you need to add search permissions in
  this case
- you don't restrict access to messages. Since most of the confidential
  info is probably in the messages not in the other info in the issue, a
  user could display

  http://.../msg23

  to see the contents of this message even if (s)he is not on the nosy
  list for the issue.

  You can restrict message (and file) view also with a check method,
  by checking that a user has access to something that links to the
  message. *And* you should restrict linking/unlinking of messages to
  the *creator* of a message, to prevent that someone links a message to
  an issue they have access to, just to see the message.


Code (please forgive the peculiar formatting which is not python pep
conforming, the project I'm copying from uses different coding
guidelines) -- for more of the code see
 http://sourceforge.net/projects/timetracktool/

Note that the following code is very generic -- in the tracker I'm
copying it from we have many classes with messages. So you will probably
have to remove some code and some special cases. We also use more roles
than the standard tracker.


Library, put this in the 'lib' directory in your tracker:

from roundup.hyperdb import Link, Multilink

def linkclass_iter (db, classname) :
    """ For the given classname find all properties in other classes
        that link to that class.
        Yields (classname, propertyname) tuples.
    """
    for clname in sorted (db.getclasses ()) :
        # .items () instead of .iteritems () so this runs on Python 3 too
        for p, v in sorted (db.getclass (clname).properties.items ()) :
            if  (    isinstance (v, (Multilink, Link))
                and v.classname == classname
                ) :
                yield (clname, p)
# end def linkclass_iter


Detectors:

from roundup.exceptions import Reject
from roundup.hyperdb import Link
from roundup.i18n import _

# classname -> properties of that class linking to msg or file; filled by init ()
classprops = {}

# Multilink properties whose linked items the *creator* may unlink. This is
# tracker-specific in the original (timetracktool) and left empty here.
exceptions = {}

def user_has_role (db, uid, * roles) :
    """ Stand-in for common.user_has_role of the timetracktool tracker
        (not part of the mail): the 'roles' property is a comma-separated
        string of role names.
    """
    have = db.user.get (uid, 'roles') or ''
    have = set (r.strip ().lower () for r in have.split (','))
    return bool (have & set (r.lower () for r in roles))
# end def user_has_role

def old_props (cl, prop, nodeid) :
    """ Ids currently linked through prop (empty for a node being created).
        Reconstructed from its use below; the original helper is not in
        the mail.
    """
    if nodeid is None :
        return []
    val = cl.get (nodeid, prop)
    if val is None :
        return []
    return [val] if isinstance (cl.properties [prop], Link) else list (val)
# end def old_props

def new_props (cl, prop, new_values) :
    """ Ids prop will link to after the change (same caveat as old_props) """
    val = new_values.get (prop)
    if val is None :
        return []
    return [val] if isinstance (cl.properties [prop], Link) else list (val)
# end def new_props

def check_linking (db, cl, nodeid, new_values) :
    """ Allow linking to properties only if we created them """
    if db.getuid () == '1' :
        return
    for prop in classprops [cl.classname] :
        if prop not in new_values :
            continue
        old   = dict.fromkeys (old_props (cl, prop, nodeid))
        klass = db.getclass (cl.properties [prop].classname)
        for id in new_props (cl, prop, new_values) :
            if id not in old and klass.get (id, 'creator') != db.getuid () :
                cls  = _ (klass.classname)
                raise Reject \
                    (_ ("You may link only to your own %(cls)s") % locals ())
# end def check_linking

def check_unlinking (db, cl, nodeid, new_values) :
    """ Don't allow unlinking of properties """
    for prop in classprops [cl.classname] :
        if prop not in new_values :
            continue
        # allow admin
        if db.getuid () == '1' :
            continue
        ids = dict.fromkeys (new_props (cl, prop, new_values))
        for id in old_props (cl, prop, nodeid) :
            if id not in ids :
                name  = _ (cl.classname)
                kls   = cl.properties [prop]
                klass = db.getclass (kls.classname)
                cls   = _ (kls.classname)
                # Allow updating user pictures
                if cls == 'File' and name == 'User' :
                    continue
                # Allow Link properties if old linked prop is owned by user
                if  (   isinstance (kls, Link)
                    and klass.get (id, 'creator') == db.getuid ()
                    ) :
                    continue
                # Allow Multilink properties in exceptions if linked
                # prop is owned by user
                if  (   prop in exceptions.get (cl.classname, [])
                    and klass.get (id, 'creator') == db.getuid ()
                    ) :
                    continue
                # Allow IT and admin roles
                if user_has_role (db, db.getuid (), 'it', 'admin') :
                    continue
                raise Reject \
                    (_ ("You may not unlink %(cls)s from %(name)s") % locals ())
# end def check_unlinking



def init (db) :
    # certain checks of linking/unlinking of files and messages
    for x in 'msg', 'file' :
        for cl, prop in linkclass_iter (db, x) :
            if cl not in classprops :
                classprops [cl] = [prop]
                klass = db.getclass (cl)
                klass.audit ("create", check_linking)
                klass.audit ("create", check_unlinking)
                klass.audit ("set",    check_linking)
                klass.audit ("set",    check_unlinking)
            else :
                classprops [cl].append (prop)
# end def init


Access methods:

def register_permission_by_link (db, role, perm, linkclass, * classprops) :
    """ Install permission check methods for a given linkclass (e.g.
        msg, file) linked by other classes (e.g. issue) from a
        Multilink. The parameter classprops is a list of 2-tuple of
        classname and property name.
    """
    if linkclass not in db.classes :
        return
    classprops = [(c, p) for c, p in classprops
                  if c in db.classes and p in db.classes [c].getprops ()
                 ]
    def is_linked (db, uid, itemid) :
        """ Check method: the user may access the msg/file if some item
            linking to it grants the user the same permission.
        """
        if not itemid :
            return False
        for cls, prop in classprops :
            if cls not in db.classes :
                continue
            ids = db.getclass (cls).filter (None, {prop : itemid})
            for id in ids :
                if db.security.hasPermission \
                    (perm, uid, cls, itemid = id, property = prop) :
                    return True
        return False
    # end def is_linked
    p = db.security.addPermission \
        ( name        = perm
        , klass       = linkclass
        , check       = is_linked
        , description = \
            ''"User is allowed %(perm)s on %(linkclass)s"
            " if %(linkclass)s is linked from an item with %(perm)s"
            " permission" % locals ()
        )
    db.security.addPermissionToRole (role, p)
# end def register_permission_by_link

def register_linkperms (db, linkperms) :
    for cls, roles, perms, classprops in linkperms :
        # linkclass_iter returns a generator; materialise it so it can be
        # reused for every (role, perm) combination below
        classprops = list (classprops)
        for role in roles :
            if role.lower () not in db.security.role :
                continue
            for perm in perms :
                register_permission_by_link (db, role, perm, cls, * classprops)
# end def register_linkperms

# In schema.py (with linkclass_iter imported from the lib module above),
# after the roles and the other permissions have been set up:
linkperms = \
    [ ("file", ['User'],      ['View', 'Edit'], linkclass_iter (db, "file"))
    , ("msg",  ['User'],              ['View'], linkclass_iter (db, "msg"))
    , ("msg",  ['Issue_Admin', 'IT'], ['Edit'], linkclass_iter (db, "msg"))
    ]

register_linkperms (db, linkperms)


Ralf
--
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   http://www.runtux.com
Reichergasse 131, A-3411 Weidling       email: [hidden email]
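The two access-control points of this thread, Christian's nosy-list check on issues and Ralf's advice that a message should be viewable only through an issue the user may view (with linking limited to the message's creator), as an added example that is not part of the original mails and not Roundup code: a small in-memory model with constructed issue, message and user ids. `ToyDB`, `Security`, `build`, `can_view` and `linked_from_viewable_issue` are names made up for the illustration; the real `hasPermission` and auditor signatures differ, and the Search permission John points to is not modelled.

```python
"""Toy model of Roundup-style permission checks with per-item check functions.

Constructed example for the mailing-list thread, not Roundup's own code.
Compares Christian's setup (unconditional View on msg) with Ralf's
link-based check, and shows the linking auditor refusing to attach
another user's message. All ids below are made up.
"""


class Reject(Exception):
    """Raised by an auditor to refuse a change (stands in for roundup.exceptions.Reject)."""


class Security:
    """Role -> permission table; a grant may carry a per-item check function."""

    def __init__(self, db):
        self.db = db
        self.grants = {}  # role -> [(perm, klass, check-or-None)]

    def add_permission_to_role(self, role, perm, klass, check=None):
        self.grants.setdefault(role, []).append((perm, klass, check))

    def has_permission(self, perm, uid, klass, itemid):
        """True if a grant for the user's role matches and its check (if any) passes."""
        for p, k, check in self.grants.get(self.db.roles.get(uid), []):
            if p == perm and k == klass and (check is None or check(self.db, uid, itemid)):
                return True
        return False


class ToyDB:
    """In-memory stand-in for a hyperdb with an 'issue' and a 'msg' class."""

    def __init__(self):
        # constructed sample data: issue 1 is confidential (nosy: users 2 and 3)
        self.issue = {
            '1': {'nosy': ['2', '3'], 'messages': ['10']},
            '2': {'nosy': ['2', '4'], 'messages': ['11']},
        }
        self.msg = {
            '10': {'creator': '2', 'content': 'board minutes'},
            '11': {'creator': '4', 'content': 'public bug report'},
            '12': {'creator': '3', 'content': 'unlinked draft'},
        }
        # user id -> single role; enough for the demonstration
        self.roles = {'2': 'User', '3': 'User', '4': 'User', '5': 'Vorstand'}
        self.security = Security(self)


def on_nosy_list(db, uid, itemid):
    """Check function from the thread: the user must be on the issue's nosy list."""
    return uid in db.issue[itemid]['nosy']


def linked_from_viewable_issue(db, uid, msgid):
    """A message is viewable only through an issue the same user may view."""
    return any(msgid in issue['messages']
               and db.security.has_permission('View', uid, 'issue', issueid)
               for issueid, issue in db.issue.items())


def check_linking(db, uid, issueid, new_messages):
    """Auditor for changes to issue.messages: only a message's creator may link it.
    Without it, a message could be attached to an issue the user can see and read there."""
    old = set(db.issue[issueid]['messages'])
    for mid in new_messages:
        if mid not in old and db.msg[mid]['creator'] != uid:
            raise Reject("You may link only to your own msg")
    db.issue[issueid]['messages'] = list(new_messages)


def build(restrict_msgs):
    """restrict_msgs=False reproduces the thread's second mail (unconditional View
    on msg for User); True adds the link-based check Ralf describes."""
    db = ToyDB()
    sec = db.security
    for cl in ('issue', 'msg'):
        sec.add_permission_to_role('Vorstand', 'View', cl)
    sec.add_permission_to_role('User', 'View', 'issue', check=on_nosy_list)
    sec.add_permission_to_role('User', 'View', 'msg',
                               check=linked_from_viewable_issue if restrict_msgs else None)
    return db


def can_view(db, uid, klass, itemid):
    return db.security.has_permission('View', uid, klass, itemid)


if __name__ == '__main__':
    leaky, tight = build(False), build(True)
    print(can_view(leaky, '4', 'issue', '1'))   # False: user 4 is not on the nosy list
    print(can_view(leaky, '4', 'msg', '10'))    # True: msg10 is still readable directly
    print(can_view(tight, '4', 'msg', '10'))    # False: only via a viewable issue
    try:
        check_linking(tight, '4', '2', ['11', '10'])  # attach someone else's message
    except Reject as e:
        print('rejected:', e)
```

The `leaky` database is exactly the situation Ralf describes: the issue itself is hidden from user 4, but nothing stops a direct request for the message. The `tight` variant closes that by making message visibility derive from issue visibility, and the auditor ensures that visibility cannot be widened by linking.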
