[Tracker-discuss] [issue393] Security policy should be visible on top page of tracker, maybe every page

Stephen Turnbull metatracker at psf.upfronthosting.co.za
Sun Aug 21 09:56:50 CEST 2011

Stephen Turnbull <stephen at xemacs.org> added the comment:

It's possible to do this, although I don't have a patch offhand.  The basic idea is that given in the attached patch, which uses the existing concepts of "assigned to" and "admin role" rather than a separate configurable group.  Probably you can just create a security role and substitute that check for "assigned to".

I don't know if deleting "admin" makes sense or not.  Of course admins can add the security role to themselves anyway, so convenience in dealing with security issues that need to be deleted because they're spam etc is one consideration.  OTOH, "if I don't need to know I don't wanna see it" is another factor.

Note that the patch defaults to privacy (which is appropriate in my situation).  Probably for Python you would want this dependent on the issue type or priority of "security".

I also don't know how secure this really is.  I know it's more secure than the people who are using it, which is good enough for me.<wink/>

PSF Meta Tracker <metatracker at psf.upfronthosting.co.za>
-------------- next part --------------
diff --git a/html/issue.item.html b/html/issue.item.html
index 3a397c2..6e84f26 100644
--- a/html/issue.item.html
+++ b/html/issue.item.html
@@ -81,6 +81,10 @@ python:db.user.classhelp('username,realname,address', property='nosy', width='60
   <span tal:condition="context/is_edit_ok" tal:replace="structure python:db.keyword.classhelp(property='keyword')" />
+ <th i18n:translate="">Public</th>
+ <td tal:content="structure context/ispublic/field">is issue public?</td>
 <tr tal:condition="context/is_edit_ok">
  <th i18n:translate="">Change Note</th>
diff --git a/schema.py b/schema.py
index 9c13df9..4db8c7f 100644
--- a/schema.py
+++ b/schema.py
@@ -75,7 +75,8 @@ issue = IssueClass(db, "issue",
-                status=Link("status"))
+                status=Link("status")
+                ispublic=Boolean())
@@ -90,9 +91,32 @@ issue = IssueClass(db, "issue",
 db.security.addPermissionToRole('User', 'Web Access')
 db.security.addPermissionToRole('User', 'Email Access')
+# Users should be able to edit and view their assigned issues. They
+# should also be able to view any marked as public. They should not
+# be able to edit others' issues, even if they're public.
+def view_issue(db, userid, itemid):
+    # ispublic checking not implemented yet
+    # if not db.issue.get(itemid, 'ispublic'): return True
+    return userid == db.issue.get(itemid, 'assignedto')
+def edit_issue(db, userid, itemid):
+    return userid == db.issue.get(itemid, 'assignedto')
+p = db.security.addPermission(name='View', klass='issue', check=view_issue,
+    description="User is allowed to view their own and public issues")
+db.security.addPermissionToRole('User', p)
+p = db.security.addPermission(name='Edit', klass='issue', check=edit_issue,
+    description="User is allowed to edit their issues")
+db.security.addPermissionToRole('User', p)
+p = db.security.addPermission(name='Retire', klass='issue', check=edit_issue,
+    description="User is allowed to retire their issues")
+db.security.addPermissionToRole('User', p)
+p = db.security.addPermission(name='Create', klass='issue',
+    description="User is allowed to create issues")
+db.security.addPermissionToRole('User', p)
 # Assign the access and edit Permissions for issue, file and message
-# to regular users now
-for cl in 'issue', 'file', 'msg', 'keyword':
+# to regular users now.  These are way too lenient for files and
+# messages, but it's unlikely that students will figure that out.
+for cl in 'file', 'msg', 'keyword':
     db.security.addPermissionToRole('User', 'View', cl)
     db.security.addPermissionToRole('User', 'Edit', cl)
     db.security.addPermissionToRole('User', 'Create', cl)

More information about the Tracker-discuss mailing list