Description: Disclosure of user hashed passwords (CVE-2014-6276)
Security fix default user permissions
.
Default user permissions should not include all user attributes. We now
limit this to the username, realname and some further attributes
depending on the schema. Note that we no longer include the email
addresses; depending on your installation you may want to further
restrict this or add some attributes like ``address`` and
``alternate_addresses``.
Origin: backport, http://hg.code.sf.net/p/roundup/code/rev/a403c29ffaf9
Forwarded: not-needed
Author: Ralf Schlatterbeck <rsc@runtux.com>
Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2016-02-06
Applied-Upstream: 1.5.1
--- a/share/roundup/templates/classic/schema.py
+++ b/share/roundup/templates/classic/schema.py
@@ -101,7 +101,10 @@ for cl in 'priority', 'status':
# May users view other user information? Comment these lines out
# if you don't want them to
-db.security.addPermissionToRole('User', 'View', 'user')
+p = db.security.addPermission(name='View', klass='user',
+ properties=('id', 'organisation', 'phone', 'realname', 'timezone',
+ 'username'))
+db.security.addPermissionToRole('User', p)
# Users should be able to edit their own details -- this permission is
# limited to only the situation where the Viewed or Edited item is their own.
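Review bot: The unchanged comment above the new `addPermission` call ("Comment these lines out if you don't want them to") still describes an all-or-nothing toggle, while the new code is a property allowlist, and nothing next to it records that the password property was deliberately left out of `properties=`. An administrator extending that tuple later has no cue in the schema that adding the wrong property reintroduces the disclosure fixed here. I would replace the two context comment lines with `# Other users may view only the properties listed below; the password` / `# property is deliberately excluded (CVE-2014-6276). Extend the tuple` / `# if your site needs more, or comment these lines out to hide users entirely.` The same stale comment is left in the devel and minimal hunks of this patch.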
--- a/share/roundup/templates/devel/schema.py
+++ b/share/roundup/templates/devel/schema.py
@@ -292,8 +292,13 @@ for cl in ('bug_type', 'task_type', 'sev
# May users view other user information? Comment these lines out
# if you don't want them to
-db.security.addPermissionToRole('User', 'View', 'user')
-db.security.addPermissionToRole('Developer', 'View', 'user')
+p = db.security.addPermission(name='View', klass='user',
+ properties=('id', 'organisation', 'phone', 'realname', 'timezone',
+ 'vcs_name', 'username'))
+db.security.addPermissionToRole('User', p)
+db.security.addPermissionToRole('Developer', p)
+
+# Coordinator may also edit users, so they may see everything:
db.security.addPermissionToRole('Coordinator', 'View', 'user')
# Allow Coordinator to edit any user, including their roles.
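Review bot: The Coordinator role keeps the unrestricted `'View'` on `'user'` at the last context line, and by this patch's own description that unrestricted view is what exposes the hashed passwords, so Coordinators presumably still see them. Editing user records does not require reading the password hash, so a second `addPermission(name='View', klass='user', properties=(...))` listing the extra fields Coordinators need, granted in place of the unrestricted one, would close that gap without changing what they can edit. If the broad grant is intentional, the new comment should at least say so: `# Coordinator may also edit users, so they may see every user property,` / `# including the password hash.`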
--- a/share/roundup/templates/minimal/schema.py
+++ b/share/roundup/templates/minimal/schema.py
@@ -30,7 +30,9 @@ db.security.addPermissionToRole('User',
# May users view other user information?
# Comment these lines out if you don't want them to
-db.security.addPermissionToRole('User', 'View', 'user')
+p = db.security.addPermission(name='View', klass='user',
+ properties=('id', 'username'))
+db.security.addPermissionToRole('User', p)
# Users should be able to edit their own details -- this permission is
# limited to only the situation where the Viewed or Edited item is their own.