def check_refs(self): """ Check if all class objects are referenced by some other object. """ referenced = {} for clsname, prop in linkclass_iter(self.db, self.classname): cls = db.getclass(clsname) for id in cls.getnodeids(): items = cls.get(id, prop) if isinstance(cls.properties[prop], Multilink): for k in items: referenced[int(k)] = True else: referenced[int(items)] = True destroy_list = [] for id in self.nodeids(): if id not in referenced: if self.opt.no_journalcheck: print >> sys.stderr, "%s%s not referenced" \ % (self.classname, id) else: jresult, jmsg = self.check_journal(id) if not jresult or self.opt.verbose: print >> sys.stderr, "%s%s not referenced: %s" \ % (self.classname, id, jmsg) if self.opt.update and not jresult: destroy_list.append(str(id)) if destroy_list: sql = 'delete from %s__journal where nodeid in (%s)' \ % (self.classname, ','.join (self.db.arg for x in destroy_list)) self.db.sql(sql, destroy_list) for id in destroy_list: print id self.cls.destroy(id)
def init(db): global _ _ = get_translation \ (db.config.TRACKER_LANGUAGE, db.config.TRACKER_HOME).gettext # certain checks of linking/unlinking of files and messages for x in 'msg', 'file': for cl, prop in linkclass_iter(db, x): if cl not in classprops: classprops[cl] = [prop] klass = db.getclass(cl) klass.audit("create", check_linking) klass.audit("create", check_unlinking) klass.audit("set", check_linking) klass.audit("set", check_unlinking) else: classprops[cl].append(prop)
def security(db, **kw): roles = \ [ ("Readonly-User" , "User with less access") ] classes = \ [ ("area", ["Readonly-User"], []) , ("doc_issue_status", ["Readonly-User"], []) , ("keyword", ["Readonly-User"], []) , ("kind", ["Readonly-User"], []) , ("msg_keyword", ["Readonly-User"], []) , ("severity", ["Readonly-User"], []) , ("status", ["Readonly-User"], []) , ("status_transition", ["Readonly-User"], []) , ("ext_tracker_state", ["Readonly-User"], []) , ("safety_level", ["Readonly-User"], []) , ("test_level", ["Readonly-User"], []) ] if 'fault_frequency' in db.classes: classes.append \ (("fault_frequency", ["Readonly-User"], [])) if 'kpm' in db.classes: classes.append \ (("kpm", ["Readonly-User"], [])) if 'kpm_function' in db.classes: classes.append \ (("kpm_function", ["Readonly-User"], [])) if 'kpm_hw_variant' in db.classes: classes.append \ (("kpm_hw_variant", ["Readonly-User"], [])) if 'kpm_occurrence' in db.classes: classes.append \ (("kpm_occurrence", ["Readonly-User"], [])) if 'kpm_release' in db.classes: classes.append \ (("kpm_release", ["Readonly-User"], [])) if 'kpm_tag' in db.classes: classes.append \ (("kpm_tag", ["Readonly-User"], [])) if 'ext_tracker_type' in db.classes: classes.append \ (("ext_tracker_type", ["Readonly-User"], [])) prop_perms = \ [ ( "user", "View", ["Readonly-User"] , ("username", "nickname", "status") ) , ( "category", "View", ["Readonly-User"] , ("name", "id") ) , ( "user_status", "View", ["Readonly-User"] , ("name", ) ) ] linkperms = \ [ ("file", ["Readonly-User"], ['View'], linkclass_iter (db, "file")) , ("msg", ["Readonly-User"], ['View'], linkclass_iter (db, "msg")) ] schemadef.register_roles(db, roles) schemadef.register_class_permissions(db, classes, prop_perms) core.register_linkperms(db, linkperms) # don't allow Readonly-User for some issue attributes exceptions = dict.fromkeys \ (('external_company', 'confidential')) issue_props = [ p for p in db.issue.getprops().iterkeys() if p not in exceptions ] if 'external_users' in db.issue.properties: def ro_user_access(db, userid, itemid): """ Read-only users are allowed to view issue if they are on the list of allowed external users or there is a transitive permission via containers. """ issue = db.issue.getnode(itemid) while True: if issue.external_users and userid in issue.external_users: return True if not issue.part_of: break issue = db.issue.getnode(issue.part_of) return False # end def ext_user_access p = db.security.addPermission \ ( name = 'View' , klass = 'issue' , check = ro_user_access , description = schemadef.security_doc_from_docstring (ro_user_access.__doc__) , properties = issue_props ) db.security.addPermissionToRole('Readonly-User', p) p = db.security.addPermission \ ( name = 'Edit' , klass = 'user' , check = schemadef.own_user_record , description = "Users are allowed to edit some of their details" , properties = ("timezone", "csv_delimiter", "hide_message_files") ) db.security.addPermissionToRole('Readonly-User', p) p = db.security.addPermission \ ( name = 'View' , klass = 'user' , check = schemadef.own_user_record , description = "Users are allowed to view some of their details" , properties = ( "username", "realname", "firstname", "lastname" , "creation", "creator", "activity", "actor" ) ) db.security.addPermissionToRole('Readonly-User', p) p = db.security.getPermission('Search', 'file') db.security.addPermissionToRole('Readonly-User', p) p = db.security.getPermission('View', 'file', check=core.view_file) db.security.addPermissionToRole('Readonly-User', p) p = db.security.getPermission('Search', 'issue') db.security.addPermissionToRole('Readonly-User', p) # need search permission on username + id if we want to search for # user Link/Multilink properties on issue (e.g. responsible, nosy, ..) p = db.security.addPermission \ ( name = 'Search' , klass = 'user' , properties = ("username", "nickname", "id") ) db.security.addPermissionToRole('Readonly-User', p) # Need search-permission on ext_tracker_state p = db.security.addPermission \ ( name = 'Search' , klass = 'ext_tracker_state' , properties = ("issue", "id") ) db.security.addPermissionToRole('Readonly-User', p) p = db.security.getPermission('View', 'ext_tracker') db.security.addPermissionToRole('Readonly-User', p) p = db.security.getPermission('Search', 'msg') db.security.addPermissionToRole('Readonly-User', p) db.security.addPermissionToRole('Readonly-User', 'Web Access') db.security.addPermissionToRole('Readonly-User', 'Email Access')
def security(db, **kw): roles = \ [ ("External" , "External user with less access") ] classes = \ [ ("area", ["External"], []) , ("doc_issue_status", ["External"], []) , ("keyword", ["External"], []) , ("kind", ["External"], []) , ("msg_keyword", ["External"], []) , ("severity", ["External"], []) , ("status", ["External"], []) , ("status_transition", ["External"], []) , ("ext_tracker_state", ["External"], []) , ("safety_level", ["External"], []) , ("test_level", ["External"], []) ] if 'fault_frequency' in db.classes: classes.append \ (("fault_frequency", ["External"], [])) if 'kpm' in db.classes: classes.append \ (("kpm", ["External"], ["External"])) if 'kpm_function' in db.classes: classes.append \ (("kpm_function", ["External"], [])) if 'kpm_hw_variant' in db.classes: classes.append \ (("kpm_hw_variant", ["External"], [])) if 'kpm_occurrence' in db.classes: classes.append \ (("kpm_occurrence", ["External"], [])) if 'kpm_release' in db.classes: classes.append \ (("kpm_release", ["External"], [])) if 'kpm_tag' in db.classes: classes.append \ (("kpm_tag", ["External"], [])) if 'ext_tracker_type' in db.classes: classes.append \ (("ext_tracker_type", ["External"], [])) prop_perms = \ [ ( "user", "View", ["External"] , ("username", "nickname", "status") ) , ( "category", "View", ["External"] , ("name", "id") ) , ( "user_status", "View", ["External"] , ("name", ) ) ] linkperms = \ [ ("file", ["External"], ['View'], linkclass_iter (db, "file")) , ("msg", ["External"], ['View'], linkclass_iter (db, "msg")) ] schemadef.register_roles(db, roles) schemadef.register_class_permissions(db, classes, prop_perms) core.register_linkperms(db, linkperms) # don't allow external_company or External for some issue attributes exceptions = dict.fromkeys \ (('external_company', 'confidential', 'external_users', 'inherit_ext')) issue_props = [ p for p in db.issue.getprops().iterkeys() if p not in exceptions ] if 'external_company' in db.issue.properties: def ext_company_access(db, userid, itemid): """ Users are allowed to access issue if their external company has access """ ec = db.user.get(userid, 'external_company') ecs = db.issue.get(itemid, 'external_company') return ecs and ec in ecs # end def ext_company_access for perm in ('View', 'Edit'): p = db.security.addPermission \ ( name = perm , klass = 'issue' , check = ext_company_access , description = schemadef.security_doc_from_docstring (ext_company_access.__doc__) , properties = issue_props ) db.security.addPermissionToRole('External', p) if 'external_users' in db.issue.properties: issue_props.append('external_users') def ext_user_access(db, userid, itemid): """ External users are allowed to access issue if they are on the list of allowed external users or there is a transitive permission via containers. """ issue = db.issue.getnode(itemid) while True: if issue.external_users and userid in issue.external_users: return True if not issue.part_of: break # check parent permissions for non-container or if the # container defines inherit_ext if issue.composed_of and not issue.inherit_ext: break issue = db.issue.getnode(issue.part_of) return False # end def ext_user_access for perm in ('View', 'Edit'): p = db.security.addPermission \ ( name = perm , klass = 'issue' , check = ext_user_access , description = schemadef.security_doc_from_docstring (ext_user_access.__doc__) , properties = issue_props ) db.security.addPermissionToRole('External', p) # Currently *never* allow any rights from being on nosy list if False: def is_on_nosy(db, userid, itemid): "User is allowed to access issue if on nosy list" item = db.issue.getnode(itemid) return userid in item.nosy # end def is_on_nosy for perm in ('View', 'Edit'): p = db.security.addPermission \ ( name = perm , klass = 'issue' , check = is_on_nosy , description = schemadef.security_doc_from_docstring (is_on_nosy.__doc__) , properties = issue_props ) db.security.addPermissionToRole('External', p) p = db.security.addPermission \ ( name = 'Edit' , klass = 'user' , check = schemadef.own_user_record , description = "Users are allowed to edit some of their details" , properties = ( "password", "timezone", "csv_delimiter" , "hide_message_files" ) ) db.security.addPermissionToRole('External', p) p = db.security.addPermission \ ( name = 'View' , klass = 'user' , check = schemadef.own_user_record , description = "Users are allowed to view some of their details" , properties = ( "username", "realname", "firstname", "lastname" , "creation", "creator", "activity", "actor" ) ) db.security.addPermissionToRole('External', p) p = db.security.getPermission('Create', 'file') db.security.addPermissionToRole('External', p) p = db.security.getPermission('Search', 'file') db.security.addPermissionToRole('External', p) p = db.security.getPermission('View', 'file', check=core.view_file) db.security.addPermissionToRole('External', p) p = db.security.getPermission('Create', 'issue') db.security.addPermissionToRole('External', p) p = db.security.getPermission('Search', 'issue') db.security.addPermissionToRole('External', p) # need search permission on username + id if we want to search for # user Link/Multilink properties on issue (e.g. responsible, nosy, ..) p = db.security.addPermission \ ( name = 'Search' , klass = 'user' , properties = ("username", "nickname", "id") ) db.security.addPermissionToRole('External', p) # Need search-permission on ext_tracker_state p = db.security.addPermission \ ( name = 'Search' , klass = 'ext_tracker_state' , properties = ("issue", "id") ) db.security.addPermissionToRole('External', p) p = db.security.getPermission('View', 'ext_tracker') db.security.addPermissionToRole('External', p) p = db.security.getPermission('Create', 'msg') db.security.addPermissionToRole('External', p) p = db.security.getPermission('Search', 'msg') db.security.addPermissionToRole('External', p) p = db.security.getPermission('Create', 'query') db.security.addPermissionToRole('External', p) p = db.security.getPermission('Edit', 'query', check=core.edit_query) db.security.addPermissionToRole('External', p) p = db.security.getPermission('Retire', 'query', check=core.edit_query) db.security.addPermissionToRole('External', p) p = db.security.getPermission('Search', 'query') db.security.addPermissionToRole('External', p) p = db.security.getPermission('View', 'query', check=core.view_query) db.security.addPermissionToRole('External', p) db.security.addPermissionToRole('External', 'Web Access') db.security.addPermissionToRole('External', 'Email Access')
def security (db, ** kw) : """ See the configuration and customisation document for information about security setup. Assign the access and edit Permissions for issue, file and message to regular users now """ # Will have special handling for queries, see below # classname allowed to view / edit classes = \ [ ("user_status", ["User"], []) , ("query", [], []) ] linkperms = \ [ ("file", ['User'], ['View', 'Edit'], linkclass_iter (db, "file")) , ("file", ['IT'], ['View', 'Edit'], linkclass_iter (db, "file")) , ("msg", ['User'], ['View'], linkclass_iter (db, "msg")) , ("msg", ['Issue_Admin', 'IT'], ['Edit'], linkclass_iter (db, "msg")) ] schemadef.register_class_permissions (db, classes, []) # Allow creation of file and msg for normal users: db.security.addPermissionToRole ('User', 'Create', 'file') db.security.addPermissionToRole ('User', 'Create', 'msg') def view_msg(db, userid, itemid): return userid == db.msg.get(itemid, 'creator') # end def view_msg p = db.security.addPermission \ ( name = 'View' , klass = 'msg' , check = view_msg , description = "User is allowed to view their own messages" ) db.security.addPermissionToRole('User', p) p = db.security.addPermission \ ( name = 'Search' , klass = 'msg' , description = "User is allowed to search for their own messages" ) db.security.addPermissionToRole('User', p) p = db.security.addPermission \ ( name = 'View' , klass = 'file' , check = view_file , description = "User is allowed to view their own files" ) db.security.addPermissionToRole('User', p) register_linkperms (db, linkperms) p = db.security.addPermission \ ( name = 'Search' , klass = 'file' , description = "User is allowed to search for their own files" ) db.security.addPermissionToRole('User', p) ### Query permissions ### p = db.security.addPermission \ ( name = 'Search' , klass = 'query' , description = "User is allowed to search for their queries" ) db.security.addPermissionToRole('User', p) p = db.security.addPermission \ ( name = 'View' , klass = 'query' , check = view_query , description = schemadef.security_doc_from_docstring (view_query.__doc__) ) db.security.addPermissionToRole('User', p) p = db.security.addPermission \ ( name = 'Edit' , klass = 'query' , check = edit_query , description = "User is allowed to edit their queries" ) db.security.addPermissionToRole('User', p) p = db.security.addPermission \ ( name = 'Retire' , klass = 'query' , check = edit_query , description = "User is allowed to retire their queries" ) db.security.addPermissionToRole('User', p) p = db.security.addPermission \ ( name = 'Create' , klass = 'query' , description = "User is allowed to create queries" ) db.security.addPermissionToRole('User', p) # and give the regular users access to the web and email interface db.security.addPermissionToRole ('User', 'Web Access') db.security.addPermissionToRole ('User', 'Email Access') db.security.addPermissionToRole ('User', 'Rest Access') db.security.addPermissionToRole ('User', 'Xmlrpc Access')