Posted to dev@allura.apache.org by Tim Van Steenburgh <tv...@gmail.com> on 2013/07/17 17:55:15 UTC

Documenting Tool Permissions

I'm working on https://sourceforge.net/p/allura/tickets/5517/ . In documenting permissions, I'm finding places where things are not working as probably intended.

Consider the "save_searches", "configure", and "admin" permissions in the Tracker tool:
"save_searches" protects the individual methods on the BinController, but...
...user will not actually see the "Edit Searches" button in the sidebar unless he has the "configure" permission; however...
even with the "configure" permission, user will get a 403 when clicking on the "Edit Searches" button unless he also has the "admin" permission, b/c the BinController is mounted on the TrackerAdminController

I have two proposals:

1. Remove the "save_searches" permission and include "Edit Searches" in the "configure" permission
2. Move the BinController off the TrackerAdminController and onto the Tracker RootController

Anyone have thoughts on this, or objections?


-- 
Tim Van Steenburgh


Re: Documenting Tool Permissions

Posted by Chris Tsai <ct...@slashdotmedia.com>.
I actually took a stab at trying to document permissions a while ago, and ran into similar findings. The doc-in-progress I have is here: https://sourceforge.net/p/forge/community-docs/Project%20Permissions/

And here's the ticket I submitted based on the similar inconsistencies I ran into: https://sourceforge.net/p/allura/tickets/6084/ 

-- 
Chris Tsai
SourceForge.net Support


On Wednesday, July 17, 2013 at 2:22 PM, Tim Van Steenburgh wrote:

> 
> 
> On Wednesday, July 17, 2013 at 11:55 AM, Tim Van Steenburgh wrote:
> 
> > I'm working on https://sourceforge.net/p/allura/tickets/5517/ . In documenting permissions, I'm finding places where things are not working as probably intended.
> > 
> > Consider the "save_searches", "configure", and "admin" permissions in the Tracker tool:
> > "save_searches" protects the individual methods on the BinController, but...
> > ...user will not actually see the "Edit Searches" button in the sidebar unless he has the "configure" permission; however...
> > even with the "configure" permission, user will get a 403 when clicking on the "Edit Searches" button unless he also has the "admin" permission, b/c the BinController is mounted on the TrackerAdminController
> > 
> 
> 
> After more digging I've discovered that this particular problem is system-wide. There are many controller methods on Application admin controllers that purport to be protected by the "configure" permission, yet are unreachable by a user with the bare "configure" permission, because the ProjectAdminController through which the request is dispatched requires a blanket "admin" permission.
> 
> I don't have a solution to propose for this yet, but will report back when I do. Would be glad to hear ideas from others in the meantime.
> > I have two proposals:
> > 
> > Remove the "save_searches" permission and include "Edit Searches" in the "configure" permission
> > Move the BinController off the TrackerAdminController and onto the Tracker RootController
> > 
> > Anyone have thoughts on this, or objections?
> > 
> > 
> > -- 
> > Tim Van Steenburgh
> > 
> 
> 
> 



Re: Documenting Tool Permissions

Posted by Tim Van Steenburgh <tv...@gmail.com>.

On Wednesday, July 17, 2013 at 11:55 AM, Tim Van Steenburgh wrote:

> I'm working on https://sourceforge.net/p/allura/tickets/5517/ . In documenting permissions, I'm finding places where things are not working as probably intended.
> 
> Consider the "save_searches", "configure", and "admin" permissions in the Tracker tool:
> "save_searches" protects the individual methods on the BinController, but...
> ...user will not actually see the "Edit Searches" button in the sidebar unless he has the "configure" permission; however...
> even with the "configure" permission, user will get a 403 when clicking on the "Edit Searches" button unless he also has the "admin" permission, b/c the BinController is mounted on the TrackerAdminController
> 
> 
> 
> 

After more digging I've discovered that this particular problem is system-wide. There are many controller methods on Application admin controllers that purport to be protected by the "configure" permission, yet are unreachable by a user with the bare "configure" permission, because the ProjectAdminController through which the request is dispatched requires a blanket "admin" permission.

I don't have a solution to propose for this yet, but will report back when I do. Would be glad to hear ideas from others in the meantime.
> I have two proposals:
> 
> Remove the "save_searches" permission and include "Edit Searches" in the "configure" permission
> Move the BinController off the TrackerAdminController and onto the Tracker RootController
> 
> Anyone have thoughts on this, or objections?
> 
> 
> -- 
> Tim Van Steenburgh
> 
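As an added illustration (this is not Allura's code and not part of the thread), the following Python model reproduces the dispatch behaviour described in the original post and in the follow-up above: a blanket permission check on a parent controller (TrackerAdminController, and more generally ProjectAdminController, requiring "admin") runs before the child controller's own, finer check, so an action declared to need only "save_searches" or "configure" is unreachable without "admin". The `Controller`, `User`, `build_tracker`, `save_search` and `shadowed_actions` names are assumptions made for the example, as is treating permissions as independent strings with no implication between them; the sidebar rule that hides the "Edit Searches" button without "configure" is not modelled. The audit helper walks the controller tree and lists every action whose declared permission is not sufficient on its own along its dispatch path, which is the check one would want when documenting tool permissions.

```python
from typing import Callable, Dict, Iterator, List, Optional, Tuple


class Forbidden(Exception):
    """Stands in for the HTTP 403 response the thread describes."""


class User:
    """Hypothetical user: a name plus a flat set of permission strings."""

    def __init__(self, name: str, perms: frozenset):
        self.name = name
        self.perms = perms


def require(user: User, perm: str) -> None:
    # Assumption: permissions are independent; "admin" does not imply "configure".
    if perm not in user.perms:
        raise Forbidden(f"{user.name} lacks '{perm}'")


class Controller:
    """Simplified node in a TurboGears-style controller tree (hypothetical model).

    `required_perm` is a blanket check applied to every request dispatched
    through this node, which is how the thread describes the admin controllers.
    """

    def __init__(self, required_perm: Optional[str] = None):
        self.required_perm = required_perm
        self.children: Dict[str, "Controller"] = {}
        self.actions: Dict[str, Tuple[str, Callable[[], str]]] = {}

    def mount(self, name: str, child: "Controller") -> "Controller":
        self.children[name] = child
        return child

    def expose(self, name: str, perm: str, fn: Callable[[], str]) -> None:
        # Each action declares the single permission it believes protects it.
        self.actions[name] = (perm, fn)

    def dispatch(self, user: User, path: List[str]) -> str:
        if self.required_perm:            # blanket check on the way through
            require(user, self.required_perm)
        head, rest = path[0], path[1:]
        if head in self.actions and not rest:
            perm, fn = self.actions[head]  # the action's own, finer check
            require(user, perm)
            return fn()
        return self.children[head].dispatch(user, rest)


def build_tracker(bin_under_admin: bool) -> Controller:
    """Constructed Tracker tree: BinController under the admin controller, or under root."""
    root = Controller()                                             # TrackerRootController
    admin = root.mount("admin", Controller(required_perm="admin"))  # TrackerAdminController
    bins = Controller()                                             # BinController
    bins.expose("save", "save_searches", lambda: "search saved")
    (admin if bin_under_admin else root).mount("bins", bins)
    return root


def save_search(user: User, bin_under_admin: bool) -> str:
    """Outcome of the 'Edit Searches' save action: 'ok' or '403'."""
    root = build_tracker(bin_under_admin)
    path = ["admin", "bins", "save"] if bin_under_admin else ["bins", "save"]
    try:
        root.dispatch(user, path)
        return "ok"
    except Forbidden:
        return "403"


def effective_permissions(ctrl: Controller, prefix: Tuple[str, ...] = (),
                          inherited: Tuple[str, ...] = ()) -> Iterator[Tuple[str, str, Tuple[str, ...]]]:
    """Yield (path, declared_perm, every permission checked along the path)."""
    if ctrl.required_perm:
        inherited = inherited + (ctrl.required_perm,)
    for name, (perm, _fn) in ctrl.actions.items():
        yield "/".join(prefix + (name,)), perm, inherited + (perm,)
    for name, child in ctrl.children.items():
        yield from effective_permissions(child, prefix + (name,), inherited)


def shadowed_actions(root: Controller) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Actions whose declared permission is not sufficient on its own."""
    return [(path, declared, needed)
            for path, declared, needed in effective_permissions(root)
            if len(needed) > 1]


if __name__ == "__main__":
    configure_only = User("configure-only", frozenset({"configure", "save_searches"}))
    print("mounted under admin:", save_search(configure_only, True))    # 403
    print("mounted under root: ", save_search(configure_only, False))   # ok
    print("shadowed:", shadowed_actions(build_tracker(True)))
```

Running `shadowed_actions` against the tree mounted under the admin controller reports `admin/bins/save` as needing both "admin" and "save_searches", which is exactly the mismatch between declared and effective permission that the thread is documenting; moving the BinController under the root controller (the second proposal) empties that list.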


Re: Documenting Tool Permissions

Posted by Dave Brondsema <db...@slashdotmedia.com>.
Sounds reasonable.  I don't remember exactly what "configure" gives access
for across all tools.  If it's fairly standard (e.g. accessing the admin
options for tools) then perhaps we'd want to keep it as that (although I
don't know what the difference between admin & configure would be then),
and keep save_searches as a separate perm since it's not an admin option
page.


On Wed, Jul 17, 2013 at 11:55 AM, Tim Van Steenburgh <
tvansteenburgh@gmail.com> wrote:

> I'm working on https://sourceforge.net/p/allura/tickets/5517/ . In
> documenting permissions, I'm finding places where things are not working as
> probably intended.
>
> Consider the "save_searches", "configure", and "admin" permissions in the
> Tracker tool:
> "save_searches" protects the individual methods on the BinController,
> but...
> ...user will not actually see the "Edit Searches" button in the sidebar
> unless he has the "configure" permission; however...
> even with the "configure" permission, user will get a 403 when clicking on
> the "Edit Searches" button unless he also has the "admin" permission, b/c
> the BinController is mounted on the TrackerAdminController
>
> I have two proposals:
>
> Remove the "save_searches" permission and include "Edit Searches" in the
> "configure" permission
> Move the BinController off the TrackerAdminController and onto the Tracker
> RootController
>
> Anyone have thoughts on this, or objections?
>
>
> --
> Tim Van Steenburgh
>
>


-- 
Dave Brondsema
Principal Software Engineer - sourceforge.net
Dice Holdings, Inc.