Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 1913 by ericjohn...@alumni.brown.edu: Settings information available to staff without siteconfig permission
http://code.google.com/p/reviewboard/issues/detail?id=1913

Based on this email...

http://groups.google.com/group/reviewboard/msg/dd80c6cb3b4c7ccc

... I'm filing a bug.

In the recommended changes from the above email, I changed templates/admin/base_site.html to wrap the settings link with {% if user.is_superuser %}.

Upon exploring the permissions in Django, it looks like it should be possible to use the more surgical, and always correct:

{% if perms.whatever_permission_name %} that corresponds to siteconfig change_siteconfiguration - I couldn't figure out the name of the permission.

Likewise, in views.py, this sort of change:
from django.conf import settings
from django.http import HttpResponse
from djblets.siteconfig.views import site_settings as djblets_site_settings


def site_settings(request, form_class,
                  template_name="siteconfig/settings.html"):
    # Only superusers reach the djblets settings view; anyone else is
    # turned away with a "Permission denied." response.
    if request.user.is_superuser:
        return djblets_site_settings(request, form_class, template_name, {
            'root_path': settings.SITE_ROOT + "admin/db/"
        })
    else:
        err_resp = HttpResponse("Permission denied.", status=401)
        return err_resp

... but again, specifically checking for the named permission.

That will get me back to using an unpatched version of reviewboard.
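The permission-based variant the report asks for, as an added example that is not part of the issue, of Review Board, or of djblets: Django names a model's default change permission `<app_label>.change_<modelname>`, so the permission for djblets' SiteConfiguration model is assumed here to be `siteconfig.change_siteconfiguration`. The `User`, `Request` and `Response` classes are constructed stand-ins for the Django objects (with `has_perm()` following Django's contract that an active superuser holds every permission), and `permission_required` mirrors the shape of Django's `django.contrib.auth.decorators.permission_required(perm, raise_exception=True)`. The denied response is 403 rather than the report's 401, since the user is authenticated but not authorized.

```python
from dataclasses import dataclass, field
from functools import wraps

# Assumed permission string: Django's default "<app_label>.change_<modelname>"
# for the SiteConfiguration model in djblets' "siteconfig" app.
SITECONFIG_CHANGE_PERM = "siteconfig.change_siteconfiguration"


@dataclass
class User:
    """Constructed stand-in for django.contrib.auth.models.User: only the
    attributes the check uses, with has_perm() following Django's rule that
    an active superuser implicitly has every permission."""
    username: str
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False
    perms: set = field(default_factory=set)

    def has_perm(self, perm):
        if self.is_active and self.is_superuser:
            return True
        return self.is_active and perm in self.perms


@dataclass
class Request:
    """Constructed stand-in for the Django request; only .user is needed."""
    user: User


@dataclass
class Response:
    """Constructed stand-in for django.http.HttpResponse."""
    body: str
    status: int = 200


def permission_required(perm):
    """Decorator: refuse with 403 unless request.user holds `perm`.

    Checking the named permission instead of is_superuser lets an admin grant
    settings access to a specific account, and keeps is_staff users who lack
    the permission out of the page."""
    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            if not request.user.has_perm(perm):
                return Response("Permission denied.", status=403)
            return view(request, *args, **kwargs)
        return wrapped
    return decorator


@permission_required(SITECONFIG_CHANGE_PERM)
def site_settings(request):
    # Stand-in for the real view body (the call into djblets_site_settings).
    return Response("settings form for %s" % request.user.username)


def shows_settings_link(user):
    """Same test the template would make with
    {% if perms.siteconfig.change_siteconfiguration %}: Django's `perms`
    context object resolves to user.has_perm() for that string."""
    return user.has_perm(SITECONFIG_CHANGE_PERM)


def demo():
    """Three constructed accounts: a superuser, a staff user without the
    permission (the case the issue is about), and a staff user granted it.
    Returns {username: (view status, link visible)}."""
    admin = User("admin", is_staff=True, is_superuser=True)
    staff = User("staff", is_staff=True)
    grantee = User("ops", is_staff=True, perms={SITECONFIG_CHANGE_PERM})
    return {
        u.username: (site_settings(Request(u)).status, shows_settings_link(u))
        for u in (admin, staff, grantee)
    }


if __name__ == "__main__":
    for name, (status, link) in demo().items():
        print("%-6s view=%d link=%s" % (name, status, link))
```

Both the view and the template consult the same permission string, so the menu link and the page it points to can no longer disagree about who may see the settings, which is the gap the report describes.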

