Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 1913 by Settings information available to staff without siteconfig permission

Based on this email...

... I'm filing a bug.

In the recommended changes from the above email, I changed templates/admin/base_site.html to wrap the settings link with {% if user.is_superuser %}.

Upon exploring the permissions in Django, it looks like it should be possible to use the more surgical, and always correct:

{% if perms.whatever_permission_name %} that corresponds to siteconfig change_siteconfiguration - I couldn't figure out the name of the permission.

Likewise, in, this sort of change:
def site_settings(request, form_class, template_name):
    if request.user.is_superuser:
        return djblets_site_settings(request, form_class, template_name, {
            'root_path': settings.SITE_ROOT + "admin/db/"
        })
    else:
        err_resp = HttpResponse("Permission denied.", status=401)
        return err_resp

... but again, specifically checking for the named permission.

That will get me back to using an unpatched version of reviewboard.

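The named-permission check the report asks for, as an added example that is not part of the original report or of Review Board's code. It assumes Django's default permission naming with app label "siteconfig" and model "SiteConfiguration"; StubUser, StubRequest, require_perm and the view body are hypothetical stand-ins so the sketch runs without Django.

```python
from dataclasses import dataclass

def perm_name(app_label, model_name, action="change"):
    """Django's default naming: '<app_label>.<action>_<lowercased model name>'."""
    return f"{app_label}.{action}_{model_name.lower()}"

# Assumption: app label "siteconfig" and model "SiteConfiguration", as the issue implies.
SITECONFIG_PERM = perm_name("siteconfig", "SiteConfiguration")

@dataclass
class StubUser:
    """Constructed stand-in for the parts of Django's User used below."""
    username: str
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False
    perms: frozenset = frozenset()

    def has_perm(self, perm):
        # Same outcome as Django's default backend: inactive users hold nothing,
        # active superusers pass every check, everyone else needs the grant.
        return self.is_active and (self.is_superuser or perm in self.perms)

@dataclass
class StubRequest:
    user: StubUser

def require_perm(perm):
    """Run the view only when request.user holds `perm`; otherwise answer 403."""
    def decorator(view):
        def wrapped(request, *args, **kwargs):
            if not request.user.has_perm(perm):
                return (403, "Permission denied.")
            return view(request, *args, **kwargs)
        return wrapped
    return decorator

@require_perm(SITECONFIG_PERM)
def site_settings(request):
    return (200, "settings form")  # hypothetical body standing in for the real view

def demo():
    """Status code per constructed user."""
    users = [
        StubUser("root", is_staff=True, is_superuser=True),
        StubUser("configadmin", is_staff=True, perms=frozenset({SITECONFIG_PERM})),
        StubUser("staffonly", is_staff=True),
    ]
    return {u.username: site_settings(StubRequest(u))[0] for u in users}
```

Under the same naming assumption, the template-side check would be written {% if perms.siteconfig.change_siteconfiguration %}.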