On Fri, Nov 26 I wrote:
Is it possible to configure reviewboard so that:
Accounts can be created by anyone
Those accounts cannot create reviews or post comments until they have been
manually added to the appropriate Permission Group?
I'm setting up a system to be used by the Second Life Viewer open source
project, and would prefer not to have to create accounts for people by hand,
but would like to have some control over who can add content.
On 2010-11-26 15:06, Christian Hammond wrote:
The default registration method is to allow anyone to register a new
account. However, it's not moderated, as you know. That's something
that could be accomplished by unsetting the 'active' flag on the User
entry in the database, which an auth backend could certainly do. So,
short term, if you wanted you could probably just create a new Django
auth backend and tell Review Board to use it. I'm working on
documentation on how to create these and use them, and have some plans
for making it easier to work with them in 1.6.
What you also probably want is some notification on newly registered
users. The auth backend could potentially do this too.
So, if you want to get going fast, that's probably what you should do.
However, one option we could add is to have a new option in
Authentication Settings for "Require approval for new accounts" or
something to that effect. When checked, new accounts would be set
inactive by default, and an e-mail would go out to the admins of the
site (or some other preconfigured address). The admin would then just
need to go into the admin UI and set them active.
Does that sound about what you'd want? You mentioned the permission
groups, but those aren't really used anywhere but the admin UI (with
the exception of a couple special permissions for allowing users to
post on behalf of other users, mainly for post-commit hooks).
I've since gotten a bit further with this, and have some feedback on
authentication/permission issues for future versions...
* I had wanted to allow anonymous read-only access to the system,
since I'd like to run the project in as open a way as possible,
but the fact that the RESTful APIs are all open when anonymous
access is allowed made me decide not to do that - try:
(it dumps the user database, including email addresses)
Which apparently leaves me with allowing anyone to create an account
and then shutting them out manually if they post inappropriately (I
have not been able to get Christians suggestion to start with the
Active flag false to deploy... see earlier mail). I expect this to
Ideally, I'd like to be able to configure things so that
* Anonymous users can browse reviews
* Anyone can create an account
* I can create permissions groups:
o Contributors - can post and comment on reviews (see below)
o Committers - can also change status and edit reviews
(this one I have now)
* Even if I could allow anonymous access, I'd only want it to be
allowed for actual people; at a previous project, I ran an open
instance of Fisheye/Crucible, and the search engine spiders really
ran up our bandwidth and cpu usage by crawling links. In my new
reviewboard installation, I've added a robots.txt file to
discourage them (worked well last time). I'm not sure why one
would need anything more than an all-or-nothing choice here, but
it would be good to automate this one way or the other.
* Since we're using the Standard Registration system, and I don't
want credentials to be visible on the wire, I configured the
entire site (except /robots.txt) to require SSL. This was pretty
easy to do, including a redirect for any http URL to its https
equivalent. It would be nice if rb-site had an option to require
this (if there's interest, I may be able to work on this as a
contribution at some point).
A note on why I need permission control for Contributors... our project,
like many others, has a Contribution Agreement that developers must
agree to in order for us to accept code. It provides some mutual patent
protections, and assigns a shared copyright, which can be very useful if
the project ever needs to modify its license terms (we recently switched
site (codereview.secondlife.com) include an agreement that anything
posted there counts as a Contribution under that agreement, so I'd like
to be able to verify that a given account has an agreement on file
statement and posts something but has not signed the agreement, I am in
a grey area I'd rather not be in).
Want to help the Review Board project? Donate today at
Happy user? Let us know at http://www.reviewboard.org/users/
To unsubscribe from this group, send email to
For more options, visit this group at