On Fri, Nov 26 I wrote:

Is it possible to configure reviewboard so that:

Accounts can be created by anyone
Those accounts cannot create reviews or post comments until they have been
manually added to the appropriate Permission Group?

I'm setting up a system to be used by the Second Life Viewer open source
project, and would prefer not to have to create accounts for people by hand,
but would like to have some control over who can add content.
On 2010-11-26 15:06, Christian Hammond wrote:
The default registration method is to allow anyone to register a new
account. However, it's not moderated, as you know. That's something
that could be accomplished by unsetting the 'active' flag on the User
entry in the database, which an auth backend could certainly do. So,
short term, if you wanted you could probably just create a new Django
auth backend and tell Review Board to use it. I'm working on
documentation on how to create these and use them, and have some plans
for making it easier to work with them in 1.6.

What you also probably want is some notification on newly registered
users. The auth backend could potentially do this too.

So, if you want to get going fast, that's probably what you should do.
However, one option we could add is to have a new option in
Authentication Settings for "Require approval for new accounts" or
something to that effect. When checked, new accounts would be set
inactive by default, and an e-mail would go out to the admins of the
site (or some other preconfigured address). The admin would then just
need to go into the admin UI and set them active.

Does that sound about what you'd want? You mentioned the permission
groups, but those aren't really used anywhere but the admin UI (with
the exception of a couple special permissions for allowing users to
post on behalf of other users, mainly for post-commit hooks).

I've since gotten a bit further with this, and have some feedback on authentication/permission issues for future versions...

   * I had wanted to allow anonymous read-only access to the system,
     since I'd like to run the project in as open a way as possible,
     but the fact that the RESTful APIs are all open when anonymous
     access is allowed made me decide not to do that - try:

       curl  http://reviews.reviewboard.org/api/users/

   (it dumps the user database, including email addresses)

   Which apparently leaves me with allowing anyone to create an account
   and then shutting them out manually if they post inappropriately (I
   have not been able to get Christians suggestion to start with the
   Active flag false to deploy... see earlier mail).  I expect this to
   cause problems...

   Ideally, I'd like to be able to configure things so that

       * Anonymous users can browse reviews
       * Anyone can create an account
       * I can create permissions groups:
             o Contributors - can post and comment on reviews (see below)
             o Committers - can also change status and edit reviews
               (this one I have now)

   * Even if I could allow anonymous access, I'd only want it to be
     allowed for actual people; at a previous project, I ran an open
     instance of Fisheye/Crucible, and the search engine spiders really
     ran up our bandwidth and cpu usage by crawling links.   In my new
     reviewboard installation, I've added a robots.txt file to
     discourage them (worked well last time).  I'm not sure why one
     would need anything more than an all-or-nothing choice here, but
     it would be good to automate this one way or the other.

   * Since we're using the Standard Registration system, and I don't
     want credentials to be visible on the wire, I configured the
     entire site (except /robots.txt) to require SSL.  This was pretty
     easy to do, including a redirect for any http URL to its https
     equivalent.  It would be nice if rb-site had an option to require
     this (if there's interest, I may be able to work on this as a
     contribution at some point).

A note on why I need permission control for Contributors... our project, like many others, has a Contribution Agreement that developers must agree to in order for us to accept code. It provides some mutual patent protections, and assigns a shared copyright, which can be very useful if the project ever needs to modify its license terms (we recently switched from GPL to LGPL for most things). The terms of use for our reviewboard site (codereview.secondlife.com) include an agreement that anything posted there counts as a Contribution under that agreement, so I'd like to be able to verify that a given account has an agreement on file before allowing them write access (if someone ignores the terms of use statement and posts something but has not signed the agreement, I am in a grey area I'd rather not be in).

Want to help the Review Board project? Donate today at 
Happy user? Let us know at http://www.reviewboard.org/users/
To unsubscribe from this group, send email to 
For more options, visit this group at 

Reply via email to