This is not a question - I'm just adding information to this thread as I 
continue to work on this in case it's useful down the road.

Quick summary - 

*  All of my 1.7.6 production servers using MySQL databases dragged along 
from the 1.1 days are exhibiting the problem where a user can close other 
user's reviews.

* My 1.6 sandbox / dev server using a sqlite DB was not showing that 
behavior.

* Today I upgraded the 1.6 sandbox server to 1.7.6 and it is NOT exhibiting 
the broken behavior.

Since all of my 1.7 production servers were installed from scratch on clean 
CentOS boxes, I have to work from here under the assumption that there's 
something either in my databases or in my custom authentication module 
that's causing this.  The custom auth module seems unlikely as it just 
checks the user name against our ldap server and also checks for certain 
group memberships, so I'm going to experiment with a clean database to see 
if I can reproduce the problem.

If I learn anything new, I'll post it.

--Steve



On Saturday, June 15, 2013 4:00:54 PM UTC-7, Christian Hammond wrote:
>
> Hi Steve, 
>
> I really don't know then. It must either be some weird bug in that 
> install, or something funky and custom going on. Certainly, the behavior of 
> not showing Close/Update is correct. 
>
> I'm curious if Close/Update even works on the old install. 
>
> Christian 
>
> --  
> Christian Hammond - chi...@chipx86.com <javascript:> 
> Review Board - http://www.reviewboard.org 
> Beanbag, Inc. - http://www.beanbaginc.com 
>
> On June 14, 2013 at 3:19:29 PM, Steve (seide...@gmail.com <javascript:>) 
> wrote: 
>
> Thanks for the example - I keep forgetting about rb-site shell.  It's 
> nifty.  Here's what I get: 
>
> # rb-site manage /var/www/reviewboard shell 
> Python 2.6.6 (r266:84292, Sep 11 2012, 08:34:23)  
> [GCC 4.4.6 20120305 (Red Hat 4.4.6-4)] on linux2 
> Type "help", "copyright", "credits" or "license" for more information. 
> (InteractiveConsole) 
> >>> from django.contrib.auth.models import User 
> >>> u = User.objects.get(username="xxxx") 
> >>> u.is_superuser 
> False 
> >>> u.is_staff 
> False 
> >>> u.has_perm('reviewrequest.can_change_status') 
> False 
> >>> u.has_perm('reviewrequest.can_edit_reviewrequest') 
> False 
> >>>  
>
>
> On Friday, June 14, 2013 2:56:26 PM UTC-7, Christian Hammond wrote: 
> It's auth_user_user_permissions, which will map user IDs to IDs in 
> auth_permissions. 
>
> Alternatively, you can do: 
>
>     $ rb-site manage /path/to/site shell 
>     >>> from django.contrib.auth.models import User 
>     >>> u = User.objects.get(username='youruser') 
>     >>> u.is_superuser 
>     >>> u.is_staff 
>     >>> u.has_perm('reviewrequest.can_change_status') 
>     >>> u.has_perm('reviewrequest.can_edit_reviewrequest') 
>
> (I believe those are the permission names.) 
>
> Christian 
>
> --  
> Christian Hammond - chi...@chipx86.com 
> Review Board - http://www.reviewboard.org 
> Beanbag, Inc. - http://www.beanbaginc.com 
>
> On Jun 14, 2013, at 2:36 PM, Steve <seide...@gmail.com> wrote: 
>
> I just went to a friend's desk and verified he sees the 'Close' button on 
> other people's reviews.  Here are his user settings in the DB: 
>
>           id: 7 
>     username: xxxxxx 
>   first_name: xxxxxx 
>    last_name: xxxxxx 
>        email: xxxxx 
>     password: xxxxx 
>     is_staff: 0 
>    is_active: 1 
> is_superuser: 0 
>   last_login: 2013-05-15 06:59:15 
>  date_joined: 2008-07-25 09:25:54 
>
>
> What table would I look in to see if he has specific "Can Edit/Can Close 
> privileges"? 
>
> The only custom code we have on our servers is a customized ldap 
> authenticator. 
>
> Thanks! 
>
> --Steve 
>
>
> On Friday, June 14, 2013 2:25:37 PM UTC-7, Christian Hammond wrote: 
> Hi Steve, 
>
> There's no special flag for this. We implemented this functionality 
> pre-1.0 and it has never changed. The only way you ever see Close or Update 
> is when you have superuser privileges or the Can Edit/Can Close privileges. 
> I'm not aware of this ever regressing or changing throughout the history of 
> Review Board. 
>
> Both the UI and the API for handling those commands check these privileges 
> in order to show/allow the operations. There isn't a single point of 
> failure here. 
>
> The only other way that this could be set is if somebody modified the code 
> you're running at some point to hard-code these privileges. 
>
> Christian 
>
> --  
> Christian Hammond - chi...@chipx86.com 
> Review Board - http://www.reviewboard.org 
> Beanbag, Inc. - http://www.beanbaginc.com 
>
> On Jun 14, 2013, at 2:18 PM, Steve <seide...@gmail.com> wrote: 
>
> I do not have staff or superuser set for this account, nor any special mod 
> permissions.  And everyone here also sees the same 'Close' button on other 
> people's reviews.  So, something is configured.  I wonder if there's an old 
> database setting that we've been pulling along since the 1.0.x, 1.5 days 
> that's causing this.  Do you have some ideas on what db tables I can look 
> in for clues? 
>
> --Steve 
>
>
> On Friday, June 14, 2013 2:09:49 PM UTC-7, Christian Hammond wrote: 
> Hi Steve, 
>
> Are you set up as an admin on both servers? Or do you have the Can Close 
> privilege set? 
>
> If so, 1.7.x should behave the same as it did in 1.6.x (and certainly does 
> in our installs). 
>
> Christian 
>
>
> On Jun 14, 2013, at 14:04, Steve <seide...@gmail.com> wrote: 
>
> I'd like to back up and break this down into smaller, simpler questions. 
>
> When I go to my 1.6.9 RB server and browse to another user's review, I see 
> these buttons along the top, right portion of the page: 
>
>         Download Diff    Review    Ship It!    View Diff 
>
> When I go to  both of my 1.7.6 servers and browse to another user's 
> review, I see these buttons along the top, right portion of the page: 
>
>         Close    Update    Download Diff    Review    Ship It!    View 
> Diff 
>
> I only see the 'Close' button in 1.6.9 when I'm viewing my own requests.  
>
> So, is that an intentional change in RB 1.7, or is my site somehow 
> misconfigured? 
>
> Thanks! 
>
> --Steve 
>
>
> --   
> Want to help the Review Board project? Donate today at 
> http://www.reviewboard.org/donate/ 
> Happy user? Let us know at http://www.reviewboard.org/users/ 
> -~----------~----~----~----~------~----~------~--~--- 
> To unsubscribe from this group, send email to 
> reviewboard...@googlegroups.com 
> For more options, visit this group at 
> http://groups.google.com/group/reviewboard?hl=en 
> ---   
> You received this message because you are subscribed to the Google Groups 
> "reviewboard" group. 
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to reviewboard...@googlegroups.com. 
> For more options, visit https://groups.google.com/groups/opt_out. 
>   
>   
>
> --   
> Want to help the Review Board project? Donate today at 
> http://www.reviewboard.org/donate/ 
> Happy user? Let us know at http://www.reviewboard.org/users/ 
> -~----------~----~----~----~------~----~------~--~--- 
> To unsubscribe from this group, send email to 
> reviewboard...@googlegroups.com 
> For more options, visit this group at 
> http://groups.google.com/group/reviewboard?hl=en 
> ---   
> You received this message because you are subscribed to the Google Groups 
> "reviewboard" group. 
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to reviewboard...@googlegroups.com. 
> For more options, visit https://groups.google.com/groups/opt_out. 
>   
>   
>
>
> --   
> Want to help the Review Board project? Donate today at 
> http://www.reviewboard.org/donate/ 
> Happy user? Let us know at http://www.reviewboard.org/users/ 
> -~----------~----~----~----~------~----~------~--~--- 
> To unsubscribe from this group, send email to 
> reviewboard...@googlegroups.com <javascript:> 
> For more options, visit this group at 
> http://groups.google.com/group/reviewboard?hl=en 
> ---   
> You received this message because you are subscribed to the Google Groups 
> "reviewboard" group. 
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to reviewboard...@googlegroups.com <javascript:>. 
> For more options, visit https://groups.google.com/groups/opt_out. 
>

-- 
Want to help the Review Board project? Donate today at 
http://www.reviewboard.org/donate/
Happy user? Let us know at http://www.reviewboard.org/users/
-~----------~----~----~----~------~----~------~--~---
To unsubscribe from this group, send email to 
reviewboard+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/reviewboard?hl=en
--- 
You received this message because you are subscribed to the Google Groups 
"reviewboard" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


Reply via email to