Re: [Mailman-Developers] [ Query ] Some bugs in postorius that needs to be addressed
The above bugs have been discussed in detail with Bhavesh Goyal with involvement of Terri. I think fixing https://code.launchpad.net/~bhavesh-goyal093/postorius/fixed-nav-role-identification would work ! On Mon, Apr 13, 2015 at 7:05 PM, Ankush Sharma ankush.sharma.ec...@iitbhu.ac.in wrote: Sorry for the typo `good` is not required in the first line. On Mon, Apr 13, 2015 at 7:01 PM, Ankush Sharma ankush.sharma.ec...@iitbhu.ac.in wrote: Hello everyone, I have found a good some bugs in postorius. Needs your review before fixing them. *1.* The *list_moderator* is not able to access the list of held messages as visiting at base-url/postorius/lists/list-id*/held_messages *gives a *403 *i.e *Forbidden* Status code because it is simply not allowed to access it. I have discussed the cause and fix for this issue here https://bugs.launchpad.net/postorius/+bug/1443433 . I am assuming the *list_owner* to be a *list_moderator* in my fix as indicated by http://bazaar.launchpad.net/~mailman-coders/postorius/trunk/view/head:/src/postorius/auth/decorators.py#L88 *2. *At http://bazaar.launchpad.net/~mailman-coders/postorius/trunk/view/head:/src/postorius/templates/postorius/menu/list_nav.html#L18 ; why a *list_moderator *is allowed to view the `*Mass Subscribe`* link on the list navigation bar ? Though clicking it will give a *403* again as he has not permission for it. I think it should be *list_owner. * *3. *The *list_navigation menu *containing the links to Info, Settings, Mass Subscribe, Delete etc. options for a list are only visible to the *super_user. *Though, a *list_owner *should be able to see these for his *owned lists *and similarly a *list_moderator *should be able to see the *held messages *option in his navigation menu. This can be fixed by replacing the line: http://bazaar.launchpad.net/~mailman-coders/postorius/trunk/view/head:/src/postorius/templates/postorius/lists/summary.html#L10 by % if user.is_superuser or user.is_list_owner or user.is_moderator %} As we have a second level permission check before rendering the respective options implemented in the file : http://bazaar.launchpad.net/~mailman-coders/postorius/trunk/view/head:/src/postorius/templates/postorius/menu/list_nav.html http://bazaar.launchpad.net/~mailman-coders/postorius/trunk/view/head:/src/postorius/templates/postorius/menu/list_nav.html#L18 . Doing this will cause proper person to see the options that he is allowed to do in his navigation menu. More on this here : https://bugs.launchpad.net/postorius/+bug/1443400 Thanks, Ankush Sharma IIT-BHU,Varanasi India github.com/black-perl ___ Mailman-Developers mailing list Mailman-Developers@python.org https://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://wiki.list.org/x/QIA9
Re: [Mailman-Developers] [ Query ] Some bugs in postorius that needs to be addressed
Sorry for the typo `good` is not required in the first line. On Mon, Apr 13, 2015 at 7:01 PM, Ankush Sharma ankush.sharma.ec...@iitbhu.ac.in wrote: Hello everyone, I have found a good some bugs in postorius. Needs your review before fixing them. *1.* The *list_moderator* is not able to access the list of held messages as visiting at base-url/postorius/lists/list-id*/held_messages *gives a *403 *i.e *Forbidden* Status code because it is simply not allowed to access it. I have discussed the cause and fix for this issue here https://bugs.launchpad.net/postorius/+bug/1443433 . I am assuming the *list_owner* to be a *list_moderator* in my fix as indicated by http://bazaar.launchpad.net/~mailman-coders/postorius/trunk/view/head:/src/postorius/auth/decorators.py#L88 *2. *At http://bazaar.launchpad.net/~mailman-coders/postorius/trunk/view/head:/src/postorius/templates/postorius/menu/list_nav.html#L18 ; why a *list_moderator *is allowed to view the `*Mass Subscribe`* link on the list navigation bar ? Though clicking it will give a *403* again as he has not permission for it. I think it should be *list_owner. * *3. *The *list_navigation menu *containing the links to Info, Settings, Mass Subscribe, Delete etc. options for a list are only visible to the *super_user. *Though, a *list_owner *should be able to see these for his *owned lists *and similarly a *list_moderator *should be able to see the *held messages *option in his navigation menu. This can be fixed by replacing the line: http://bazaar.launchpad.net/~mailman-coders/postorius/trunk/view/head:/src/postorius/templates/postorius/lists/summary.html#L10 by % if user.is_superuser or user.is_list_owner or user.is_moderator %} As we have a second level permission check before rendering the respective options implemented in the file : http://bazaar.launchpad.net/~mailman-coders/postorius/trunk/view/head:/src/postorius/templates/postorius/menu/list_nav.html http://bazaar.launchpad.net/~mailman-coders/postorius/trunk/view/head:/src/postorius/templates/postorius/menu/list_nav.html#L18 . Doing this will cause proper person to see the options that he is allowed to do in his navigation menu. More on this here : https://bugs.launchpad.net/postorius/+bug/1443400 Thanks, Ankush Sharma IIT-BHU,Varanasi India github.com/black-perl ___ Mailman-Developers mailing list Mailman-Developers@python.org https://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://wiki.list.org/x/QIA9
[Mailman-Developers] [ Query ] Some bugs in postorius that needs to be addressed
Hello everyone, I have found a good some bugs in postorius. Needs your review before fixing them. *1.* The *list_moderator* is not able to access the list of held messages as visiting at base-url/postorius/lists/list-id*/held_messages *gives a *403 *i.e *Forbidden* Status code because it is simply not allowed to access it. I have discussed the cause and fix for this issue here https://bugs.launchpad.net/postorius/+bug/1443433 . I am assuming the *list_owner* to be a *list_moderator* in my fix as indicated by http://bazaar.launchpad.net/~mailman-coders/postorius/trunk/view/head:/src/postorius/auth/decorators.py#L88 *2. *At http://bazaar.launchpad.net/~mailman-coders/postorius/trunk/view/head:/src/postorius/templates/postorius/menu/list_nav.html#L18 ; why a *list_moderator *is allowed to view the `*Mass Subscribe`* link on the list navigation bar ? Though clicking it will give a *403* again as he has not permission for it. I think it should be *list_owner. * *3. *The *list_navigation menu *containing the links to Info, Settings, Mass Subscribe, Delete etc. options for a list are only visible to the *super_user. *Though, a *list_owner *should be able to see these for his *owned lists *and similarly a *list_moderator *should be able to see the *held messages *option in his navigation menu. This can be fixed by replacing the line: http://bazaar.launchpad.net/~mailman-coders/postorius/trunk/view/head:/src/postorius/templates/postorius/lists/summary.html#L10 by % if user.is_superuser or user.is_list_owner or user.is_moderator %} As we have a second level permission check before rendering the respective options implemented in the file : http://bazaar.launchpad.net/~mailman-coders/postorius/trunk/view/head:/src/postorius/templates/postorius/menu/list_nav.html http://bazaar.launchpad.net/~mailman-coders/postorius/trunk/view/head:/src/postorius/templates/postorius/menu/list_nav.html#L18 . Doing this will cause proper person to see the options that he is allowed to do in his navigation menu. More on this here : https://bugs.launchpad.net/postorius/+bug/1443400 Thanks, Ankush Sharma IIT-BHU,Varanasi India github.com/black-perl ___ Mailman-Developers mailing list Mailman-Developers@python.org https://mail.python.org/mailman/listinfo/mailman-developers Mailman FAQ: http://wiki.list.org/x/AgA3 Searchable Archives: http://www.mail-archive.com/mailman-developers%40python.org/ Unsubscribe: https://mail.python.org/mailman/options/mailman-developers/archive%40jab.org Security Policy: http://wiki.list.org/x/QIA9
