Using LDAP auth when anon access is not allowed?

2012-02-07 Thread Oz Linden (Scott Lawrence)
We don't allow anonymous/unauthenticated queries against our LDAP 
service.  Is it possible to set up RB 1.6.3 to use LDAP to authenticate 
users by having it try to bind with the user's credentials?  (or some 
other method I have not thought of?)





--
Want to help the Review Board project? Donate today at 
http://www.reviewboard.org/donate/
Happy user? Let us know at http://www.reviewboard.org/users/
-~--~~~~--~~--~--~---
To unsubscribe from this group, send email to 
reviewboard+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/reviewboard?hl=en


Re: Ordering of repositories?

2011-01-29 Thread Oz Linden (Scott Lawrence)

On 2011-01-29 4:03, Christian Hammond wrote:

Hi Scott,

The ordering is, I believe, based on the name. Changing the name
shouldn't invalidate anything, as we key things based on the
repository's numeric ID.



I changed the name of my least-used repository, and it did correctly 
change the ordering without having any obvious ill effects on new or 
existing issues, so that workaround is apparently viable.




There's nothing for changing the default order. There are feature
requests filed asking to pre-select a default for a user based on what
they used last, which might be nice. I don't know if it'd particularly
solve your problem, at least not for the first-time user, but maybe we
could flag a default. Would that help, or do you still really want to
control a certain order?


I think that it would be nice.  The workaround of putting a prefix on 
the name is going to be awkward for post-review users, because the 
ordering prefix won't be obvious (and might change if the admin decided 
to reorder).


At the moment, post-review isn't very convenient for us to use because 
its mercurial repository selection is cumbersome.  The repo name has to 
match the full url as configured on the server.  Since we have a heavily 
distributed development methodology, it's not at all uncommon for a 
changeset to be based on repo B, which is in turn forked from repo A and 
have it submitted for review against A.  This works just fine if you 
happen to know the full url, and that the copy of the url in the 
reviewboard configuration insists on having a '/' on the end, but as I 
said it's cumbersome.   What I'd like to do is to add a post-review 
argument that specifies the repository name as configured in 
reviewboard, and then have it use the REST API to get the translation of 
that to url (essentially what happens when you post using the web ui - 
you never do need to see or use the url).  So names should be stable and 
predictable.


I'll have to poll my users to see whether they'd prefer the web ui to 
have convenient name ordering, or to have less predictable names for 
post-review...  can live with it for now either way, but not having to 
make the choice would be good.




Re: Using reviewboard post-review with 'hg export' ?

2010-12-30 Thread Oz Linden (Scott Lawrence)

On 2010-12-22 1:07, Christian Hammond wrote:

On Tue, Dec 21, 2010 at 6:18 PM, Oz Linden (Scott Lawrence)
o...@lindenlab.com  wrote:

Yes, a direct REST api that returned the url for a name would certainly be
helpful.

Do you plan to make it possible to require authentication for the REST apis
in 1.6?  I'm currently running my server with anonymous access disabled
because enabling anon access made the REST query apis open.

What parts are you wanting to hide?


I have not done a comprehensive audit of what I can get ... I just noted 
that I could do an anonymous query of all the users including addresses 
and decided this was a bad idea.



I can absolutely see hiding user information (definitely the full
e-mail address, maybe partly the full name) and maybe the group e-mail
address when the user accessing it is anonymous. I don't know that
blocking the entire API is useful, though, if you're allowing
anonymous access to the site anyway.


The general idea is that an anonymous user should not be able to see 
anything through the REST API that they couldn't see on the HTML UI.


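
An added example, not part of the original thread or of Review Board's code: one way to apply the rule stated above, that an anonymous caller sees nothing more through the API than through the HTML UI, by stripping personal fields from a response and then auditing what still leaks. The field names and the sample payload are constructed assumptions.

```python
import copy
import re

# Field names treated as personal data: an assumption for this sketch, based
# on the thread's mention of e-mail addresses, full names and group addresses.
SENSITIVE_KEYS = {"email", "first_name", "last_name", "fullname", "mailing_list"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def redact_for_anonymous(payload, is_authenticated):
    """Return a copy of an API payload, minus sensitive keys for anonymous callers."""
    if is_authenticated:
        return copy.deepcopy(payload)
    if isinstance(payload, dict):
        return {k: redact_for_anonymous(v, False)
                for k, v in payload.items() if k not in SENSITIVE_KEYS}
    if isinstance(payload, list):
        return [redact_for_anonymous(v, False) for v in payload]
    return payload


def find_exposed(payload, path="$"):
    """Return paths of sensitive keys, or of string values containing an e-mail address."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_KEYS:
                hits.append(child)
            else:
                hits.extend(find_exposed(value, child))
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            hits.extend(find_exposed(value, f"{path}[{i}]"))
    elif isinstance(payload, str) and EMAIL_RE.search(payload):
        hits.append(path)
    return hits


# Constructed sample resembling a user-list response (not real data).
SAMPLE = {"stat": "ok", "users": [
    {"id": 1, "username": "alice", "email": "alice@example.com",
     "fullname": "Alice Example"},
    {"id": 2, "username": "bob", "email": "bob@example.com",
     "fullname": "Bob Example", "note": "contact bob@example.com"},
]}
```

On the sample, key-based redaction removes `email` and `fullname`, but the audit still flags the free-text `note` field, which is why the check runs over values as well as keys.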


Re: Using reviewboard post-review with 'hg export' ?

2010-12-21 Thread Oz Linden (Scott Lawrence)

On 2010-12-21 18:18, Christian Hammond wrote:

There's a --repository-url parameter for post-review that can specify
which repository you want to match on the server. It doesn't look like
the Mercurial support in post-review handles this parameter, but it
wouldn't take much to patch that if you wanted to play around with it
and contribute a fix


I actually was thinking that I'd try to do a patch that adds a 
--repository-name parameter to post-review, which could then use the web 
api to translate the name into the url.   This would avoid the problems 
with trailing slashes and scheme differences, and would match the web UI 
where the poster selects a repo name not a URL.





Re: Using reviewboard post-review with 'hg export' ?

2010-12-21 Thread Oz Linden (Scott Lawrence)

On 2010-12-21 20:07, Christian Hammond wrote:

First, there are two APIs today: the old Review Board 1.0 API, and the
new REST one in RB 1.5.

Today, post-review uses the RB 1.0 API only. I have a change pending,
which needs some additional work done first, that will update
post-review to use either API, depending on what version of the server
it's talking to.


That explains much of what was confusing me...


The old API is going away in 1.6.

So if you did have to touch the API for your needs, then what I'd
recommend is to wait for my new change to land in post-review (ideally
within the week or so -- holidays will undoubtedly get in the way) and
then implement the server-side part using the new API.

Certainly, having some method to quickly query by name on the server
will be more scalable than the get_repositories call, as large servers
with many repositories could result in large amounts of data being
downloaded/parsed, and in the case of the new API, multiple requests
to handle the pagination.


Yes, a direct REST api that returned the url for a name would certainly 
be helpful.


Do you plan to make it possible to require authentication for the REST 
apis in 1.6?  I'm currently running my server with anonymous access 
disabled because enabling anon access made the REST query apis open.





Using reviewboard post-review with 'hg export' ?

2010-12-17 Thread Oz Linden (Scott Lawrence)
Our project uses Mercurial, and so there are a couple of things I'd like 
to be able to have contributors post patches generated with 'hg export' 
(either by uploading or even better with post-review) and have rb 
extract the metadata (description at least) from the export output.


Even more important, if they post using export, I'd like to get that 
meta-data back when I download the patch; at present I seem to only get 
the actual diff, which means I can't use 'hg import' to pull in the change.


I'm also having a bit of trouble figuring out what the smoothest way to 
use post-review is... the repository configured in the reviewboard 
server points to our canonical project repo on bitbucket:


   https://bitbucket.org/lindenlab/viewer-development/

but the way that people work is to clone that to other repos either 
locally or on bitbucket, so that url is rarely the one in the hgrc 
'default' or 'default-push' parameter.   Even when it is, post-review 
fails to match it when the trailing slash is missing locally (common).   
I think what I'd really like is that post-review take a repository name 
argument somewhere, and get the url from the web api...




Re: Permission to create and comment on reviews?

2010-11-30 Thread Oz Linden (Scott Lawrence)

On Fri, Nov 26 I wrote:


Is it possible to configure reviewboard so that:

Accounts can be created by anyone
Those accounts cannot create reviews or post comments until they have been
manually added to the appropriate Permission Group?

I'm setting up a system to be used by the Second Life Viewer open source
project, and would prefer not to have to create accounts for people by hand,
but would like to have some control over who can add content.

On 2010-11-26 15:06, Christian Hammond wrote:

The default registration method is to allow anyone to register a new
account. However, it's not moderated, as you know. That's something
that could be accomplished by unsetting the 'active' flag on the User
entry in the database, which an auth backend could certainly do. So,
short term, if you wanted you could probably just create a new Django
auth backend and tell Review Board to use it. I'm working on
documentation on how to create these and use them, and have some plans
for making it easier to work with them in 1.6.

What you also probably want is some notification on newly registered
users. The auth backend could potentially do this too.

So, if you want to get going fast, that's probably what you should do.
However, one option we could add is to have a new option in
Authentication Settings for Require approval for new accounts or
something to that effect. When checked, new accounts would be set
inactive by default, and an e-mail would go out to the admins of the
site (or some other preconfigured address). The admin would then just
need to go into the admin UI and set them active.

Does that sound about what you'd want? You mentioned the permission
groups, but those aren't really used anywhere but the admin UI (with
the exception of a couple special permissions for allowing users to
post on behalf of other users, mainly for post-commit hooks).


I've since gotten a bit further with this, and have some feedback on 
authentication/permission issues for future versions...


   * I had wanted to allow anonymous read-only access to the system,
     since I'd like to run the project in as open a way as possible,
     but the fact that the RESTful APIs are all open when anonymous
     access is allowed made me decide not to do that - try:

         curl http://reviews.reviewboard.org/api/users/

     (it dumps the user database, including email addresses)

     Which apparently leaves me with allowing anyone to create an account
     and then shutting them out manually if they post inappropriately (I
     have not been able to get Christian's suggestion to start with the
     Active flag false to deploy... see earlier mail).  I expect this to
     cause problems...

     Ideally, I'd like to be able to configure things so that

       * Anonymous users can browse reviews
       * Anyone can create an account
       * I can create permissions groups:
           o Contributors - can post and comment on reviews (see below)
           o Committers - can also change status and edit reviews
             (this one I have now)

   * Even if I could allow anonymous access, I'd only want it to be
     allowed for actual people; at a previous project, I ran an open
     instance of Fisheye/Crucible, and the search engine spiders really
     ran up our bandwidth and cpu usage by crawling links.   In my new
     reviewboard installation, I've added a robots.txt file to
     discourage them (worked well last time).  I'm not sure why one
     would need anything more than an all-or-nothing choice here, but
     it would be good to automate this one way or the other.

   * Since we're using the Standard Registration system, and I don't
     want credentials to be visible on the wire, I configured the
     entire site (except /robots.txt) to require SSL.  This was pretty
     easy to do, including a redirect for any http URL to its https
     equivalent.  It would be nice if rb-site had an option to require
     this (if there's interest, I may be able to work on this as a
     contribution at some point).

A note on why I need permission control for Contributors... our project, 
like many others, has a Contribution Agreement that developers must 
agree to in order for us to accept code.  It provides some mutual patent 
protections, and assigns a shared copyright, which can be very useful if 
the project ever needs to modify its license terms (we recently switched 
from GPL to LGPL for most things).  The terms of use for our reviewboard 
site (codereview.secondlife.com) include an agreement that anything 
posted there counts as a Contribution under that agreement, so I'd like 
to be able to verify that a given account has an agreement on file 
before allowing them write access (if someone ignores the terms of use 
statement and posts something but has not signed the agreement, I am in 
a grey area I'd rather not be in).



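
An added example, not from the original message or from rb-site: the HTTPS-only policy described above (every plain-HTTP URL redirected to its https equivalent, `/robots.txt` exempt), written here as WSGI middleware rather than the web-server configuration the message refers to. The host name, class name and helper names are assumptions.

```python
from urllib.parse import quote

# Assumed values for this sketch: the site's canonical host name and the one
# path left reachable over plain HTTP.
CANONICAL_HOST = "codereview.example.org"
HTTP_ALLOWED_PATHS = {"/robots.txt"}


class RequireHTTPS:
    """WSGI middleware: redirect plain-HTTP requests to HTTPS, except exempt paths."""

    def __init__(self, app, host=CANONICAL_HOST):
        self.app = app
        self.host = host

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "") or "/"
        if (environ.get("wsgi.url_scheme") == "https"
                or path in HTTP_ALLOWED_PATHS):
            return self.app(environ, start_response)
        # Build the target from the configured host, not the client-supplied
        # Host header, so the redirect cannot be steered to another site.
        location = "https://" + self.host + quote(
            environ.get("SCRIPT_NAME", "") + path)
        if environ.get("QUERY_STRING"):
            location += "?" + environ["QUERY_STRING"]
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]


def demo_app(environ, start_response):
    """Stand-in for the real application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def run(scheme, path, query=""):
    """Drive the middleware with a constructed environ; return (status, headers)."""
    seen = {}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)

    environ = {"wsgi.url_scheme": scheme, "PATH_INFO": path,
               "QUERY_STRING": query, "HTTP_HOST": "other.example"}
    RequireHTTPS(demo_app)(environ, start_response)
    return seen["status"], seen["headers"]
```

Behind a TLS-terminating proxy `wsgi.url_scheme` reports `http` unless the server passes the original scheme through, and a redirect does not protect credentials already sent in a plain-HTTP POST.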

Re: Permission to create and comment on reviews?

2010-11-27 Thread Oz Linden (Scott Lawrence)

On 2010-11-26 21:41, Christian Hammond wrote:

It should be, yeah. You can modify RegistrationForm in
reviewboard/accounts/forms.py to do it. Off the top of my head, you
could probably add a new save method, like:

    def save(self):
        user = super(RegistrationForm, self).save()

        if user:
            # Django's User model stores this flag as `is_active`.
            user.is_active = False
            user.save()

        return user

Of course, you'll have to patch that for every release. That, or clone
our Git repository and do your own builds from that, keeping this
change in a branch


I wanted to see if it would work to do this, so I added this to

   /usr/lib/python2.6/site-packages/ReviewBoard-1.5.1-py2.6.egg/reviewboard/accounts/forms.py

but even after setting the permissions to allow apache to write the .pyc 
file it does not get updated.  Is there some magic I need to invoke to 
get the source recompiled?  (without that, all users are still starting 
as active)



Re: Permission to create and comment on reviews?

2010-11-27 Thread Oz Linden (Scott Lawrence)

On 2010-11-26 21:41, Christian Hammond wrote:

  I also have a couple of suggestions on how to customize the site.  I've done
  them by hand on mine (which won't be generally visible until I've got SSL
  installed), but I'm pretty sure I can see how to extend the Settings to
  support what I've done in a more general way.  I'll take a stab at it and
  post some patches.

I'd love to hear about them.


Posted untested patches to http://reviews.reviewboard.org/r/1949/
