Status: New
Owner:
Labels: Type-Defect Priority-Medium
New issue 1913 by ericjohn...@alumni.brown.edu: Settings information
available to staff without siteconfig permission
http://code.google.com/p/reviewboard/issues/detail?id=1913
Based on this email...
http://groups.google.com/group/reviewboard/msg/dd80c6cb3b4c7ccc
... I'm filing a bug.
In the recommended changes from the above email, I changed
templates/admin/base_site.html to wrap the settings link with
{% if user.is_superuser %}.
Upon exploring the permissions in Django, it looks like it should be
possible to use the more surgical, and always correct:
{% if perms.whatever_permission_name %} that corresponds to siteconfig
change_siteconfiguration - I couldn't figure out the name of the permission.
Likewise, in views.py, this sort of change:
    def site_settings(request, form_class,
                      template_name="siteconfig/settings.html"):
        if request.user.is_superuser:
            return djblets_site_settings(request, form_class, template_name, {
                'root_path': settings.SITE_ROOT + "admin/db/"
            })
        else:
            err_resp = HttpResponse("Permission denied.", status=401)
            return err_resp
... but again, specifically checking for the named permission.
That will get me back to using an unpatched version of reviewboard.
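The three access checks discussed in this issue (staff-only, is_superuser, named permission) compared side by side, as an added example that is not part of the original report or of Review Board's code. The User class is a constructed stand-in for Django's user model, and the permission string siteconfig.change_siteconfiguration is an assumption derived from Django's app_label.action_modelname naming convention.

```python
from dataclasses import dataclass, field

# Assumed permission string: Django names model permissions
# "<app_label>.<action>_<modelname>"; the app label "siteconfig" is an assumption.
SITECONFIG_PERM = "siteconfig.change_siteconfiguration"


@dataclass
class User:
    """Minimal stand-in for Django's User (constructed for this example)."""
    name: str
    is_staff: bool = False
    is_superuser: bool = False
    perms: set = field(default_factory=set)

    def has_perm(self, perm):
        # Like Django, a superuser implicitly holds every permission.
        return self.is_superuser or perm in self.perms


def gate_staff_only(user):
    """Behaviour reported in the issue: any staff account reaches settings."""
    return 200 if user.is_staff else 403


def gate_superuser(user):
    """The reporter's interim patch: superusers only."""
    return 200 if user.is_superuser else 403


def gate_named_perm(user):
    """Check the specific permission; staff status alone is not enough."""
    return 200 if user.is_staff and user.has_perm(SITECONFIG_PERM) else 403


# Constructed sample accounts.
USERS = [
    User("plain_staff", is_staff=True),
    User("config_staff", is_staff=True, perms={SITECONFIG_PERM}),
    User("root", is_staff=True, is_superuser=True),
    User("reviewer"),
]


def access_matrix():
    """Return {user: (staff_only, superuser, named_perm)} status codes."""
    return {u.name: (gate_staff_only(u), gate_superuser(u), gate_named_perm(u))
            for u in USERS}
```

The config_staff row is the case that separates the two fixes: the is_superuser check denies an account that was explicitly granted the siteconfig permission, while the named check admits it and still denies plain_staff.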