Re: Permission to create and comment on reviews?
On Fri, Nov 26 I wrote: Is it possible to configure reviewboard so that: Accounts can be created by anyone Those accounts cannot create reviews or post comments until they have been manually added to the appropriate Permission Group? I'm setting up a system to be used by the Second Life Viewer open source project, and would prefer not to have to create accounts for people by hand, but would like to have some control over who can add content. On 2010-11-26 15:06, Christian Hammond wrote: The default registration method is to allow anyone to register a new account. However, it's not moderated, as you know. That's something that could be accomplished by unsetting the 'active' flag on the User entry in the database, which an auth backend could certainly do. So, short term, if you wanted you could probably just create a new Django auth backend and tell Review Board to use it. I'm working on documentation on how to create these and use them, and have some plans for making it easier to work with them in 1.6. What you also probably want is some notification on newly registered users. The auth backend could potentially do this too. So, if you want to get going fast, that's probably what you should do. However, one option we could add is to have a new option in Authentication Settings for "Require approval for new accounts" or something to that effect. When checked, new accounts would be set inactive by default, and an e-mail would go out to the admins of the site (or some other preconfigured address). The admin would then just need to go into the admin UI and set them active. Does that sound about what you'd want? You mentioned the permission groups, but those aren't really used anywhere but the admin UI (with the exception of a couple special permissions for allowing users to post on behalf of other users, mainly for post-commit hooks). I've since gotten a bit further with this, and have some feedback on authentication/permission issues for future versions... * I had wanted to allow anonymous read-only access to the system, since I'd like to run the project in as open a way as possible, but the fact that the RESTful APIs are all open when anonymous access is allowed made me decide not to do that - try: curl http://reviews.reviewboard.org/api/users/ (it dumps the user database, including email addresses) Which apparently leaves me with allowing anyone to create an account and then shutting them out manually if they post inappropriately (I have not been able to get Christians suggestion to start with the Active flag false to deploy... see earlier mail). I expect this to cause problems... Ideally, I'd like to be able to configure things so that * Anonymous users can browse reviews * Anyone can create an account * I can create permissions groups: o Contributors - can post and comment on reviews (see below) o Committers - can also change status and edit reviews (this one I have now) * Even if I could allow anonymous access, I'd only want it to be allowed for actual people; at a previous project, I ran an open instance of Fisheye/Crucible, and the search engine spiders really ran up our bandwidth and cpu usage by crawling links. In my new reviewboard installation, I've added a robots.txt file to discourage them (worked well last time). I'm not sure why one would need anything more than an all-or-nothing choice here, but it would be good to automate this one way or the other. * Since we're using the Standard Registration system, and I don't want credentials to be visible on the wire, I configured the entire site (except /robots.txt) to require SSL. This was pretty easy to do, including a redirect for any http URL to its https equivalent. It would be nice if rb-site had an option to require this (if there's interest, I may be able to work on this as a contribution at some point). A note on why I need permission control for Contributors... our project, like many others, has a Contribution Agreement that developers must agree to in order for us to accept code. It provides some mutual patent protections, and assigns a shared copyright, which can be very useful if the project ever needs to modify its license terms (we recently switched from GPL to LGPL for most things). The terms of use for our reviewboard site (codereview.secondlife.com) include an agreement that anything posted there counts as a Contribution under that agreement, so I'd like to be able to verify that a given account has an agreement on file before allowing them write access (if someone ignores the terms of use statement and posts something but has not signed the agreement, I am in a grey area I'd rather not be in). -- Want to help the Review Board project? Donate today at http://www.reviewboard.org/donate/ Happy user? Let us know at ht
Re: Permission to create and comment on reviews?
On 2010-11-26 21:41, Christian Hammond wrote: > I also have a couple of suggestions on how to customize the site. I've done > them by hand on mine (which won't be generally visible until I've got SSL > installed), but I'm pretty sure I can see how to extend the Settings to > support what I've done in a more general way. I'll take a stab at it and > post some patches. I'd love to hear about them. Posted untested patches to http://reviews.reviewboard.org/r/1949/ -- Want to help the Review Board project? Donate today at http://www.reviewboard.org/donate/ Happy user? Let us know at http://www.reviewboard.org/users/ -~--~~~~--~~--~--~--- To unsubscribe from this group, send email to reviewboard+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/reviewboard?hl=en
Re: Permission to create and comment on reviews?
On 2010-11-26 21:41, Christian Hammond wrote: It should be, yeah. You can modify RegistrationForm in reviewboard/accounts/forms.py to do it. Off the top of my head, you could probably add a new save method, like: def save(self): user = super(RegistrationForm, self).save() if user: user.active = False user.save() return user Of course, you'll have to patch that for every release. That, or clone our Git repository and do your own builds from that, keeping this change in a branch I wanted to see if it would work to do this, so a added this to /usr/lib/python2.6/site-packages/ReviewBoard-1.5.1-py2.6.egg/reviewboard/accounts/forms.py but even after setting the permissions to allow apache to write the .pyc file it does not get updated. Is there some magic I need to invoke to get the source recompiled? (without that, all users are still starting as active) -- Want to help the Review Board project? Donate today at http://www.reviewboard.org/donate/ Happy user? Let us know at http://www.reviewboard.org/users/ -~--~~~~--~~--~--~--- To unsubscribe from this group, send email to reviewboard+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/reviewboard?hl=en
Re: Permission to create and comment on reviews?
On Fri, Nov 26, 2010 at 6:33 PM, Oz Linden (Scott Lawrence) wrote: > Yes, that would do nicely. > > Would it be a small change to just change the default value of the 'active' > flag be false? Until the notification system was in place I could just > instruct new users that they need to send mail to me after they create an > account It should be, yeah. You can modify RegistrationForm in reviewboard/accounts/forms.py to do it. Off the top of my head, you could probably add a new save method, like: def save(self): user = super(RegistrationForm, self).save() if user: user.active = False user.save() return user Of course, you'll have to patch that for every release. That, or clone our Git repository and do your own builds from that, keeping this change in a branch. > I also have a couple of suggestions on how to customize the site. I've done > them by hand on mine (which won't be generally visible until I've got SSL > installed), but I'm pretty sure I can see how to extend the Settings to > support what I've done in a more general way. I'll take a stab at it and > post some patches. I'd love to hear about them. Christian -- Christian Hammond - chip...@chipx86.com Review Board - http://www.reviewboard.org VMware, Inc. - http://www.vmware.com -- Want to help the Review Board project? Donate today at http://www.reviewboard.org/donate/ Happy user? Let us know at http://www.reviewboard.org/users/ -~--~~~~--~~--~--~--- To unsubscribe from this group, send email to reviewboard+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/reviewboard?hl=en
Re: Permission to create and comment on reviews?
On 2010-11-26 15:06, Christian Hammond wrote: Hey Scott, The default registration method is to allow anyone to register a new account. However, it's not moderated, as you know. That's something that could be accomplished by unsetting the 'active' flag on the User entry in the database, which an auth backend could certainly do. So, short term, if you wanted you could probably just create a new Django auth backend and tell Review Board to use it. I'm working on documentation on how to create these and use them, and have some plans for making it easier to work with them in 1.6. What you also probably want is some notification on newly registered users. The auth backend could potentially do this too. So, if you want to get going fast, that's probably what you should do. However, one option we could add is to have a new option in Authentication Settings for "Require approval for new accounts" or something to that effect. When checked, new accounts would be set inactive by default, and an e-mail would go out to the admins of the site (or some other preconfigured address). The admin would then just need to go into the admin UI and set them active. Does that sound about what you'd want? Yes, that would do nicely. Would it be a small change to just change the default value of the 'active' flag be false? Until the notification system was in place I could just instruct new users that they need to send mail to me after they create an account I also have a couple of suggestions on how to customize the site. I've done them by hand on mine (which won't be generally visible until I've got SSL installed), but I'm pretty sure I can see how to extend the Settings to support what I've done in a more general way. I'll take a stab at it and post some patches. -- Want to help the Review Board project? Donate today at http://www.reviewboard.org/donate/ Happy user? Let us know at http://www.reviewboard.org/users/ -~--~~~~--~~--~--~--- To unsubscribe from this group, send email to reviewboard+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/reviewboard?hl=en
Re: Permission to create and comment on reviews?
Hey Scott, The default registration method is to allow anyone to register a new account. However, it's not moderated, as you know. That's something that could be accomplished by unsetting the 'active' flag on the User entry in the database, which an auth backend could certainly do. So, short term, if you wanted you could probably just create a new Django auth backend and tell Review Board to use it. I'm working on documentation on how to create these and use them, and have some plans for making it easier to work with them in 1.6. What you also probably want is some notification on newly registered users. The auth backend could potentially do this too. So, if you want to get going fast, that's probably what you should do. However, one option we could add is to have a new option in Authentication Settings for "Require approval for new accounts" or something to that effect. When checked, new accounts would be set inactive by default, and an e-mail would go out to the admins of the site (or some other preconfigured address). The admin would then just need to go into the admin UI and set them active. Does that sound about what you'd want? You mentioned the permission groups, but those aren't really used anywhere but the admin UI (with the exception of a couple special permissions for allowing users to post on behalf of other users, mainly for post-commit hooks). Christian -- Christian Hammond - chip...@chipx86.com Review Board - http://www.reviewboard.org VMware, Inc. - http://www.vmware.com On Fri, Nov 26, 2010 at 10:10 AM, Oz Linden (Scott Lawrence) wrote: > Is it possible to configure reviewboard so that > > Accounts can be created by anyone > Those accounts cannot create reviews or post comments until they have been > manually added to the appropriate Permission Group? > > I'm setting up a system to be used by the Second Life Viewer open source > project, and would prefer not to have to create accounts for people by hand, > but would like to have some control over who can add content. > > Not incidentally, I'm very interested in the OpenID support that is listed a > possible addition in 1.6 and have an OpenID provider that I can make > available for testing if/when someone wants to work on this for > ReviewBoard. > > These two things are not unrelated - if accounts are defined externally, > having a permission that governs use of the service seems important. > > -- > Want to help the Review Board project? Donate today at > http://www.reviewboard.org/donate/ > Happy user? Let us know at http://www.reviewboard.org/users/ > -~--~~~~--~~--~--~--- > To unsubscribe from this group, send email to > reviewboard+unsubscr...@googlegroups.com > For more options, visit this group at > http://groups.google.com/group/reviewboard?hl=en -- Want to help the Review Board project? Donate today at http://www.reviewboard.org/donate/ Happy user? Let us know at http://www.reviewboard.org/users/ -~--~~~~--~~--~--~--- To unsubscribe from this group, send email to reviewboard+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/reviewboard?hl=en
Permission to create and comment on reviews?
Is it possible to configure reviewboard so that * Accounts can be created by anyone * Those accounts cannot create reviews or post comments until they have been manually added to the appropriate Permission Group? I'm setting up a system to be used by the Second Life Viewer open source project, and would prefer not to have to create accounts for people by hand, but would like to have some control over who can add content. Not incidentally, I'm very interested in the OpenID support that is listed a possible addition in 1.6 and have an OpenID provider that I can make available for testing if/when someone wants to work on this for ReviewBoard. These two things are not unrelated - if accounts are defined externally, having a permission that governs use of the service seems important. -- Want to help the Review Board project? Donate today at http://www.reviewboard.org/donate/ Happy user? Let us know at http://www.reviewboard.org/users/ -~--~~~~--~~--~--~--- To unsubscribe from this group, send email to reviewboard+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/reviewboard?hl=en