3307: cannot add repository using webapi even if non-super-user has this perm

nan****@gmai***** (Google Code) (Is this you? Claim this profile.)
May 2, 2014
What version are you running?

What's the URL of the page containing the problem?

What steps will reproduce the problem?
1. create a user account, add it in staff + add it "Can add repository" perm
2. send an http post request to create a new repo using this user credential

What is the expected output? What do you see instead?
I expect success but get "msg": "You don't have permission for this", "code": 101

What operating system are you using? What browser?
curl client

In fact when i show all user permission I can see
all permissions: set([u'scmtools.add_repository', u'reviews.change_group', u'reviews.add_group', u'scmtools.change_repository'])

and in scmtools/managers.py it check create_repository instead of add_repository.
I don't know exactly where permissions are declared but I suppose the good one is create_repository because it is the one defined ;-)

please find the fix below

diff --git a/usr/local/lib/python2.7/dist-packages/ReviewBoard-1.7.6-py2.7.egg/reviewboard/scmtools/managers.py.orig b/usr/local/lib/pytho
index 88206ef..8a4f16a 100755
--- a/usr/local/lib/python2.7/dist-packages/ReviewBoard-1.7.6-py2.7.egg/reviewboard/scmtools/managers.py.orig
+++ b/usr/local/lib/python2.7/dist-packages/ReviewBoard-1.7.6-py2.7.egg/reviewboard/scmtools/managers.py
@@ -65,5 +65,6 @@ class RepositoryManager(Manager):
         return qs.filter(local_site=local_site)
     def can_create(self, user, local_site=None):
-        return (user.has_perm('scmtools.create_repository') or
+       # Adding a repository permission is 'add_' not but 'change_'.
+        return (user.has_perm('scmtools.add_repository') or
                 (local_site and local_site.is_mutable_by(user)))
#1 david
The vast majority of the "permissions" that you see in the admin UI are added by the django admin framework, and we have traditionally not used them. Can you explain your use case for this?
  • +NeedInfo
#2 nan****@gmai***** (Google Code) (Is this you? Claim this profile.)
Hi, sorry for the late reply.

There are ~500 users and more than 200 repos, 5 are superusers, and a tenth are in staff and have delegation to add/modify repos only.

I have inserted a debug trace before checking permissions to see all current user permission and it returns "add_repository" ... So the right Django permission to check is "add_" instead of "create_". 

I suppose Django creates automatically 3 kind of perm (add|modify|del)_<permission name>
#3 david
Fixed in release-1.7.x (e795f3b). Thanks!
  • -NeedInfo