3307: cannot add repository using webapi even if non-super-user has this perm
- Review Board
|nan****@gmai***** (Google Code)|
|May 2, 2014|
What version are you running?
1.7.6

What's the URL of the page containing the problem?
api/repositories

What steps will reproduce the problem?
1. Create a user account, add it to staff + add the "Can add repository" perm to it
2. Send an HTTP POST request to create a new repo using this user's credentials

What is the expected output? What do you see instead?
I expect success but get "msg": "You don't have permission for this", "code": 101

What operating system are you using? What browser?
curl client

In fact, when I show all user permissions I can see all permissions: set([u'scmtools.add_repository', u'reviews.change_group', u'reviews.add_group', u'scmtools.change_repository']) and in scmtools/managers.py it checks create_repository instead of add_repository. I don't know exactly where permissions are declared but I suppose the good one is create_repository because it is the one defined ;-)

Please find the fix below

diff --git a/usr/local/lib/python2.7/dist-packages/ReviewBoard-1.7.6-py2.7.egg/reviewboard/scmtools/managers.py.orig b/usr/local/lib/pytho index 88206ef..8a4f16a 100755 --- a/usr/local/lib/python2.7/dist-packages/ReviewBoard-1.7.6-py2.7.egg/reviewboard/scmtools/managers.py.orig +++ b/usr/local/lib/python2.7/dist-packages/ReviewBoard-1.7.6-py2.7.egg/reviewboard/scmtools/managers.py @@ -65,5 +65,6 @@ class RepositoryManager(Manager): return qs.filter(local_site=local_site) def can_create(self, user, local_site=None): - return (user.has_perm('scmtools.create_repository') or + # Adding a repository permission is 'add_' not but 'change_'. + return (user.has_perm('scmtools.add_repository') or (local_site and local_site.is_mutable_by(user)))
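Review bot: The comment added above the return in can_create ("'add_' not but 'change_'") is garbled and names the wrong prefix, since the removed line checked 'scmtools.create_repository', not a 'change_' permission. Suggest rewording it to say that the check uses Django's auto-generated 'add_repository' permission in place of 'create_repository'. Separately, the file headers point at an installed egg under dist-packages (managers.py.orig against managers.py) and the b/ path on the diff --git line is cut off, so the patch should be regenerated against reviewboard/scmtools/managers.py in a source checkout before it is applied.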
The vast majority of the "permissions" that you see in the admin UI are added by the Django admin framework, and we have traditionally not used them. Can you explain your use case for this?
#2 nan****@gmai***** (Google Code)
Hi, sorry for the late reply. There are ~500 users and more than 200 repos, 5 are superusers, and a tenth are in staff and have delegation to add/modify repos only. I have inserted a debug trace before checking permissions to see all of the current user's permissions and it returns "add_repository" ... So the right Django permission to check is "add_" instead of "create_". I suppose Django automatically creates 3 kinds of perm (add|modify|del)_<permission name>
Fixed in release-1.7.x (e795f3b). Thanks!
- NeedInfo + Fixed
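The mismatch reported in this thread (a has_perm() check against a permission string that no user can be granted) can be caught mechanically. The following added example, which is not Review Board's code and not from the reporter or maintainers, scans Python source for has_perm() string literals and flags any that are not among Django's default add/change/delete permissions. The app and model names are assumed from the permission strings printed in the report, and BEFORE/AFTER are constructed samples.

```python
import ast

# Django's default per-model permission actions (Django 2.1+ also adds "view").
DEFAULT_ACTIONS = ("add", "change", "delete")


def default_perms(models, actions=DEFAULT_ACTIONS):
    """Build the 'app_label.action_model' strings Django generates by default.

    `models` maps an app label to its lowercase model names.
    """
    return {
        f"{app}.{action}_{model}"
        for app, names in models.items()
        for model in names
        for action in actions
    }


def find_unknown_perms(source, known):
    """Return sorted (line, perm) for each has_perm('<literal>') not in `known`."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "has_perm"
                and node.args):
            continue
        arg = node.args[0]
        # Only string literals can be checked statically; skip computed names.
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            if arg.value not in known:
                findings.append((node.lineno, arg.value))
    return sorted(findings)


# Constructed samples: the check before and after the change in this report.
BEFORE = """
def can_create(self, user, local_site=None):
    return (user.has_perm('scmtools.create_repository') or
            (local_site and local_site.is_mutable_by(user)))
"""
AFTER = BEFORE.replace("create_repository", "add_repository")

# Assumed layout: model 'repository' in app 'scmtools', 'group' in 'reviews'.
KNOWN = default_perms({"scmtools": ["repository"], "reviews": ["group"]})

if __name__ == "__main__":
    for label, src in (("before", BEFORE), ("after", AFTER)):
        print(label, find_unknown_perms(src, KNOWN))
```

A project that declares custom permissions in a model's Meta.permissions would add those strings to the known set before scanning.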