Ticket #1629 (closed defect: fixed)
permissions changed during upgrade to 1.5.1
Reported by: | dread | Owned by: | dread |
---|---|---|---|
Priority: | critical | Milestone: | ckan-sprint-2012-01-23 |
Component: | ckan | Keywords: | |
Cc: | johnglover | Repository: | ckan |
Theme: | none | | |
Description
This was seen on datacatalogs. When we upgraded it from 1.5 to 1.5.1 we saw some permissions being reset so that it could be spammed. Anonymous and logged in users were given anon_editor and editor permissions. I don't know what the previous config was. Permissions for sysadmins remain unaffected.
Change History
comment:2 Changed 2 years ago by dread
- Status changed from new to closed
- Resolution set to fixed
This permission is set every time you do a db_upgrade. ckan.model.__init__.py calls init_configuration_data(), which calls init_authz_configuration_data(), which restores specific roles to the defaults.
I agree that it doesn't seem right in this circumstance, but the way I set up roles is for 'editor', 'anon_editor' and 'reader' to have a fixed set of actions. See the comment in ckan/model/authz.py:
# These define what is meant by 'editor' and 'reader' for all ckan
# instances - locked down or otherwise. They get refreshed on every db_upgrade.
# So if you want to lock down a ckan instance, change Visitor and LoggedIn
# to have a new role for which you can allow your customised actions.
Basically it seemed wrong when people changed 'editor' to something that couldn't edit. They should call that role something else.
But people *are* able to edit these roles (even though they are reset on upgrade) and they should be prevented. I've put this in a new ticket: http://trac.ckan.org/ticket/1679
anon_editor and editor were given the create-package role; I had previously removed it via paster roles deny [anon_]editor create-package.
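Added example, not CKAN's code: a small audit that models the reset described in the comment (built-in roles snap back to fixed defaults on db_upgrade) and reports which actions the Visitor and LoggedIn pseudo-users regain, contrasting the fragile setup (deny on anon_editor/editor) with the suggested one (bind Visitor/LoggedIn to a custom role). ROLE_DEFAULTS, reset_to_defaults and the custom role name locked_reader are constructed stand-ins, not init_authz_configuration_data() or real CKAN data.

```python
# Added example (not CKAN code): detect privilege regressions caused by a
# db_upgrade resetting the built-in roles. Role and action names mirror the
# ticket; the defaults and the reset are constructed stand-ins.
from typing import Dict, Set

Grants = Dict[str, Set[str]]      # role name -> allowed actions
UserRoles = Dict[str, str]        # pseudo-user (Visitor/LoggedIn) -> role

# Constructed defaults: the fixed meaning of each built-in role.
ROLE_DEFAULTS: Grants = {
    "reader": {"read"},
    "anon_editor": {"read", "create-package"},
    "editor": {"read", "create-package", "edit"},
}


def reset_to_defaults(grants: Grants) -> Grants:
    """Simulates the upgrade step: built-in roles are restored to
    ROLE_DEFAULTS; roles not in ROLE_DEFAULTS (custom ones) are untouched."""
    refreshed = {role: set(actions) for role, actions in grants.items()}
    for role, actions in ROLE_DEFAULTS.items():
        refreshed[role] = set(actions)
    return refreshed


def regained_actions(before: Grants, after: Grants,
                     user_roles: UserRoles) -> Dict[str, Set[str]]:
    """Actions each pseudo-user can perform after the reset but could not
    before. An empty dict means the upgrade caused no privilege regression."""
    regained: Dict[str, Set[str]] = {}
    for user, role in user_roles.items():
        gained = after.get(role, set()) - before.get(role, set())
        if gained:
            regained[user] = gained
    return regained


def audit_upgrade(grants: Grants, user_roles: UserRoles) -> Dict[str, Set[str]]:
    """Run the simulated reset over the current grants and report regressions."""
    return regained_actions(grants, reset_to_defaults(grants), user_roles)


# Fragile lock-down: 'paster roles deny' applied to the built-in roles.
LOCKED_BUILTINS: Grants = {
    "reader": {"read"}, "anon_editor": {"read"}, "editor": {"read", "edit"},
}
# Recommended lock-down: Visitor/LoggedIn bound to a custom role (constructed).
LOCKED_CUSTOM: Grants = dict(ROLE_DEFAULTS, locked_reader={"read"})
```

Calling audit_upgrade(LOCKED_BUILTINS, {"Visitor": "anon_editor", "LoggedIn": "editor"}) reports create-package regained by both users, while audit_upgrade(LOCKED_CUSTOM, {"Visitor": "locked_reader", "LoggedIn": "locked_reader"}) reports nothing.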