Posted by Alwin |
|
Hi,
Maybe I'm blind, but... I set up a fresh install of the community tools, and now I see that every user is able to edit every post of another user. I searched around, tried setting up a role, setting single user rights - the user could always edit all posts. Did I search in the wrong area? Why isn't it the default that a new user cannot change other posts? Where can I set up the default rights for every user not assigned to a special role?

Next: I didn't find in the admin area where to increase the size of avatar pictures. In the code I saw "community_avatar_max_size" but never an entry elsewhere. Do I have to change it directly inside the database?

ciao Alwin |
|
Posted by Herbert Poul |
|
hi,
i've just tried it out .. and .. simply adding a user .. logging in as that user .. and i wasn't able to edit anyone else's posts .. maybe you are adding all users as superusers ? :)
by default new users have no role and no extra permissions
no, this can be configured in SPH SETTINGS - simply add

    SPH_SETTINGS = { 'community_avatar_max_size': .... , }

to your settings_local.py or settings.py

Hey, we have Signatures !!! Great, isn't it ? ;) |
|
Posted by Alwin |
|
No. I'd checked, user "dummy" has only the "active" flag set. No other rights. No role exists, so of course the user isn't assigned to any role. :( No idea where the superuser rights come from.
But the user may edit all posts. Is there somewhere the possibility to set up the default rights?

CU Alwin |
|
Posted by Herbert Poul |
|
no .. there are no default rights (especially not for editing posts)
we could try to debug the problem.. e.g. edit the file sphenecoll/sphene/sphboard/models.py and go to line 642 .. it should be right inside of 'def allow_editing(...)':

        if user.is_superuser \
               or has_permission_flag( user, 'sphboard_editallposts', self.category ):
            return True

modify it to look like:

        print "user %s for post %d" % (str(user), self.id)
        if user.is_superuser \
               or has_permission_flag( user, 'sphboard_editallposts', self.category ):
            print "- is superuser or has permission flag"
            return True

and then run it in the django development server.. and see what happens when your dummy user views the posts ...

another way to debug it would be to use the python shell .. from the same directory as you would start your development server run:

    $ ./manage.py shell
    Executing module body.
    Python 2.5.2 (r252:60911, Apr 17 2008, 11:51:28)
    [GCC 4.0.1 (Apple Computer, Inc. build 5367)] on darwin
    Type "help", "copyright", "credits" or "license" for more information.
    (InteractiveConsole)
    >>> # and now you can use python commands to debug the problem..
    # first load the post:
    >>> from sphene.sphboard.models import Post
    >>> post = Post.objects.get(pk = 5)
    >>> post
    <Post: Re: Test Thread>
    # (use the ID of the post you see in the URL)
    # load the user:
    >>> from django.contrib.auth.models import User
    >>> user = User.objects.get(pk = 1)
    >>> user
    <User: kahless>
    >>> # test the permissions:
    >>> post.allow_editing(user)
    True
    >>> user.is_superuser
    True
    >>> from sphene.community.permissionutils import has_permission_flag
    >>> has_permission_flag(user, 'sphboard_editallposts', post.category)
    True
    >>>

well .. try one (or both) methods .. and let me know what the output looks like :)

thanks,
herbert

--- Last Edited by Herbert Poul at 2008-04-26 12:00:02 ---

Hey, we have Signatures !!! Great, isn't it ? ;) |
|
Posted by Alwin |
|
    >>> user
    <User: dummy>
    >>> post.allow_editing(user)
    True
    >>> user.is_superuser
    False
    >>> from sphene.community.permissionutils import has_permission_flag
    >>> has_permission_flag(user, 'sphboard_editallposts', post.category)
    True
    >>>

So. The user has the right "editallposts" - but why? The user is freshly created. No role set anywhere. So I cannot remove an access right. And in category settings there is no point "allow edit all posts" or such.
(btw.: on a second, test install it doesn't happen...) |
|
Posted by Herbert Poul |
|
hmm.. that's interesting.. maybe there is a bug in checking the flag permissions ..
please try the following:

    # again load the post and the user
    >>> from sphene.sphboard.models import Post
    >>> from sphene.community.permissionutils import has_permission_flag
    >>> from django.contrib.auth.models import User
    >>> user = User.objects.get(pk = 2)
    >>> post = Post.objects.get(pk = 5)
    # enable debugging
    >>> from django.conf import settings
    >>> settings.DEBUG = True
    # reset queries
    >>> from django.db import connection
    >>> connection.queries = []
    # test the permission flag
    >>> has_permission_flag(user, 'sphboard_editallposts', post.category)
    False
    # output the sql queries
    >>> connection.queries
    [{'time': '0.001', 'sql': 'SELECT "community_rolegroupmember"."id","community_rolegroupmember"."rolegroup_id","community_rolegroupmember"."user_id" FROM "community ..........

maybe you could paste me all queries the permission check made ?

Hey, we have Signatures !!! Great, isn't it ? ;) |
|
Posted by Alwin |
|
So, I created a really fresh user via the standard user interface. It may be interesting to you that the database is currently an sqlite3 connection (due to testing state).
Debug output is appended as a file. tnx |
|
Posted by Herbert Poul |
|
ooops.. i think i found the problem :(
i thought named arguments to the Q object are ANDed .. just as those to filter(..) .. obviously ... i was wrong.
i have committed a fix into the trunk .. please update and it should work

thanks for debugging this with me,
herbert

Hey, we have Signatures !!! Great, isn't it ? ;) |
|
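The failure mode found in this thread, a permission lookup whose conditions end up ORed instead of ANDed, reproduced as an added example (not Sphene's code and not the committed fix). The two-table schema, the SQL and the helper names are hypothetical; only the flag name `sphboard_editallposts` comes from the thread.

```python
import sqlite3

# Constructed two-table schema (hypothetical, not Sphene's real tables).
SCHEMA = """
CREATE TABLE role_member (user_id INTEGER, role_id INTEGER);
CREATE TABLE role_flag   (role_id INTEGER, flag TEXT);
"""
JOIN = ("SELECT COUNT(*) FROM role_member m "
        "JOIN role_flag f ON f.role_id = m.role_id WHERE ")
# Broken: either condition alone is enough to match a row.
BROKEN = JOIN + "m.user_id = ? OR f.flag = ?"
# Fixed: the row must belong to this user AND carry this flag.
FIXED = JOIN + "m.user_id = ? AND f.flag = ?"

FLAG = "sphboard_editallposts"


def make_db(with_moderator=True):
    """Build constructed sample data: user 1 is a moderator, user 2 is new."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    if with_moderator:
        db.execute("INSERT INTO role_member VALUES (1, 10)")
        db.execute("INSERT INTO role_flag VALUES (10, ?)", (FLAG,))
    return db  # user 2 never gets a role_member row


def has_flag(db, sql, user_id, flag=FLAG):
    (count,) = db.execute(sql, (user_id, flag)).fetchone()
    return count > 0


def wrongly_granted(db, sql, user_ids, flag=FLAG):
    """Regression check: users the query grants the flag to although none
    of their own roles carries it (ground truth computed without the join)."""
    flag_roles = {r for (r,) in db.execute(
        "SELECT role_id FROM role_flag WHERE flag = ?", (flag,))}
    bad = []
    for uid in user_ids:
        own = {r for (r,) in db.execute(
            "SELECT role_id FROM role_member WHERE user_id = ?", (uid,))}
        if has_flag(db, sql, uid, flag) and not own & flag_roles:
            bad.append(uid)
    return bad


if __name__ == "__main__":
    db = make_db()
    print("wrongly granted by broken check:", wrongly_granted(db, BROKEN, [1, 2]))
    print("wrongly granted by fixed check: ", wrongly_granted(db, FIXED, [1, 2]))
```

With no role granting the flag to anyone (`make_db(with_moderator=False)`), the broken query matches no rows, so a check like this only misfires once some role assignment exists.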
Posted by Alwin |
|
Works now!
many tnx! :-) |