review of privileges and forum permissions
* Sorted privileges into categories, similar to the v4.3 style
Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
and can_delete_post()
Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.
Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (eg. mods) could edit
and delete messages in forums they can't access (eg. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
on every message, even though most were unusable
Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
which I assume worked by chance until now
* Removed the old assets/privs.txt files which is now superseded by the
list implemented in app/data/groups.yaml
This commit changes group and forum information, run master.py with:
@> forums update
@> groups update
2021-02-26 18:29:25 +01:00
|
|
|
|
# LIST OF PRIVILEGES:
|
|
|
|
|
|
#
|
|
|
|
|
|
# Access to specific forums (see forums.yaml for prefix values):
|
|
|
|
|
|
# forum.access.<prefix>
|
|
|
|
|
|
# forum.post.<prefix>
|
|
|
|
|
|
# forum.post-news
|
|
|
|
|
|
# forum.post-anywhere
|
|
|
|
|
|
# -> All forums are readable by default except <admin> and <creativecalc>
|
|
|
|
|
|
# -> All forums are writable by default except <admin>, <creativecalc>,
|
|
|
|
|
|
# children of <news>, and forums with children ("categories")
|
|
|
|
|
|
# -> Use member.can_access_forum(forum) and member.can_post_in_forum(forum)
|
|
|
|
|
|
#
|
|
|
|
|
|
# Access to extended publication methods:
|
|
|
|
|
|
# publish.schedule-posts
|
|
|
|
|
|
# publish.pin-posts
|
|
|
|
|
|
# publish.shared-files
|
|
|
|
|
|
#
|
|
|
|
|
|
# Moderation:
|
2021-07-12 17:49:54 +02:00
|
|
|
|
# edit.posts (includes top comment selection)
|
review of privileges and forum permissions
* Sorted privileges into categories, similar to the v4.3 style
Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
and can_delete_post()
Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.
Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (eg. mods) could edit
and delete messages in forums they can't access (eg. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
on every message, even though most were unusable
Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
which I assume worked by chance until now
* Removed the old assets/privs.txt files which is now superseded by the
list implemented in app/data/groups.yaml
This commit changes group and forum information, run master.py with:
@> forums update
@> groups update
2021-02-26 18:29:25 +01:00
|
|
|
|
# edit.tests
|
|
|
|
|
|
# edit.accounts
|
|
|
|
|
|
# edit.trophies
|
2021-07-10 21:43:41 +02:00
|
|
|
|
# delete.posts (includes triple XP removal)
|
review of privileges and forum permissions
* Sorted privileges into categories, similar to the v4.3 style
Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
and can_delete_post()
Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.
Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (eg. mods) could edit
and delete messages in forums they can't access (eg. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
on every message, even though most were unusable
Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
which I assume worked by chance until now
* Removed the old assets/privs.txt files which is now superseded by the
list implemented in app/data/groups.yaml
This commit changes group and forum information, run master.py with:
@> forums update
@> groups update
2021-02-26 18:29:25 +01:00
|
|
|
|
# delete.tests
|
|
|
|
|
|
# delete.accounts
|
|
|
|
|
|
# delete.shared-files
|
|
|
|
|
|
# move.posts
|
|
|
|
|
|
#
|
|
|
|
|
|
# Shoutbox:
|
|
|
|
|
|
# shoutbox.kick
|
|
|
|
|
|
# shoutbox.ban
|
|
|
|
|
|
#
|
|
|
|
|
|
# Miscellaneous:
|
|
|
|
|
|
# misc.unlimited-pms
|
|
|
|
|
|
# misc.dev-infos
|
2021-03-05 23:44:02 +01:00
|
|
|
|
# misc.arbitrary-login
|
review of privileges and forum permissions
* Sorted privileges into categories, similar to the v4.3 style
Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
and can_delete_post()
Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.
Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (eg. mods) could edit
and delete messages in forums they can't access (eg. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
on every message, even though most were unusable
Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
which I assume worked by chance until now
* Removed the old assets/privs.txt files which is now superseded by the
list implemented in app/data/groups.yaml
This commit changes group and forum information, run master.py with:
@> forums update
@> groups update
2021-02-26 18:29:25 +01:00
|
|
|
|
# misc.community-login
|
|
|
|
|
|
# misc.admin-panel
|
|
|
|
|
|
# misc.no-upload-limits
|
|
|
|
|
|
#
|
|
|
|
|
|
# TODO: PRIVILEGES NOT YET IMPLEMENTED:
|
|
|
|
|
|
# The features that these privileges control are not implemented yet, or the
|
|
|
|
|
|
# privilege checks are missing.
|
|
|
|
|
|
#
|
|
|
|
|
|
# publish.*
|
|
|
|
|
|
# edit.tests
|
|
|
|
|
|
# delete.tests delete.shared-files
|
|
|
|
|
|
# move.posts
|
|
|
|
|
|
# shoutbox.*
|
|
|
|
|
|
# misc.unlimited-pms
|
|
|
|
|
|
|
2019-02-16 17:12:41 +01:00
|
|
|
|
-
|
|
|
|
|
|
name: Administrateur
|
2019-09-03 09:28:07 +02:00
|
|
|
|
css: "color: #ee0000;"
|
2019-02-16 17:12:41 +01:00
|
|
|
|
descr: "Vous voyez Chuck Norris ? Pareil."
|
review of privileges and forum permissions
* Sorted privileges into categories, similar to the v4.3 style
Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
and can_delete_post()
Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.
Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (eg. mods) could edit
and delete messages in forums they can't access (eg. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
on every message, even though most were unusable
Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
which I assume worked by chance until now
* Removed the old assets/privs.txt files which is now superseded by the
list implemented in app/data/groups.yaml
This commit changes group and forum information, run master.py with:
@> forums update
@> groups update
2021-02-26 18:29:25 +01:00
|
|
|
|
privs: forum.access.admin forum.access.creativecalc forum.post-news
|
|
|
|
|
|
forum.post-anywhere
|
|
|
|
|
|
publish.schedule-posts publish.pin-posts publish.shared-files
|
|
|
|
|
|
edit.posts edit.tests edit.accounts edit.trophies
|
|
|
|
|
|
delete.posts delete.tests delete.accounts delete.shared-files
|
|
|
|
|
|
move.posts
|
|
|
|
|
|
shoutbox.kick shoutbox.ban
|
2021-03-05 23:44:02 +01:00
|
|
|
|
misc.unlimited-pms misc.dev-infos misc.admin-panel
|
2021-03-06 11:36:35 +01:00
|
|
|
|
misc.no-upload-limits misc.arbitrary-login
|
2019-02-16 17:12:41 +01:00
|
|
|
|
-
|
|
|
|
|
|
name: Modérateur
|
2019-09-03 09:28:07 +02:00
|
|
|
|
css: "color: green;"
|
2019-02-16 17:12:41 +01:00
|
|
|
|
descr: "Maîtres du kick, ils sont là pour faire respecter un semblant d'ordre."
|
review of privileges and forum permissions
* Sorted privileges into categories, similar to the v4.3 style
Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
and can_delete_post()
Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.
Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (eg. mods) could edit
and delete messages in forums they can't access (eg. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
on every message, even though most were unusable
Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
which I assume worked by chance until now
* Removed the old assets/privs.txt files which is now superseded by the
list implemented in app/data/groups.yaml
This commit changes group and forum information, run master.py with:
@> forums update
@> groups update
2021-02-26 18:29:25 +01:00
|
|
|
|
privs: forum.access.admin
|
|
|
|
|
|
edit.posts edit.tests
|
|
|
|
|
|
delete.posts delete.tests
|
|
|
|
|
|
move.posts
|
|
|
|
|
|
shoutbox.kick shoutbox.ban
|
|
|
|
|
|
misc.unlimited-pms misc.no-upload-limits
|
2019-02-16 17:12:41 +01:00
|
|
|
|
-
|
|
|
|
|
|
name: Développeur
|
2019-09-03 09:28:07 +02:00
|
|
|
|
css: "color: #4169e1;"
|
2019-02-16 17:12:41 +01:00
|
|
|
|
descr: "Les développeurs maintiennent et améliorent le code du site."
|
review of privileges and forum permissions
* Sorted privileges into categories, similar to the v4.3 style
Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
and can_delete_post()
Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.
Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (eg. mods) could edit
and delete messages in forums they can't access (eg. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
on every message, even though most were unusable
Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
which I assume worked by chance until now
* Removed the old assets/privs.txt files which is now superseded by the
list implemented in app/data/groups.yaml
This commit changes group and forum information, run master.py with:
@> forums update
@> groups update
2021-02-26 18:29:25 +01:00
|
|
|
|
privs: forum.access.admin forum.post-anywhere
|
|
|
|
|
|
publish.schedule-posts publish.shared-files
|
|
|
|
|
|
delete.shared-files
|
|
|
|
|
|
misc.unlimited-pms misc.dev-infos misc.community-login misc.admin-panel
|
2019-02-16 17:12:41 +01:00
|
|
|
|
-
|
|
|
|
|
|
name: Rédacteur
|
2019-09-03 09:28:07 +02:00
|
|
|
|
css: "color: blue;"
|
2019-02-16 17:12:41 +01:00
|
|
|
|
descr: "Rédigent les meilleurs articles de la page d'accueil, rien que pour
|
|
|
|
|
|
vous <3"
|
review of privileges and forum permissions
* Sorted privileges into categories, similar to the v4.3 style
Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
and can_delete_post()
Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.
Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (eg. mods) could edit
and delete messages in forums they can't access (eg. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
on every message, even though most were unusable
Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
which I assume worked by chance until now
* Removed the old assets/privs.txt files which is now superseded by the
list implemented in app/data/groups.yaml
This commit changes group and forum information, run master.py with:
@> forums update
@> groups update
2021-02-26 18:29:25 +01:00
|
|
|
|
privs: forum.access.admin forum.post-news
|
|
|
|
|
|
publish.schedule-posts publish.pin-posts publish.shared-files
|
|
|
|
|
|
delete.shared-files
|
2021-03-06 11:36:35 +01:00
|
|
|
|
misc.no-upload-limits misc.community-login
|
2019-02-16 17:12:41 +01:00
|
|
|
|
-
|
|
|
|
|
|
name: Responsable communauté
|
2019-09-03 09:28:07 +02:00
|
|
|
|
css: "color: DarkOrange;"
|
2019-02-16 17:12:41 +01:00
|
|
|
|
descr: "Anime les pages Twitter et Facebook de Planète Casio et surveille
|
|
|
|
|
|
l'évolution du monde autour de nous !"
|
review of privileges and forum permissions
* Sorted privileges into categories, similar to the v4.3 style
Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
and can_delete_post()
Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.
Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (eg. mods) could edit
and delete messages in forums they can't access (eg. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
on every message, even though most were unusable
Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
which I assume worked by chance until now
* Removed the old assets/privs.txt files which is now superseded by the
list implemented in app/data/groups.yaml
This commit changes group and forum information, run master.py with:
@> forums update
@> groups update
2021-02-26 18:29:25 +01:00
|
|
|
|
privs: forum.access.admin forum.post-news
|
|
|
|
|
|
publish.schedule-posts publish.pin-posts publish.shared-files
|
2021-03-06 11:36:35 +01:00
|
|
|
|
delete.shared-files misc.community-login
|
2019-02-16 17:12:41 +01:00
|
|
|
|
-
|
|
|
|
|
|
name: Partenaire
|
2019-09-03 09:28:07 +02:00
|
|
|
|
css: "color: purple;"
|
2019-02-16 17:12:41 +01:00
|
|
|
|
descr: "Membres de l'équipe d'administration des sites partenaires."
|
review of privileges and forum permissions
* Sorted privileges into categories, similar to the v4.3 style
Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
and can_delete_post()
Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.
Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (eg. mods) could edit
and delete messages in forums they can't access (eg. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
on every message, even though most were unusable
Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
which I assume worked by chance until now
* Removed the old assets/privs.txt files which is now superseded by the
list implemented in app/data/groups.yaml
This commit changes group and forum information, run master.py with:
@> forums update
@> groups update
2021-02-26 18:29:25 +01:00
|
|
|
|
privs: forum.post-news
|
|
|
|
|
|
publish.schedule-posts publish.shared-files
|
|
|
|
|
|
delete.shared-files
|
2019-02-16 17:12:41 +01:00
|
|
|
|
-
|
|
|
|
|
|
name: Compte communautaire
|
2019-09-03 09:28:07 +02:00
|
|
|
|
css: "background:#d8d8d8; border-radius:4px; color:#303030; padding:1px 2px;"
|
2019-02-16 17:12:41 +01:00
|
|
|
|
descr: "Compte à usage général de l'équipe de Planète Casio."
|
|
|
|
|
|
-
|
|
|
|
|
|
name: Robot
|
2019-09-03 09:28:07 +02:00
|
|
|
|
css: "color: #cf25d0;"
|
2019-02-16 17:12:41 +01:00
|
|
|
|
descr: "♫ Je suis Nono, le petit robot, l'ami d'Ulysse ♫"
|
review of privileges and forum permissions
* Sorted privileges into categories, similar to the v4.3 style
Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
and can_delete_post()
Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.
Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (eg. mods) could edit
and delete messages in forums they can't access (eg. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
on every message, even though most were unusable
Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
which I assume worked by chance until now
* Removed the old assets/privs.txt files which is now superseded by the
list implemented in app/data/groups.yaml
This commit changes group and forum information, run master.py with:
@> forums update
@> groups update
2021-02-26 18:29:25 +01:00
|
|
|
|
privs: shoutbox.kick shoutbox.ban
|
2019-02-16 17:12:41 +01:00
|
|
|
|
-
|
|
|
|
|
|
name: Membre de CreativeCalc
|
2019-09-03 09:28:07 +02:00
|
|
|
|
css: "color: #222222;"
|
2019-02-16 17:12:41 +01:00
|
|
|
|
descr: "CreativeCalc est l'association qui gère Planète Casio."
|
review of privileges and forum permissions
* Sorted privileges into categories, similar to the v4.3 style
Added privilege check utilities:
* Forum: is_news(), is_default_accessible() and is_default_postable()
* Member: can_access_forum(), can_post_in_forum(), can_edit_post(),
and can_delete_post()
Unfortunately current_user is not a Guest when logged out, so one
cannot usually write current_user.can_*() without checking for
authentication first, so the checks are still somewhat verbose.
Reviewed forum permissions; the following permission issues have been
fixed (I have tested most but not all of them prior to fixing):
* app/routes/forum/index.py: Users that were not meant to access a
forum could still obtain a listing of the topics
* app/routes/forum/topic.py: Users that were not meant to see topics
could still read them by browsing the URL
* app/routes/forum/topic.py: Authenticated users could post in any
topic, including ones that they should not have access to
* app/routes/posts/edit.py: Users with edit.posts (eg. mods) could edit
and delete messages in forums they can't access (eg. creativecalc)
* app/templates/account/user.html: Users with admin panel access would
see account editing links they can't use (affects developers)
* app/templates/base/navbar/forum.html: The "Forum" tab would list all
forums including ones the user doesn't have access to
* app/templates/forum/index.html: Users would see every single forum,
including ones they can't access
* app/template/widgets/thread.html: Anyone would see Edit/Delete links
on every message, even though most were unusable
Miscellaneous changes:
* app/routes/forum/topic.py: Ordered comments by date as intended,
which I assume worked by chance until now
* Removed the old assets/privs.txt files which is now superseded by the
list implemented in app/data/groups.yaml
This commit changes group and forum information, run master.py with:
@> forums update
@> groups update
2021-02-26 18:29:25 +01:00
|
|
|
|
privs: forum.access.creativecalc
|
2019-09-03 09:28:07 +02:00
|
|
|
|
-
|
2021-02-20 19:30:18 +01:00
|
|
|
|
name: No login
|
|
|
|
|
|
css: "color: #888888;"
|
|
|
|
|
|
descr: "Compte dont l'accès au site est désactivé."
|
