Closed Bug 442095 Opened 17 years ago Closed 17 years ago

Accepting anonymous contributions should be an option

Categories

(Webtools Graveyard :: Verbatim, defect)

Product:
Webtools Graveyard
Component:
Verbatim
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: clouserw, Assigned: dschafer)

Details

Attachments

(2 files, 1 obsolete file)

Block both listing and URL access of unauthorized pages
9.05 KB, patch
clouserw
: review+
Details | Diff | Splinter Review
Patch adding better 404 rights-management support
28.31 KB, patch
clouserw
: review+
Details | Diff | Splinter Review
Two options should be added to each project or language for the leads: 1) disable or enable anonymous contributions 2) If option 1 is set, option to not advertise the project to anyone that is outside of the language group. PS. anonymous means people that are logged in but aren't officially a part of a locale team.
since anyone can join a locale team, we can use permissions to define the "language group" - if a person has write permissions (not just suggest) then they can see the stuff in option 2, otherwise not.
The rights system right now can prevent anonymous contributions fairly easily; setting the default user and the nobody user to just have "view" rights satisfies option 1. Option 2 is trickier; one of the rights in Pootle is "View", but disabling that right does not appear to do anything. If a user without "View" on a project could be made unable the project, that would satisfy option 2.
Status: NEW → ASSIGNED
Assignee: nobody → dschafer
Status: ASSIGNED → NEW
Status: NEW → ASSIGNED
According to http://translate.sourceforge.net/wiki/pootle/permissions, the "view" option in Pootle is not currently implemented, but is intended to do exactly what we want it to do.
This patch works on index, languages, language, projects, and project pages. It does ***not***, however, prevent a user from guessing URLs (this will be added in a new patch). When we do add the "guessing URL" failure, we need to make sure the "insufficient rights" error is identical to the 404 message, to prevent users from learning project names by finding the error messages.
Attachment #327680 - Flags: review?(clouserw)
This builds on the previous patch, but returns None from getpage() if the user doesn't have access to the page, simulating a 404.
Attachment #327680 - Attachment is obsolete: true
Attachment #327714 - Flags: review?(clouserw)
Attachment #327680 - Flags: review?(clouserw)
Once finalized, we should almost certainly upstream this particular patch; this implements an planned feature of Pootle that is completely non-Mozilla specific.
Whenever I try to remove the project "view" rights from nobody it comes back (it seems to stay gone on "default" though). Does that happen to you? Also, it looks like view rights are per-locale. Is there a way to remove it per-project (i.e. from all locales at the same time)?
Comment on attachment 327714 [details] [diff] [review] Block both listing and URL access of unauthorized pages r+ because the patch works but lets not close the bug until the above questions are answered.
Attachment #327714 - Flags: review?(clouserw) → review+
(In reply to comment #7) > Whenever I try to remove the project "view" rights from nobody it comes back > (it seems to stay gone on "default" though). Does that happen to you? > > Also, it looks like view rights are per-locale. Is there a way to remove it > per-project (i.e. from all locales at the same time)? > I had that same rights-assigning problem; it doesn't look like you can remove all rights from a given user right now. I'll address that first thing tomorrow. I did my testing by only giving a user "suggest" rights. All rights are currently assigned in a user-by-project-by-language setting; bug 442056 addresses the need for a way to set rights for an entire project / language.
Oh, another question before you commit - it looks like you're deleting some stuff in html/doc/en/ but I'm assuming it's not on purpose. This patch isn't the only one of yours that you're doing this in (?).
Revision 7693 of Mozootle contains the changes in attachment 327714 [details] [diff] [review]. Leaving this bug open to address a few issues: - User cannot be assigned no rights - Language/project page shows an empty list if all items are restricted: should return a 404.
Revision 7706 of Mozootle fixes the "User cannot be assigned no rights" problem.
This patch does a better job with 404Errors; any page can now throw them to indicate that a 404 should be returned, and "listing" pages now throw them if there are no sub-items to list (for example, if the only French translation is for a hidden project, then the listing for "French" will be a 404 rather than an empty list). Note that the pootle.py changes are really quite small: all the old "except Rights404Error" statements are removed, and the entire page search algorithm is enclosed in this block: try: [Page search code] except projects.Rights404Error: return None The diff is large because each line has a new number of tabs.
Attachment #327825 - Flags: review?(clouserw)
Attachment #327825 - Flags: review?(clouserw) → review+
Attachment 327825 [details] [diff] is in revision 7711 of Mozootle. I think this covers all the desired features for this bug (with the exception of those covered by bug 442056, so I'm marking this fixed.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Product: Webtools → Webtools Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: