Roundup Tracker

We add a feature to our tracker that allows customers to log in and look at their issues and all the files associated with those issues. From there on, a customer information system can be built that keeps the customer informed about his projects, milestones, files, URLs, etc. With the new permission system we can integrate this into an existing tracker with a fine-grained access policy.

First we create a new hyperdb class Customer and add a link property to the User class that connects a login with a customer. Then a new role "Customer" is introduced. Now we add a link property to the Issue class, so that a user with the role "Customer" is only allowed to view issues associated with that customer. Additionally, the user should be able to view files attached to those issues:

  • Class Customer:
    • Address data, etc.
  • Class User:
    • new link-property: Customer
    • new role: Customer
  • Class Issue:
    • new link-property: Customer

Now add templates for updating customers and add the link-properties to the templates user.item.html and issue.item.html. Set up a check to allow customers to view their issues and not a single issue more (schema.py):

# Create a new Role Customer and allow "Web Access"
db.security.addRole(name="Customer", description="A valued customer")
p = db.security.getPermission('Web Access')
db.security.addPermissionToRole('Customer', p)

# Customer may view issues concerning his company
def customer_issue(db, userid, itemid):
    if not itemid:
        # General access (e.g. search, list) is denied.
        return 0
    user_customer = db.user.get(userid, 'customer')
    if user_customer is None:
        # A login that is not linked to any customer gets nothing; without
        # this guard an unset link (None) would match issues with no customer.
        return 0
    issue_customer = db.issue.get(itemid, 'customer')
    return issue_customer == user_customer

p = db.security.addPermission(name='View', klass='issue',
    check=customer_issue,
    description="Customer may view issues concerning his company")
db.security.addPermissionToRole('Customer', p)

Right so. Giving him access to the files needs a bit more db-fiddling (schema.py):

# Customer may view files associated to customer-issues
def customer_file(db, userid, itemid):
    if not itemid:
        # General access (e.g. search, list) is denied.
        return 0

    user_customer = db.user.get(userid, 'customer')
    if user_customer is None:
        # Same guard as for issues: an unlinked login must not match
        # files attached to issues that have no customer set.
        return 0
    # All issues whose 'files' multilink contains this file
    issues_linking = db.issue.find(files=itemid)
    for issue_id in issues_linking:
        issue_customer = db.issue.get(issue_id, 'customer')
        if issue_customer == user_customer:
            return 1
    return 0

p = db.security.addPermission(name='View', klass='file',
    check=customer_file,
    description="Customer may view files associated to customer-issues")
db.security.addPermissionToRole('Customer', p)
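The two check functions above can only be exercised inside a running tracker. The following is an added example, not code from the Roundup project or from this page's author: it restates the issue and file checks, generalises the file check into one builder that also covers messages (the second TODO below), and runs them against a constructed in-memory stand-in for Roundup's hyperdb so the access decisions can be verified offline. FakeClass, FakeDB and the sample ids are assumptions made for the example; only the check signature (db, userid, itemid) and the get()/find() calls mirror what the page uses.

```python
# Added example: customer visibility checks run against a fake hyperdb.
# FakeClass/FakeDB are constructed stand-ins, not part of Roundup.

class FakeClass:
    """Minimal stand-in for a hyperdb class: get() and find() only."""
    def __init__(self, items):
        self.items = items  # {itemid: {property: value}}

    def get(self, itemid, prop):
        return self.items[itemid].get(prop)

    def find(self, **spec):
        # Mirrors Roundup's find(): items whose Link/Multilink property
        # equals or contains the given id.
        hits = []
        for itemid, props in self.items.items():
            for prop, wanted in spec.items():
                value = props.get(prop)
                if (isinstance(value, list) and wanted in value) or value == wanted:
                    hits.append(itemid)
                    break
        return hits


class FakeDB:
    def __init__(self, user, issue, file, msg):
        self.user = FakeClass(user)
        self.issue = FakeClass(issue)
        self.file = FakeClass(file)
        self.msg = FakeClass(msg)


def customer_issue(db, userid, itemid):
    """Customer may view an issue only if it is linked to the same customer."""
    if not itemid:
        return 0  # no general (search/list) access
    user_customer = db.user.get(userid, 'customer')
    if user_customer is None:
        return 0  # login not linked to any customer
    return db.issue.get(itemid, 'customer') == user_customer


def customer_linked_item(prop):
    """Build a check for items reachable from an issue through the
    multilink `prop` ('files' for the file class, 'messages' for msg)."""
    def check(db, userid, itemid):
        if not itemid:
            return 0
        user_customer = db.user.get(userid, 'customer')
        if user_customer is None:
            return 0
        for issue_id in db.issue.find(**{prop: itemid}):
            if db.issue.get(issue_id, 'customer') == user_customer:
                return 1
        return 0
    return check


customer_file = customer_linked_item('files')
customer_msg = customer_linked_item('messages')

# Constructed sample data (ids are strings, as in Roundup):
# user 1 belongs to customer 1, user 2 has no customer link,
# issue 2 has no customer link at all.
DB = FakeDB(
    user={'1': {'customer': '1'}, '2': {'customer': None}},
    issue={'1': {'customer': '1', 'files': ['1'], 'messages': ['1']},
           '2': {'customer': None, 'files': ['2'], 'messages': []},
           '3': {'customer': '2', 'files': ['3'], 'messages': ['2']}},
    file={'1': {}, '2': {}, '3': {}},
    msg={'1': {}, '2': {}},
)

if __name__ == '__main__':
    print('user 1 sees issue 1:', bool(customer_issue(DB, '1', '1')))
    print('user 2 sees issue 2:', bool(customer_issue(DB, '2', '2')))
    print('user 1 sees file 3:', customer_file(DB, '1', '3'))
    print('user 1 sees msg 1:', customer_msg(DB, '1', '1'))
```

In schema.py, customer_msg is registered exactly like the file check on this page, with klass='msg' in place of klass='file'. The guard on user_customer matters: a Roundup Link property that is unset reads as None, so without it a "Customer" login with no customer assigned would compare equal to every issue whose customer field is also empty.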

TODO: needs to limit permission so customers can't edit the customer, status or priority fields.

TODO: needs to protect messages as well as files.