SF.net SVN: ledger-smb:[4355] branches/1.3
- Subject: SF.net SVN: ledger-smb:[4355] branches/1.3
- From: ..hidden..
- Date: Fri, 24 Feb 2012 10:59:05 +0000
Revision: 4355
http://ledger-smb.svn.sourceforge.net/ledger-smb/?rev=4355&view=rev
Author: einhverfr
Date: 2012-02-24 10:59:04 +0000 (Fri, 24 Feb 2012)
Log Message:
-----------
Correcting bug 3485178. Menu acls tightened up, and entity_employee permissions tightened up as well
Modified Paths:
--------------
branches/1.3/Changelog
branches/1.3/sql/modules/Roles.sql
Modified: branches/1.3/Changelog
===================================================================
--- branches/1.3/Changelog 2012-02-23 14:11:33 UTC (rev 4354)
+++ branches/1.3/Changelog 2012-02-24 10:59:04 UTC (rev 4355)
@@ -12,6 +12,7 @@
* Updated add_custom_field to run on PostgreSQL 9.0 (Chris T)
* Updated dists/rpm/build.sh to support RHEL 5 (Hilton D)
* Corrected stylesheet not set on error pages (Chris T)
+* Tightened up permissions on menu items and employee management (Chris T)
Hilton D is Hilton Day
Modified: branches/1.3/sql/modules/Roles.sql
===================================================================
--- branches/1.3/sql/modules/Roles.sql 2012-02-23 14:11:33 UTC (rev 4354)
+++ branches/1.3/sql/modules/Roles.sql 2012-02-24 10:59:04 UTC (rev 4355)
@@ -96,10 +96,11 @@
values (30, 'allow', 'lsmb_<?lsmb dbname ?>__contact_read');
INSERT INTO menu_acl (node_id, acl_type, role_name)
values (33, 'allow', 'lsmb_<?lsmb dbname ?>__contact_read');
-INSERT INTO menu_acl (node_id, acl_type, role_name)
-values (49, 'allow', 'lsmb_<?lsmb dbname ?>__contact_read');
+DELETE FROM menu_acl
+WHERE node_id = 49 AND role_name = 'lsmb_<?lsmb dbname ?>__contact_read';
+
CREATE ROLE "lsmb_<?lsmb dbname ?>__contact_create"
WITH INHERIT NOLOGIN
IN ROLE "lsmb_<?lsmb dbname ?>__contact_read";
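Review bot: The `DELETE FROM menu_acl` for node 49 has no comment saying it exists to strip a row that earlier revisions of this file inserted, and the rest of the script only creates roles and adds ACL rows. A line above it such as `-- remove menu access granted by earlier versions of this file (bug 3485178)` would keep a later cleanup from dropping the statement as dead code and leaving the old access in place on upgraded databases. The same comment is missing on the `DELETE` for nodes 206 and 210 in the `@@ -208,10 +218,9 @@` hunk. On a fresh database both statements match no rows, which the comment could also state.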
@@ -154,8 +155,17 @@
values (30, 'allow', 'lsmb_<?lsmb dbname ?>__contact_create');
INSERT INTO menu_acl (node_id, acl_type, role_name)
values (31, 'allow', 'lsmb_<?lsmb dbname ?>__contact_create');
+
+
+CREATE ROLE "lsmb_<?lsmb dbname ?>__employees_manage"
+WITH INHERIT NOLOGIN
+IN ROLE "lsmb_<?lsmb dbname ?>__contact_read";
+
+GRANT ALL ON entity_employee, person, entity, entity_id_seq
+TO "lsmb_<?lsmb dbname ?>__employees_manage";
+
INSERT INTO menu_acl (node_id, acl_type, role_name)
-values (48, 'allow', 'lsmb_<?lsmb dbname ?>__contact_create');
+values (48, 'allow', 'lsmb_<?lsmb dbname ?>__employees_manage');
CREATE ROLE "lsmb_<?lsmb dbname ?>__contact_edit"
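Review bot: Node 48 is moved to `employees_manage` only by editing the `INSERT`, so a database that already ran the old script presumably keeps its `(48, 'allow', ...__contact_create)` row and the menu entry stays visible to `contact_create`. Nodes 49, 206 and 210 get an explicit `DELETE` in this commit; node 48 needs the same, e.g. `DELETE FROM menu_acl WHERE node_id = 48 AND role_name = 'lsmb_<?lsmb dbname ?>__contact_create';`. Separately, `GRANT ALL` on `entity_employee, person, entity` also conveys DELETE, TRUNCATE, REFERENCES and TRIGGER; if employee management only reads and writes rows, listing `SELECT, INSERT, UPDATE` would match the stated intent of tightening permissions.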
@@ -208,10 +218,9 @@
GRANT EXECUTE ON FUNCTION batch_post(int) TO "lsmb_<?lsmb dbname ?>__batch_post";
-INSERT INTO menu_acl (node_id, acl_type, role_name)
-values (206, 'allow', 'lsmb_<?lsmb dbname ?>__contact_create');
-INSERT INTO menu_acl (node_id, acl_type, role_name)
-values (210, 'allow', 'lsmb_<?lsmb dbname ?>__contact_create');
+DELETE FROM menu_acl
+ WHERE node_id in (206, 210)
+ AND role_name = 'lsmb_<?lsmb dbname ?>__contact_create';
-- AR
CREATE ROLE "lsmb_<?lsmb dbname ?>__ar_transaction_create"
@@ -815,6 +824,9 @@
CREATE ROLE "lsmb_<?lsmb dbname ?>__part_edit"
WITH INHERIT NOLOGIN;
+GRANT SELECT ON assembly, orderitems, jcitems, invoice
+TO "lsmb_<?lsmb dbname ?>__part_edit";
+
GRANT DELETE ON assembly TO "lsmb_<?lsmb dbname ?>__part_edit";
GRANT UPDATE ON parts, partsgroup, assembly TO "lsmb_<?lsmb dbname ?>__part_edit";
GRANT ALL ON makemodel TO "lsmb_<?lsmb dbname ?>__part_edit";
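Review bot: The added `GRANT SELECT ON assembly, orderitems, jcitems, invoice` widens what `part_edit` can read to order and invoice line tables, in a commit whose message describes tightening, and nothing in the hunk explains why. If the part-editing path needs these reads (for instance to check whether a part is already referenced), a comment such as `-- read access needed to check where a part is in use` would record that. Otherwise the grant should name only the tables that path actually queries.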
@@ -1546,7 +1558,8 @@
CREATE ROLE "lsmb_<?lsmb dbname ?>__users_manage"
WITH INHERIT NOLOGIN
IN ROLE "lsmb_<?lsmb dbname ?>__contact_edit",
-"lsmb_<?lsmb dbname ?>__contact_create";
+"lsmb_<?lsmb dbname ?>__contact_create",
+"lsmb_<?lsmb dbname ?>__employees_manage";
GRANT SELECT ON role_view TO "lsmb_<?lsmb dbname ?>__users_manage";
GRANT EXECUTE ON FUNCTION admin__add_user_to_role(TEXT, TEXT)
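Review bot: Adding `employees_manage` to the `IN ROLE` list only takes effect when `users_manage` is first created; on a database where the role already exists, `CREATE ROLE` fails and the membership is not changed. The `DELETE` statements and the `--fixing old perms` comment elsewhere in this commit suggest the script is re-applied to existing databases, so an explicit `GRANT "lsmb_<?lsmb dbname ?>__employees_manage" TO "lsmb_<?lsmb dbname ?>__users_manage";` after the `CREATE ROLE` would carry the change over. Without it, upgraded installs may leave user administrators without the menu entry and table grants that moved to the new role. The `GRANT EXECUTE` statement at the end of the hunk continues outside it.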
@@ -1712,6 +1725,8 @@
GRANT SELECT, INSERT ON asset_report, asset_report_line, asset_item, asset_class
TO "lsmb_<?lsmb dbname ?>__assets_depreciate";
+GRANT ALL ON asset_report_id_seq TO "lsmb_<?lsmb dbname ?>__assets_depreciate";
+
INSERT INTO menu_acl(role_name, acl_type, node_id)
values('lsmb_<?lsmb dbname ?>__assets_depreciate', 'allow', 238);
INSERT INTO menu_acl(role_name, acl_type, node_id)
@@ -1746,7 +1761,9 @@
GRANT SELECT ON language, project TO public;
GRANT SELECT ON business, exchangerate, department, new_shipto, tax TO public;
GRANT ALL ON recurring, recurringemail, recurringprint, status TO public;
-GRANT ALL ON transactions, entity_employee TO public;
+GRANT ALL ON transactions TO public;
+GRANT SELECT ON entity_employee TO public;
+REVOKE INSERT, UPDATE, DELETE ON entity_employee FROM public; --fixing old perms
GRANT ALL ON pending_job, payments_queue TO PUBLIC;
GRANT ALL ON pending_job_id_seq TO public;
GRANT ALL ON invoice_tax_form TO public;
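Review bot: The `REVOKE INSERT, UPDATE, DELETE ON entity_employee FROM public` leaves TRUNCATE, REFERENCES and TRIGGER in place on databases that previously ran `GRANT ALL ... TO public`, so on PostgreSQL versions with a TRUNCATE privilege any database user could still empty the table. `REVOKE ALL ON entity_employee FROM public;` placed before the `GRANT SELECT` line removes everything the old grant gave and yields the same result on fresh and upgraded databases. The `--fixing old perms` comment could also name the bug number so the reason for the statement survives.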