comparison doc/upgrading.txt @ 4320:1072574dab86
include some additional docs
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Tue, 12 Jan 2010 05:18:41 +0000 |
| parents | 05d3f47003fc |
| children | f11b38b91c99 |
comparison
| 4319:7bb454a9a1cd | 4320:1072574dab86 |
|---|---|
| 19 Item creation now checks the "Create" permission instead of the "Edit" | 19 Item creation now checks the "Create" permission instead of the "Edit" |
| 20 permission for individual properties. If you have modified your tracker | 20 permission for individual properties. If you have modified your tracker |
| 21 permissions from the default distribution, you should check that | 21 permissions from the default distribution, you should check that |
| 22 "Create" permissions exist for all properties you want users to be able | 22 "Create" permissions exist for all properties you want users to be able |
| 23 to create. | 23 to create. |
| 24 | |
| 25 Fixing some potential security holes | |
| 26 ------------------------------------ | |
| 27 | |
| 28 Some HTML templates were found to have formatting security problems: | |
| 29 | |
| 30 ``html/page.html``:: | |
| 31 | |
| 32 -tal:replace="request/user/username">username</span></b><br> | |
| 33 +tal:replace="python:request.user.username.plain(escape=1)">username</span></b><br> | |
| 34 | |
| 35 ``html/_generic.help-list.html``:: | |
| 36 | |
| 37 -tal:content="structure python:item[prop]"></label> | |
| 38 +tal:content="python:item[prop]"></label> | |
| 39 | |
| 40 The lines marked "+" should be added and lines marked "-" should be | |
| 41 deleted (minus the "+"/"-" signs). | |
| 42 | |
| 24 | 43 |
| 25 Migrating from 1.4.x to 1.4.11 | 44 Migrating from 1.4.x to 1.4.11 |
| 26 ============================== | 45 ============================== |
| 27 | 46 |
| 28 Close potential security hole | 47 Close potential security hole |
| 65 -db.security.addPermissionToRole('Anonymous', 'Create', 'user') | 84 -db.security.addPermissionToRole('Anonymous', 'Create', 'user') |
| 66 +db.security.addPermissionToRole('Anonymous', 'Register', 'user') | 85 +db.security.addPermissionToRole('Anonymous', 'Register', 'user') |
| 67 | 86 |
| 68 The lines marked "+" should be added and lines marked "-" should be | 87 The lines marked "+" should be added and lines marked "-" should be |
| 69 deleted (minus the "+"/"-" signs). | 88 deleted (minus the "+"/"-" signs). |
| 89 | |
| 90 You should also modify the ``html/page.py`` template to change the | |
| 91 permission tested there:: | |
| 92 | |
| 93 -tal:condition="python:request.user.hasPermission('Create', 'user')" | |
| 94 +tal:condition="python:request.user.hasPermission('Register', 'user')" | |
| 70 | 95 |
| 71 | 96 |
| 72 Generic class editor may now restore retired items | 97 Generic class editor may now restore retired items |
| 73 -------------------------------------------------- | 98 -------------------------------------------------- |
| 74 | 99 |
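Review bot: In the first inserted block (new lines 25-41), the sentence at line 28, "Some HTML templates were found to have formatting security problems", does not name the problem, so an admin with customised templates cannot tell what else to look for. Both fixes concern output escaping: line 33 adds `plain(escape=1)` and line 38 drops `structure`, which makes TAL insert the value without HTML-escaping it. Suggest stating that explicitly and adding a sentence that tells readers to check their own modified templates for other `structure` uses on user-supplied values. The snippets at lines 32-33 and 37-38 also start mid-tag, so naming the attribute to search for would help readers locate them.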
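Review bot: In the second inserted block (new lines 89-94), line 90 refers to ``html/page.py``, but the template named at line 30 of this same change is ``html/page.html`` and the snippet at lines 93-94 is TAL markup, so this looks like a typo for ``html/page.html``. The paragraph is also placed after the 'lines marked "+" should be added' explanation at lines 87-88, so the second snippet is not covered by it; consider moving that explanation below line 94.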
