Mercurial Repository: p/roundup/code: roundup/xmlrpc.py comparison

comparison roundup/xmlrpc.py @ 4437:261c9f913ff7

- Add explicit "Search" permissions, see Security Fix below. - Security Fix: Add a check for search-permissions: now we allow searching for properties only if the property is readable without a check method or if an explicit search permission (see above unter "Features) is given for the property. This fixes cases where a user doesn't have access to a property but can deduce the content by crafting a clever search, group or sort query. see doc/upgrading.txt for how to fix your trackers!

author	Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
date	Tue, 19 Oct 2010 15:29:05 +0000
parents	40d7414592ac
children	3f251efd5f48

comparison

equal deleted inserted replaced

-:528ace81fd16
+:261c9f913ff7
 return result
 def filter(self, classname, search_matches, filterspec,
 sort=[], group=[]):
 cl = self.db.getclass(classname)
+uid = self.db.getuid()
+security = self.db.security
+filterspec = security.filterFilterspec (uid, classname, filterspec)
+sort = security.filterSortspec (uid, classname, sort)
+group = security.filterSortspec (uid, classname, group)
 result = cl.filter(search_matches, filterspec, sort=sort, group=group)
-return result
+check = security.hasPermission
+x = [id for id in result if check('View', uid, classname, itemid=id)]
+return x
 def display(self, designator, *properties):
 classname, itemid = hyperdb.splitDesignator(designator)
 cl = self.db.getclass(classname)
 props = properties and list(properties) or cl.properties.keys()

Mercurial > p > roundup > code

comparison roundup/xmlrpc.py @ 4437:261c9f913ff7