Mercurial Repository: p/roundup/code: roundup/mailgw.py comparison

fix security check in mailgw [SF#1442145]

author	Richard Jones <richard@users.sourceforge.net>
date	Fri, 03 Mar 2006 00:13:20 +0000
parents	7f1e2d650486
children	1113e1456093

comparison

equal deleted inserted replaced

-:026adc5f1e13
+:338f204ea2a5
 set() method to add the message to the item's spool; in the second case we
 are calling the create() method to create a new node). If an auditor raises
 an exception, the original message is bounced back to the sender with the
 explanatory message given in the exception.
-$Id: mailgw.py,v 1.173 2006-03-02 23:45:22 richard Exp $
+$Id: mailgw.py,v 1.174 2006-03-03 00:13:20 richard Exp $
 """
 __docformat__ = 'restructuredtext'
 import string, re, os, mimetools, cStringIO, smtplib, socket, binascii, quopri
 import time, random, sys, logging
 raise Unauthorized, 'You are not permitted to access '\
 'this tracker.'
 # make sure they're allowed to edit or create this class of information
 if nodeid:
-if not self.db.security.hasPermission('Edit', author, classname):
+if not self.db.security.hasPermission('Edit', author, classname,
+itemid=nodeid):
 raise Unauthorized, 'You are not permitted to '\
 'edit %s.'%classname
 else:
 if not self.db.security.hasPermission('Create', author, classname):
 raise Unauthorized, 'You are not permitted to '\

Mercurial > p > roundup > code