Mercurial Repository: p/roundup/code: doc/upgrading.txt comparison

Fix security hole allowing user permission escalation (thanks Ralf Schlatterbeck) also update docs and prepare for a release

author	Richard Jones <richard@users.sourceforge.net>
date	Sun, 20 Dec 2009 23:24:21 +0000
parents	e16a1131ba67
children	8e0d350ce644

comparison

equal deleted inserted replaced

-:82f7f8708e1b
+:b30bdfae4461
 .. contents::
 Migrating from 1.4.x to 1.4.11
 ==============================
+Close poential security hole
+----------------------------
+If your tracker has untrusted users you should examine its ``schema.py``
+file and look for the section granting the "Edit" permission to your users.
+This should look something like::
+p = db.security.addPermission(name='Edit', klass='user', check=own_record,
+description="User is allowed to edit their own user details")
+and should be modified to restrict the list of properties they are allowed
+to edit by adding the ``properties=`` section like::
+p = db.security.addPermission(name='Edit', klass='user', check=own_record,
+properties=('username', 'password', 'address', 'realname', 'phone',
+'organisation', 'alternate_addresses', 'queries', 'timezone'),
+description="User is allowed to edit their own user details")
+Most importantly the "roles" property should not be editable - thus not
+appear in that list of properties.
 Grant the "Register" permission to the Anonymous role
 -----------------------------------------------------
 A separate "Register" permission has been introduced to allow

Mercurial > p > roundup > code