comparison roundup/cgi/client.py @ 1857:dc6f2155e5b4
Anonymous user can no longer edit or view itself.
This fixes a security bug [SF#828901].
| author | Johannes Gijsbers <jlgijsbers@users.sourceforge.net> |
|---|---|
| date | Fri, 24 Oct 2003 09:32:19 +0000 |
| parents | 7c84534aec13 |
| children | dc43e339e607 |
| 1856:7c84534aec13 | 1857:dc6f2155e5b4 |
|---|---|
| 1 # $Id: client.py,v 1.142 2003-10-22 16:47:55 jlgijsbers Exp $ | 1 # $Id: client.py,v 1.143 2003-10-24 09:32:19 jlgijsbers Exp $ |
| 2 | 2 |
| 3 __doc__ = """ | 3 __doc__ = """ |
| 4 WWW request handler (also used in the stand-alone server). | 4 WWW request handler (also used in the stand-alone server). |
| 5 """ | 5 """ |
| 6 | 6 |
| 968 # right permission. | 968 # right permission. |
| 969 if props.has_key('roles') and not has('Web Roles', self.userid, | 969 if props.has_key('roles') and not has('Web Roles', self.userid, |
| 970 'user'): | 970 'user'): |
| 971 return 0 | 971 return 0 |
| 972 # if the item being edited is the current user, we're ok | 972 # if the item being edited is the current user, we're ok |
| 973 if self.nodeid == self.userid: | 973 if (self.nodeid == self.userid |
| 974 and self.db.user.get(self.nodeid, 'username') != 'anonymous'): | |
| 974 return 1 | 975 return 1 |
| 975 if self.db.security.hasPermission('Edit', self.userid, self.classname): | 976 if self.db.security.hasPermission('Edit', self.userid, self.classname): |
| 976 return 1 | 977 return 1 |
| 977 return 0 | 978 return 0 |
| 978 | 979 |
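Review bot: the new self-edit guard at lines 973-974 identifies the anonymous user by comparing the username against the hard-coded string 'anonymous', so a tracker whose anonymous account is named differently would still let that account edit itself; consider expressing the check in terms of the user's role (the way the 'Web Roles' test a few lines above does) or a single shared helper rather than a magic string. Also, the commit message says the anonymous user can no longer edit or view itself, but this hunk only adds the condition on the Edit path (the code falls through to hasPermission('Edit', ...)); if the View path is handled elsewhere it should be mentioned in the message, and if it is not, that half of the fix is still missing. A short comment next to the new condition explaining why anonymous is excluded from the "editing yourself is fine" shortcut would help the next reader.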
