diff share/roundup/templates/classic/schema.py @ 4437:261c9f913ff7

- Add explicit "Search" permissions, see Security Fix below.
- Security Fix: Add a check for search permissions: now we allow searching for properties only if the property is readable without a check method or if an explicit search permission (see above under "Features") is given for the property. This fixes cases where a user doesn't have access to a property but can deduce the content by crafting a clever search, group or sort query. See doc/upgrading.txt for how to fix your trackers!
author Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net>
date Tue, 19 Oct 2010 15:29:05 +0000
parents b30bdfae4461
children a403c29ffaf9
--- a/share/roundup/templates/classic/schema.py	Tue Oct 19 00:41:29 2010 +0000
+++ b/share/roundup/templates/classic/schema.py	Tue Oct 19 15:29:05 2010 +0000
@@ -129,6 +129,8 @@
 p = db.security.addPermission(name='View', klass='query', check=view_query,
     description="User is allowed to view their own and public queries")
 db.security.addPermissionToRole('User', p)
+p = db.security.addPermission(name='Search', klass='query')
+db.security.addPermissionToRole('User', p)
 p = db.security.addPermission(name='Edit', klass='query', check=edit_query,
     description="User is allowed to edit their queries")
 db.security.addPermissionToRole('User', p)
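Review bot: The new `Search` permission on the `query` class is granted to role `User` with no `check` function, while the neighbouring `View` permission is restricted by `check=view_query` ("own and public queries"). Per the commit message, an explicit search permission bypasses the "readable without a check method" rule, so with this hunk a `User` may filter, group and sort on any `query` property even where `view_query` would deny viewing that particular query; if that is the intent, please say so in `doc/upgrading.txt` (referenced in the message), otherwise consider limiting it, e.g. via `properties=[...]` or a `check=`, in line with how `View` is scoped. Minor: the new `addPermission` call lacks the `description=` that the adjacent `View` and `Edit` calls carry, e.g. `description="User is allowed to search queries"`.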

Roundup Issue Tracker: http://roundup-tracker.org/