diff share/roundup/templates/devel/schema.py @ 4437:261c9f913ff7
- Add explicit "Search" permissions, see Security Fix below.
- Security Fix: Add a check for search-permissions: now we allow
searching for properties only if the property is readable without a
check method or if an explicit search permission (see above under
"Features") is given for the property. This fixes cases where a user
doesn't have access to a property but can deduce the content by
crafting a clever search, group or sort query.
see doc/upgrading.txt for how to fix your trackers!
| author | Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net> |
|---|---|
| date | Tue, 19 Oct 2010 15:29:05 +0000 |
| parents | b419f29b1e2f |
| children | cc402f5ad93e |
--- a/share/roundup/templates/devel/schema.py Tue Oct 19 00:41:29 2010 +0000 +++ b/share/roundup/templates/devel/schema.py Tue Oct 19 15:29:05 2010 +0000 @@ -327,6 +327,8 @@ return userid == db.query.get(itemid, 'creator') p = db.security.addPermission(name='View', klass='query', check=view_query, description="User is allowed to view their own and public queries") +p = db.security.addPermission(name='Search', klass='query') +db.security.addPermissionToRole('User', p) for r in 'User', 'Developer', 'Coordinator': db.security.addPermissionToRole(r, p) p = db.security.addPermission(name='Edit', klass='query', check=edit_query,
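Review bot: the two added lines reassign `p` before the existing `for r in 'User', 'Developer', 'Coordinator': db.security.addPermissionToRole(r, p)` loop, so the loop now grants the new check-less 'Search' permission instead of the 'View' permission that carries `check=view_query`; as written, the View permission defined just above is never attached to any role, User receives Search twice, and the view_query check is effectively dropped for queries. Either place the two new lines after the loop, or bind the Search permission to its own name (for example `ps = db.security.addPermission(name='Search', klass='query')` / `db.security.addPermissionToRole('User', ps)`) so the existing loop keeps granting View. It is also worth a note in doc/upgrading.txt that the Search permission on `query` has no check function, since that is the behaviour trackers inherit when they copy this schema.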
