diff roundup/cgi/templating.py @ 4088:34434785f308

Plug a number of security holes: EditCSV and ExportCSV altered to include permission checks; HTTP POST required on actions which alter data; HTML file uploads served as application/octet-stream; the new-item action now rejects creation of new users; item retirement was not being controlled. Additionally, include documentation of the changes and modify the affected tests.
author Richard Jones <richard@users.sourceforge.net>
date Thu, 12 Mar 2009 02:25:03 +0000
parents 3057092623e1
children 6f698aef2ad4
--- a/roundup/cgi/templating.py	Tue Mar 10 21:01:20 2009 +0000
+++ b/roundup/cgi/templating.py	Thu Mar 12 02:25:03 2009 +0000
@@ -473,6 +473,14 @@
             raise Unauthorised("edit", self._classname,
                 translator=self._client.translator)
 
+    def retire_check(self):
+        """ Raise the Unauthorised exception if the user's not permitted to
+            retire items of this class.
+        """
+        if not self.is_retire_ok():
+            raise Unauthorised("retire", self._classname,
+                translator=self._client.translator)
+
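Review bot: retire_check at the top of the hunk dispatches to self.is_retire_ok(), which the enclosing mixin does not appear to define — the implementations arrive only in the HTMLClass hunk and the item-level hunk further down, so any other subclass of this mixin that reaches retire_check would fail with AttributeError rather than raising Unauthorised. The action is still denied in that case, but not through the exception the callers of the other *_check methods handle, and the failure mode is a traceback rather than a permission error. I would make the contract explicit in the docstring, e.g. `Subclasses must provide is_retire_ok(); this mixin supplies no default.`. The enclosing class header lies outside the hunk, so whether the mixin already ships a fail-closed default could not be confirmed from here.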
 
 class HTMLClass(HTMLInputMixin, HTMLPermissions):
     """ Accesses through a class (either through *class* or *db.<classname>*)
@@ -497,6 +505,12 @@
         return self._db.security.hasPermission('Create', self._client.userid,
             self._classname)
 
+    def is_retire_ok(self):
+        """ Is the user allowed to retire items of the current class?
+        """
+        return self._db.security.hasPermission('Retire', self._client.userid,
+            self._classname)
+
     def is_view_ok(self):
         """ Is the user allowed to View the current class?
         """
@@ -761,13 +775,19 @@
         HTMLInputMixin.__init__(self)
 
     def is_edit_ok(self):
-        """ Is the user allowed to Edit the current class?
+        """ Is the user allowed to Edit this item?
         """
         return self._db.security.hasPermission('Edit', self._client.userid,
             self._classname, itemid=self._nodeid)
 
+    def is_retire_ok(self):
+        """ Is the user allowed to Reture this item?
+        """
+        return self._db.security.hasPermission('Retire', self._client.userid,
+            self._classname, itemid=self._nodeid)
+
     def is_view_ok(self):
-        """ Is the user allowed to View the current class?
+        """ Is the user allowed to View this item?
         """
         if self._db.security.hasPermission('View', self._client.userid,
                 self._classname, itemid=self._nodeid):
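Review bot: The docstring of the new item-level is_retire_ok reads `Is the user allowed to Reture this item?` — `Reture` should be `Retire`, matching the permission name passed to hasPermission on the line below and the wording of the sibling is_edit_ok docstring in the same hunk. Proposed line: `""" Is the user allowed to Retire this item?`. The check itself passes itemid=self._nodeid in the same way as is_edit_ok, which is the right granularity for an item-level permission. The enclosing class definition starts before the hunk.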
@@ -775,7 +795,7 @@
         return self.is_edit_ok()
 
     def is_only_view_ok(self):
-        """ Is the user only allowed to View (ie. not Edit) the current class?
+        """ Is the user only allowed to View (ie. not Edit) this item?
         """
         return self.is_view_ok() and not self.is_edit_ok()
 
