diff share/roundup/templates/classic/schema.py @ 4088:34434785f308
Plug a number of security holes:
- EditCSV and ExportCSV altered to include permission checks
- HTTP POST required on actions which alter data
- HTML file uploads served as application/octet-stream
- New item action rejects creation of new users
- Item retirement was not being controlled
Additionally include documentation of the changes and modify affected tests.
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Thu, 12 Mar 2009 02:25:03 +0000 |
| parents | a6fdaaa3a8bd |
| children | 42331c201b02 |
--- a/share/roundup/templates/classic/schema.py Tue Mar 10 21:01:20 2009 +0000 +++ b/share/roundup/templates/classic/schema.py Thu Mar 12 02:25:03 2009 +0000 @@ -128,6 +128,9 @@ p = db.security.addPermission(name='Edit', klass='query', check=edit_query, description="User is allowed to edit their queries") db.security.addPermissionToRole('User', p) +p = db.security.addPermission(name='Retire', klass='query', check=edit_query, + description="User is allowed to retire their queries") +db.security.addPermissionToRole('User', p) p = db.security.addPermission(name='Create', klass='query', description="User is allowed to create queries") db.security.addPermissionToRole('User', p)
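Review bot: the new `Retire` permission for `klass='query'` reuses `check=edit_query`, so whoever may edit a query may also retire it; tying retirement to the same ownership-scoped check as `Edit` is the right choice, but this hunk only covers the query class. Since the commit message states that item retirement was not being controlled, confirm that retire actions on the other classes defined in this schema are now denied unless an explicit `Retire` permission is granted, and consider a one-line comment next to the added `addPermission` call noting that `Retire` deliberately mirrors the `Edit` check, so a later change to one is not made without the other.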
