diff roundup/roundupdb.py @ 4289:7275e3dec0e0
Fix security problem: if a user has no permission on a message...
...(notably files and content properties) and is on the nosy list, the
content was sent via email. We now check that user has permission on
the message content and files properties. Also add a regression test
for this.
| author | Ralf Schlatterbeck <schlatterbeck@users.sourceforge.net> |
|---|---|
| date | Mon, 30 Nov 2009 14:45:44 +0000 |
| parents | 7baf1925c4c1 |
| children | 236939e4137b |
--- a/roundup/roundupdb.py Sat Nov 28 22:44:02 2009 +0000
+++ b/roundup/roundupdb.py Mon Nov 30 14:45:44 2009 +0000
@@ -227,18 +227,29 @@
 seen_message[recipient] = 1
 def add_recipient(userid, to):
- # make sure they have an address
+ """ make sure they have an address """
 address = self.db.user.get(userid, 'address')
 if address:
 to.append(address)
 recipients.append(userid)
 def good_recipient(userid):
- # Make sure we don't send mail to either the anonymous
- # user or a user who has already seen the message.
+ """ Make sure we don't send mail to either the anonymous
+ user or a user who has already seen the message.
+ Also check permissions on the message if not a system
+ message: A user must have view permisson on content and
+ files to be on the receiver list. We do *not* check the
+ author etc. for now.
+ """
+ allowed = True
+ if msgid:
+ for prop in 'content', 'files':
+ if prop in self.db.msg.properties:
+ allowed = allowed and self.db.security.hasPermission(
+ 'View', userid, 'msg', prop, msgid)
 return (userid and
 (self.db.user.get(userid, 'username') != 'anonymous') and
- not seen_message.has_key(userid))
+ allowed and not seen_message.has_key(userid))
 # possibly send the message to the author, as long as they aren't
 # anonymous
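Review bot: The new `allowed` check in `good_recipient` only consults View permission on the `msg` node's own `content` and `files` properties, so a nosy user who may view the message but not the attached file nodes themselves (presumably items of a separate `file` class with their own `content` — confirm against the attachment code in this module) would still receive them if the mail carries attachments, and nothing checks View on the parent item (`self.classname`/`nodeid`) the message belongs to. I would extend the check to each linked file's `content` as sketched below, and consider gating on the parent item as well. Minor: the docstring spells `permisson`. The enclosing nosy-message method starts before the hunk and continues after it; `good_recipient` itself is fully visible here.
```python
            if msgid:
                # … unchanged: View check on the msg 'content'/'files' properties …
                # attachments are separate nodes with their own permissions;
                # deny the mail if the recipient may not view any of them
                if allowed and 'files' in self.db.msg.properties:
                    for fileid in self.db.msg.get(msgid, 'files'):
                        allowed = allowed and self.db.security.hasPermission(
                            'View', userid, 'file', 'content', fileid)
```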
