diff roundup/cgi/client.py @ 2870:795cdba40c05

enforce View Permission when serving file content [SF#1050470]
author Richard Jones <richard@users.sourceforge.net>
date Fri, 05 Nov 2004 04:55:52 +0000
parents 930e780c751f
children 0998d1b48182
--- a/roundup/cgi/client.py	Fri Nov 05 04:42:45 2004 +0000
+++ b/roundup/cgi/client.py	Fri Nov 05 04:55:52 2004 +0000
@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.195 2004-11-03 09:49:14 a1s Exp $
+# $Id: client.py,v 1.196 2004-11-05 04:55:52 richard Exp $
 
 """WWW request handler (also used in the stand-alone server).
 """
@@ -531,6 +531,12 @@
         if not props.has_key('content'):
             raise NotFound, designator
 
+        # make sure we have permission
+        if not self.db.security.hasPermission('View', self.userid,
+                classname, 'content', nodeid):
+            raise Unauthorised, self._("You are not allowed to view "
+                "this file.")
+
         mime_type = klass.get(nodeid, 'type')
         content = klass.get(nodeid, 'content')
         lmt = klass.get(nodeid, 'activity').timestamp()
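Review bot: The comment on the new check, `# make sure we have permission`, does not say what is being authorised or why the check sits at this point. The call gates View on the `content` property of this specific item, and the `type` and `activity` reads just below rely on it because they have no check of their own. I would spell that out so a later refactor does not move a `klass.get` above the gate: `# require View on this item's 'content' before reading any of its properties (type, content, activity)`. The enclosing function starts and ends outside the hunk, so any reads earlier in it are not visible here and should be confirmed to come after the class lookup only.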
