Mercurial > p > roundup > code
diff CHANGES.txt @ 5257:928512faf565
- issue2550864: Potential information leakage via journal/history
Original code didn't fully implement the security checks.
Users with only Edit access on a property were not able to view the
journal entry for the property. This patch fixes that.
Also had additional info leakage: the target object of a link or
multilink must be viewable or editable in order for the journal entry
to be shown. Otherwise the existance of the target is exposed via the
journal while it is blocked from searches, direct access etc.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 27 Aug 2017 00:19:48 -0400 |
| parents | c193f1c33bd4 |
| children | 1bd252244501 |
line wrap: on
line diff
--- a/CHANGES.txt Sat Aug 26 20:48:57 2017 -0400 +++ b/CHANGES.txt Sun Aug 27 00:19:48 2017 -0400 @@ -203,10 +203,10 @@ config.ini with new options and help text. (John Rouillard) - issue2550864: Potential information leakage via journal/history Hyperdb history function now only returns properties that the user - has View permissions on. Can be overridden by setting a parameter - when calling the method. Also restructured code that implemented - issue1714899 moving it from the templating class to the hyperdb. - (John Rouillard) + can View or Edit and links to objects the user can see. Can be + overridden by setting a parameter when calling the method. + Also restructured code that implemented issue1714899 moving it + from the templating class to the hyperdb. (John Rouillard) - Improves diagnostics for mail processing: When using logging level = DEBUG, bounces and bounce problems are logged. (Bernhard Reiter)