Mercurial > p > roundup > code
diff share/roundup/templates/jinja2/schema.py @ 4902:a403c29ffaf9
Security fix default user permissions
Default user permissions should not include all user attributes. We now
limit this to the username, realname and some further attributes
depending on the schema. Note that we no longer include the email
addresses, depending on your installation you may want to further
restrict this or add some attributes like ``address`` and
``alternate_addresses``.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Fri, 04 Jul 2014 15:32:28 +0200 |
| parents | a8c95abaf3fb |
| children | cf112b90fa8d |
line wrap: on
line diff
--- a/share/roundup/templates/jinja2/schema.py Wed Jun 25 13:19:42 2014 +1000 +++ b/share/roundup/templates/jinja2/schema.py Fri Jul 04 15:32:28 2014 +0200 @@ -101,7 +101,10 @@ # May users view other user information? Comment these lines out # if you don't want them to -db.security.addPermissionToRole('User', 'View', 'user') +p = db.security.addPermission(name='View', klass='user', + properties=('id', 'organisation', 'phone', 'realname', 'timezone', + 'username')) +db.security.addPermissionToRole('User', p) # Users should be able to edit their own details -- this permission is # limited to only the situation where the Viewed or Edited item is their own.