diff share/roundup/templates/classic/schema.py @ 4308:b30bdfae4461
Fix security hole allowing user permission escalation
(thanks Ralf Schlatterbeck)
also update docs and prepare for a release
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Sun, 20 Dec 2009 23:24:21 +0000 |
| parents | 42331c201b02 |
| children | 261c9f913ff7 |
--- a/share/roundup/templates/classic/schema.py Fri Dec 18 11:00:34 2009 +0000 +++ b/share/roundup/templates/classic/schema.py Sun Dec 20 23:24:21 2009 +0000 @@ -112,6 +112,8 @@ description="User is allowed to view their own user details") db.security.addPermissionToRole('User', p) p = db.security.addPermission(name='Edit', klass='user', check=own_record, + properties=('username', 'password', 'address', 'realname', 'phone', + 'organisation', 'alternate_addresses', 'queries', 'timezone'), description="User is allowed to edit their own user details") db.security.addPermissionToRole('User', p)
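Review bot: The new `properties=(...)` tuple on the 'Edit' permission for klass='user' has no comment saying that 'roles' is left out on purpose, and that omission is what closes the escalation named in the commit message. Add a one-line comment above the tuple so a later edit does not widen the list by accident. Because the list is an allow-list, any user property added to the schema later will not be self-editable until it is added here, which is the safe default but worth stating in that same comment. This diff touches only the classic template's schema.py, so any other template schema that grants 'Edit' on 'user' with check=own_record should be checked for the same restriction.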
