diff roundup/cgi/templating.py @ 1857:dc6f2155e5b4

Anonymous user can no longer edit or view itself. This fixes a security bug [SF#828901].
author Johannes Gijsbers <jlgijsbers@users.sourceforge.net>
date Fri, 24 Oct 2003 09:32:19 +0000
parents 389c4d44c73c
children f5c804379c85
--- a/roundup/cgi/templating.py	Wed Oct 22 16:47:55 2003 +0000
+++ b/roundup/cgi/templating.py	Fri Oct 24 09:32:19 2003 +0000
@@ -807,14 +807,16 @@
             Also check whether this is the current user's info.
         '''
         return self._db.security.hasPermission('Edit', self._client.userid,
-            self._classname) or self._nodeid == self._client.userid
+            self._classname) or (self._nodeid == self._client.userid and
+            self._db.user.get(self._client.userid, 'username') != 'anonymous')
 
     def is_view_ok(self):
         ''' Is the user allowed to View the current class?
             Also check whether this is the current user's info.
         '''
         return self._db.security.hasPermission('Edit', self._client.userid,
-            self._classname) or self._nodeid == self._client.userid
+            self._classname) or (self._nodeid == self._client.userid and
+            self._db.user.get(self._client.userid, 'username') != 'anonymous')
 
 class HTMLProperty:
     ''' String, Number, Date, Interval HTMLProperty
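Review bot: is_view_ok still asks hasPermission for 'Edit' while its docstring promises a View check, so a user who holds View but not Edit on the class is refused unless the node is their own; unless Edit is meant to stand in for View in this security model, the call should read `return self._db.security.hasPermission('View', self._client.userid,`. The new anonymous guard is duplicated byte-for-byte in is_edit_ok and is_view_ok and keys on the literal username 'anonymous', so a tracker that renames that account silently loses the protection; a small private helper, e.g. `_is_own_node(self)` returning `self._nodeid == self._client.userid and self._db.user.get(self._client.userid, 'username') != 'anonymous'`, would keep the two predicates from drifting apart. Each call also performs a user lookup before the permission result is known, which could be avoided by evaluating the cheaper nodeid comparison first, as the parenthesised expression already does. is_edit_ok's signature lies before the hunk, and the HTMLProperty class continues past it.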
