diff roundup/cgi/client.py @ 1858:fc524c1caeb0 maint-0.6
Anonymous user can no longer edit or view itself.
This fixes a security bug [SF#828901].
| author | Johannes Gijsbers <jlgijsbers@users.sourceforge.net> |
|---|---|
| date | Fri, 24 Oct 2003 09:32:19 +0000 |
| parents | d81d215167fd |
| children | f29a7edc31da |
--- a/roundup/cgi/client.py Fri Oct 17 01:53:15 2003 +0000 +++ b/roundup/cgi/client.py Fri Oct 24 09:32:19 2003 +0000 @@ -1,4 +1,4 @@ -# $Id: client.py,v 1.130.2.2 2003-08-28 04:53:04 richard Exp $ +# $Id: client.py,v 1.130.2.3 2003-10-24 09:31:13 jlgijsbers Exp $ __doc__ = """ WWW request handler (also used in the stand-alone server). @@ -1031,7 +1031,8 @@ 'user'): return 0 # if the item being edited is the current user, we're ok - if self.nodeid == self.userid: + if (self.nodeid == self.userid + and self.db.user.get(self.nodeid, 'username') != 'anonymous'): return 1 if self.db.security.hasPermission('Edit', self.userid, self.classname): return 1
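Review bot: The self-edit shortcut in the second hunk now depends on the literal username `'anonymous'`, but the context comment above it still reads "if the item being edited is the current user, we're ok", so the security exception is undocumented where it is enforced. I would replace that comment with `# a user may edit their own item, except the shared anonymous account (SF#828901)`. The commit message also mentions viewing, while this is the only permission hunk shown and it appears to sit in an edit check (the enclosing method starts and ends outside the hunk), so it is worth confirming that any matching self-view shortcut carries the same guard. An anonymous request still falls through to the `hasPermission('Edit', ...)` test below, so an explicit role grant on the user class remains the only way to allow it, which looks intended.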
