diff roundup/cgi/templating.py @ 1858:fc524c1caeb0 maint-0.6
Anonymous user can no longer edit or view itself.
This fixes a security bug [SF#828901].
| author | Johannes Gijsbers <jlgijsbers@users.sourceforge.net> |
|---|---|
| date | Fri, 24 Oct 2003 09:32:19 +0000 |
| parents | ae5ed85b111a |
| children | eb7aa7546e13 |
--- a/roundup/cgi/templating.py Fri Oct 17 01:53:15 2003 +0000
+++ b/roundup/cgi/templating.py Fri Oct 24 09:32:19 2003 +0000
@@ -807,14 +807,16 @@
Also check whether this is the current user's info.
'''
return self._db.security.hasPermission('Edit', self._client.userid,
- self._classname) or self._nodeid == self._client.userid
+ self._classname) or (self._nodeid == self._client.userid and
+ self._db.user.get(self._client.userid, 'username') != 'anonymous')
def is_view_ok(self):
''' Is the user allowed to View the current class?
Also check whether this is the current user's info.
'''
return self._db.security.hasPermission('Edit', self._client.userid,
- self._classname) or self._nodeid == self._client.userid
+ self._classname) or (self._nodeid == self._client.userid and
+ self._db.user.get(self._client.userid, 'username') != 'anonymous')
class HTMLProperty:
''' String, Number, Date, Interval HTMLProperty
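Review bot: is_view_ok still asks for the 'Edit' permission although its docstring says View (the `return self._db.security.hasPermission('Edit', ...` line of is_view_ok in this hunk), so a user granted only View on the class is refused unless they are the non-anonymous user being viewed; if Edit is meant to imply View here, the docstring should say so, otherwise `hasPermission('View', ...)` looks like the intended check. The new anonymous test is the same literal `self._db.user.get(self._client.userid, 'username') != 'anonymous'` pasted into both is_edit_ok and is_view_ok, which is easy to let drift; a single helper such as `def _is_own_user(self): return (self._nodeid == self._client.userid and self._db.user.get(self._client.userid, 'username') != 'anonymous')` called from both would keep the two checks in step. A short comment on the new condition, e.g. `# the anonymous user is shared, so "own record" must not grant access to it`, would record why the username test exists. is_edit_ok begins before the hunk.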
