Mercurial > p > roundup > code

view website/issues/html/user.index.html @ 8062:28aa76443f58

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
fix(security): fix CVE-2024-39124, CVE-2024-39124, and CVE-2024-39125 Directions for fixing: * `CVE-2024-39124`_ - :ref:`classhelpers (_generic.help.html) are vulnerable to an XSS attack. <CVE-2024-39124>` Requires fixing tracker homes. * `CVE-2024-39125`_ - :ref:`if Referer header is set to a script tag, it will be executed. <CVE-2024-39125>` Fixed in release 2.4.0, directions available for fixing in prior versions. * `CVE-2024-39126`_ - :ref:`PDF, XML and SVG files downloaded from an issue can contain embedded JavaScript which is executed. <CVE-2024-39126>` Fixed in release 2.4.0, directions available for fixing in prior versions. prior to 2.4.0 release this weekend that fixes the last two CVE's.
author John Rouillard <rouilj@ieee.org>
date Tue, 09 Jul 2024 09:07:09 -0400
parents 370cc9052239
children
line wrap: on
line source

<tal:block metal:use-macro="templates/page/macros/icing">
<title metal:fill-slot="head_title" i18n:translate="">User listing - <span
 i18n:name="tracker" tal:replace="config/TRACKER_NAME" /></title>
<span metal:fill-slot="body_title" tal:omit-tag="python:1"
 i18n:translate="">User listing</span>
<td class="content" metal:fill-slot="content">

<span tal:condition="python:not (context.is_view_ok()
 or request.user.hasRole('Anonymous'))"
 i18n:translate="">You are not allowed to view this page.</span>

<span tal:condition="python:not context.is_view_ok()
 and request.user.hasRole('Anonymous')"
 i18n:translate="">Please login with your username and password.</span>

<form tal:condition="context/is_view_ok" method="get" name="itemSynopsis"
      tal:attributes="action request/classname">

<table class="form" tal:define="
       search_input templates/page/macros/search_input;">

   <tr><th class="header" colspan="5">Search for users</th></tr>
   <tr>
       <th class="header">Username</th>
       <td tal:define="name string:username">
           <input tal:attributes="value python:request.form.getvalue(name) or nothing;
                         name name;
                         id name"/>
       </td>
       <th class="header">Realname</th>
       <td tal:define="name string:realname">
           <input tal:attributes="value python:request.form.getvalue(name) or nothing;
                         name name;
                         id name"/>
       </td>

       <td><input class="form-small" type="submit" value="Search" i18n:attributes="value"/></td>
   </tr>

</table>
   <input type="hidden" name="@action" value="search"/>
</form>


<table width="100%" tal:condition="context/is_view_ok" class="list"
       tal:define="batch request/batch">
<tr>
 <th i18n:translate="">Username</th>
 <th i18n:translate="">Real name</th>
 <th i18n:translate="">Organisation</th>
 <th i18n:translate="">Email address</th>
 <th tal:condition="context/is_edit_ok" i18n:translate="">Retire</th>
</tr>
<tal:block repeat="user batch">
<tr tal:attributes="class python:['normal', 'alt'][repeat['user'].index%6//3]">
 <td>
  <a tal:attributes="href string:user${user/id}"
     tal:content="user/username">username</a>
 </td>
 <td tal:content="python:user.realname.plain() or default">&nbsp;</td>
 <td tal:content="python:user.organisation.plain() or default">&nbsp;</td>
 <td tal:content="python:user.address.email() or default">&nbsp;</td>
 <td tal:condition="context/is_edit_ok">
     <form style="padding:0" method="POST"
           tal:attributes="action string:user${user/id}">
      <input type="hidden" name="@template" value="index">
      <input type="hidden" name="@action" value="retire">
      <input type="submit" value="retire" i18n:attributes="value">
      <input name="@csrf" type="hidden"
	     tal:attributes="value python:utils.anti_csrf_nonce()">
     </form>
 </td>
</tr>
</tal:block>
 <tr tal:condition="batch">
  <th tal:attributes="colspan python:len(request.columns)">
   <table width="100%">
    <tr class="navigation">
     <th>
      <a tal:define="prev batch/previous" tal:condition="prev"
         tal:attributes="href python:request.indexargs_url(request.classname,
         {'@startwith':prev.first, '@pagesize':prev.size})"
         i18n:translate="">&lt;&lt; previous</a>
      &nbsp;
     </th>
     <th i18n:translate=""><span tal:replace="batch/start" i18n:name="start"
     />..<span tal:replace="python: batch.start + batch.length -1" i18n:name="end"
     /> out of <span tal:replace="batch/sequence_length" i18n:name="total"
     /></th>
     <th>
      <a tal:define="next batch/next" tal:condition="next"
         tal:attributes="href python:request.indexargs_url(request.classname,
         {'@startwith':next.first, '@pagesize':next.size})"
         i18n:translate="">next &gt;&gt;</a>
      &nbsp;
     </th>
    </tr>
   </table>
  </th>
 </tr>

</table>
</td>



</tal:block>
Roundup Issue Tracker: http://roundup-tracker.org/