Mercurial > p > roundup > code
view website/issues/initial_data.py @ 5257:928512faf565
- issue2550864: Potential information leakage via journal/history
Original code didn't fully implement the security checks.
Users with only Edit access on a property were not able to view the
journal entry for the property. This patch fixes that.
Also had additional info leakage: the target object of a link or
multilink must be viewable or editable in order for the journal entry
to be shown. Otherwise the existance of the target is exposed via the
journal while it is blocked from searches, direct access etc.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 27 Aug 2017 00:19:48 -0400 |
| parents | c2d0d3e9099d |
| children |
line wrap: on
line source
from roundup.password import Password # # TRACKER INITIAL PRIORITY AND STATUS VALUES # issue_type = db.getclass('issue_type') issue_type.create(name='crash', order='1') issue_type.create(name='compile error', order='2') issue_type.create(name='resource usage', order='3') issue_type.create(name='security', order='4') issue_type.create(name='behavior', order='5') issue_type.create(name='rfe', order='6') component = db.getclass('component') #component.create(name="any", order="1") #component.create(name="3rd party modifications", order="2") #component.create(name="command-line interface", order="3") #component.create(name="database", order="4") #component.create(name="documentation", order="5") #component.create(name="installation", order="6") #component.create(name="mail interface", order="7") #component.create(name="web interface", order="8") version = db.getclass('version') version.create(name='devel', order='1') version.create(name='1.0', order='2') version.create(name='1.1', order='3') version.create(name='1.2', order='4') version.create(name='1.3', order='5') version.create(name='1.4', order='6') severity = db.getclass('severity') severity.create(name='critical', order='1') severity.create(name='urgent', order='2') severity.create(name='major', order='3') severity.create(name='normal', order='4') severity.create(name='minor', order='5') priority = db.getclass('priority') priority.create(name='immediate', order='1') priority.create(name='urgent', order='2') priority.create(name='high', order='3') priority.create(name='normal', order='4') priority.create(name='low', order='5') status = db.getclass('status') status.create(name = "new", order = "1") status.create(name='open', order='2') status.create(name='closed', order='3') status.create(name='pending', description='user feedback required', order='4') resolution = db.getclass('resolution') resolution.create(name='accepted', order='1') resolution.create(name='duplicate', order='2') resolution.create(name='fixed', order='3') resolution.create(name='invalid', order='4') resolution.create(name='later', order='5') resolution.create(name='out of date', order='6') resolution.create(name='postponed', order='7') resolution.create(name='rejected', order='8') resolution.create(name='remind', order='9') resolution.create(name='wont fix', order='10') resolution.create(name='works for me', order='11') keyword = db.getclass("keyword") keyword.create(name="patch", description="Contains patch") # # create the two default users user = db.getclass('user') user.create(username="admin", password=adminpw, address=admin_email, roles='Admin') user.create(username="anonymous", roles='Anonymous')