Mercurial > p > roundup > code
view website/issues/html/file.item.html @ 4902:a403c29ffaf9
Security fix default user permissions
Default user permissions should not include all user attributes. We now
limit this to the username, realname and some further attributes
depending on the schema. Note that we no longer include the email
addresses, depending on your installation you may want to further
restrict this or add some attributes like ``address`` and
``alternate_addresses``.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Fri, 04 Jul 2014 15:32:28 +0200 |
| parents | c2d0d3e9099d |
| children | f63a2b15e628 |
line wrap: on
line source
<tal:block metal:use-macro="templates/page/macros/icing"> <title metal:fill-slot="head_title" i18n:translate="">File display - <span i18n:name="tracker" tal:replace="config/TRACKER_NAME" /></title> <span metal:fill-slot="body_title" tal:omit-tag="python:1" i18n:translate="">File display</span> <td class="content" metal:fill-slot="content"> <p tal:condition="python:not (context.is_view_ok() or request.user.hasRole('Anonymous'))" i18n:translate=""> You are not allowed to view this page.</p> <p tal:condition="python:not context.is_view_ok() and request.user.hasRole('Anonymous')" i18n:translate=""> Please login with your username and password.</p> <form method="POST" onSubmit="return submit_once()" enctype="multipart/form-data" tal:condition="context/is_view_ok" tal:attributes="action context/designator"> <table class="form"> <tr> <th i18n:translate="">Name</th> <td tal:content="structure context/name/field"></td> </tr> <tr> <th i18n:translate="">Description</th> <td tal:content="structure context/description/field"></td> </tr> <tr> <th i18n:translate="">Content Type</th> <td tal:content="structure context/type/field"/> <td style="border: none" tal:condition="python: context.is_edit_ok()">Please note that for security reasons, it's not permitted to set content type to <i>text/html</i>.</td> </tr> <tr tal:condition="python:context.is_edit_ok()"> <td> <input type="hidden" name="@template" value="item"> <input type="hidden" name="@required" value="name,type"> <input type="hidden" name="@multilink" tal:condition="python:request.form.has_key('@multilink')" tal:attributes="value request/form/@multilink/value"> </td> <td tal:content="structure context/submit">submit button here</td> </tr> </table> </form> <!--<p tal:condition="python:utils.sb_is_spam(context)" class="error-message"> File has been classified as spam.</p>--> <a tal:condition="python:context.id and context.content.is_view_ok()" tal:attributes="href string:file${context/id}/${context/name}" i18n:translate="">download</a> <!--<p tal:condition="python:context.id and not context.content.is_view_ok()"> Files classified as spam are not available for download by unathorized users. If you think the file has been misclassified, please login and click on the button for reclassification. </p>--> <!-- <form method="POST" onSubmit="return submit_once()" enctype="multipart/form-data" tal:attributes="action context/designator" tal:condition="python:request.user.hasPermission('SB: May Classify')"> <input type="hidden" name="@action" value="spambayes_classify"> <input type="submit" name="trainspam" value="Mark as SPAM" i18n:attributes="value"> <input type="submit" name="trainham" value="Mark as HAM (not SPAM)" i18n:attributes="value"> </form>--> <tal:block tal:condition="context/id" tal:replace="structure context/history" /> </td> </tal:block>