Mercurial > p > roundup > code

view website/issues/html/query.item.html @ 6375:c4371ec7d1c0

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Call verifyPassword even if user does not exist. Address timing attack caused by not doing the password check if the user doesn't exist. Can expose valid usernames. Really only useful for a tracker that doesn't allow anonymous access to issues. Issues usually show usernames as part of the message display.
author John Rouillard <rouilj@ieee.org>
date Tue, 06 Apr 2021 22:51:55 -0400
parents 578b5294e888
children
line wrap: on
line source

<!-- query.item -->
<span tal:condition="context/is_view_ok" tal:replace="structure
      context/renderQueryForm" />
<tal:block tal:condition="not:context/is_view_ok">
  <tal:block metal:use-macro="templates/page/macros/icing">
    <title metal:fill-slot="head_title">You can not view query</title>
    <tal:block metal:fill-slot="body_title">
      You can not view query.
    </tal:block>
    <td class="content" metal:fill-slot="content">
      You are not allowed to view <span tal:content="context/_classname"/>
      with id <span tal:content="context/id"/>
    </td>
  </tal:block>
</tal:block>
Roundup Issue Tracker: http://roundup-tracker.org/