changeset 5274:07da34337f70

html/query.item.html was missing checks to verify that a query should be visible to the user. This is fixed and users can only view queries that they own or that are not private.
author John Rouillard <rouilj@ieee.org>
date Sat, 23 Sep 2017 22:00:22 -0400
parents 1bd252244501
children fee207407dee
files CHANGES.txt doc/upgrading.txt share/roundup/templates/classic/html/query.item.html share/roundup/templates/devel/html/query.item.html share/roundup/templates/responsive/html/query.item.html
diffstat 5 files changed, 58 insertions(+), 6 deletions(-) [+]
--- a/CHANGES.txt	Sat Sep 23 21:29:22 2017 -0400
+++ b/CHANGES.txt	Sat Sep 23 22:00:22 2017 -0400
@@ -457,6 +457,9 @@
 - CSRF protection broke the retire function for query edit. Fix
   javascript and make sure csrf tokens are provided in the right
   places. (John Rouillard)
+- query.item.html was missing checks to verify that a query should
+  be visible to the user. This is fixed and users can only view
+  queries that they own or that are not private. (John Rouillard)
 
 2016-01-11: 1.5.1
 
--- a/doc/upgrading.txt	Sat Sep 23 21:29:22 2017 -0400
+++ b/doc/upgrading.txt	Sat Sep 23 22:00:22 2017 -0400
@@ -518,6 +518,19 @@
 "Queries others created" section of the query edit page
 (``http..../query?@template=edit``).
 
+Fix security issues in query.item.html template
+-----------------------------------------------
+The default query.item.html template allows anybody to view all
+queries.
+
+This has been updated in the classic, devel and responsive templates
+to only allow people to view queries they creates or queries that are
+publicly viewable.
+
+If you haven't modified you query.item.html template, simply copy the
+query.item.html template from one of the above default templates to
+your tracker's html directory.
+
 Enhancement to check command for Permissions
 --------------------------------------------
 
--- a/share/roundup/templates/classic/html/query.item.html	Sat Sep 23 21:29:22 2017 -0400
+++ b/share/roundup/templates/classic/html/query.item.html	Sat Sep 23 22:00:22 2017 -0400
@@ -1,3 +1,15 @@
 <!-- query.item -->
-<span tal:replace="structure context/renderQueryForm" />
-
+<span tal:condition="context/is_view_ok" tal:replace="structure
+      context/renderQueryForm" />
+<tal:block tal:condition="not:context/is_view_ok">
+  <tal:block metal:use-macro="templates/page/macros/icing">
+    <title metal:fill-slot="head_title">You can not view query</title>
+    <tal:block metal:fill-slot="body_title">
+      You can not view query.
+    </tal:block>
+    <td class="content" metal:fill-slot="content">
+      You are not allowed to view <span tal:content="context/_classname"/>
+      with id <span tal:content="context/id"/>
+    </td>
+  </tal:block>
+</tal:block>
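Review bot: The visibility rule named in the commit message (own queries or non-private ones) is not expressed in this template; `tal:condition="context/is_view_ok"` on the new first line delegates, as far as I can tell, to whatever View permission the tracker's schema grants on the query class, so a tracker whose schema grants an unconditional View on query to its users will still show every query after copying this file. The upgrading note in this changeset only tells administrators to copy the template; it would be worth pairing that with a reminder to confirm that the schema's View permission for query carries an owner/private check. The denied branch echoes `context/_classname` and `context/id` through `tal:content`, which escapes output, and both values are already part of the request URL, so that branch adds no new disclosure. A header comment such as `<!-- query.item: the form is rendered only when the schema's View permission on query permits it; the denied page is shown otherwise -->` would make the dependency on the schema explicit. The devel and responsive template hunks below carry identical markup and the same point applies to them.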
--- a/share/roundup/templates/devel/html/query.item.html	Sat Sep 23 21:29:22 2017 -0400
+++ b/share/roundup/templates/devel/html/query.item.html	Sat Sep 23 22:00:22 2017 -0400
@@ -1,3 +1,15 @@
 <!-- query.item -->
-<span tal:replace="structure context/renderQueryForm" />
-
+<span tal:condition="context/is_view_ok" tal:replace="structure
+      context/renderQueryForm" />
+<tal:block tal:condition="not:context/is_view_ok">
+  <tal:block metal:use-macro="templates/page/macros/icing">
+    <title metal:fill-slot="head_title">You can not view query</title>
+    <tal:block metal:fill-slot="body_title">
+      You can not view query.
+    </tal:block>
+    <td class="content" metal:fill-slot="content">
+      You are not allowed to view <span tal:content="context/_classname"/>
+      with id <span tal:content="context/id"/>
+    </td>
+  </tal:block>
+</tal:block>
--- a/share/roundup/templates/responsive/html/query.item.html	Sat Sep 23 21:29:22 2017 -0400
+++ b/share/roundup/templates/responsive/html/query.item.html	Sat Sep 23 22:00:22 2017 -0400
@@ -1,3 +1,15 @@
 <!-- query.item -->
-<span tal:replace="structure context/renderQueryForm" />
-
+<span tal:condition="context/is_view_ok" tal:replace="structure
+      context/renderQueryForm" />
+<tal:block tal:condition="not:context/is_view_ok">
+  <tal:block metal:use-macro="templates/page/macros/icing">
+    <title metal:fill-slot="head_title">You can not view query</title>
+    <tal:block metal:fill-slot="body_title">
+      You can not view query.
+    </tal:block>
+    <td class="content" metal:fill-slot="content">
+      You are not allowed to view <span tal:content="context/_classname"/>
+      with id <span tal:content="context/id"/>
+    </td>
+  </tal:block>
+</tal:block>
