changeset 2871:1629b3e303d2 maint-0.7

merge(ish) from HEAD
author Richard Jones <richard@users.sourceforge.net>
date Fri, 05 Nov 2004 04:57:50 +0000
parents 80a9419bd5c7
children 49d1fd44881a
files CHANGES.txt roundup/cgi/client.py
diffstat 2 files changed, 7 insertions(+), 1 deletions(-) [+]
--- a/CHANGES.txt	Fri Nov 05 04:41:19 2004 +0000
+++ b/CHANGES.txt	Fri Nov 05 04:57:50 2004 +0000
@@ -10,6 +10,7 @@
 - s/Modifed/Modified (thanks donfu)
 - applied patch fixing some form handling issues in ZRoundup (thanks Chris
   Withers)
+- enforce View Permission when serving file content (sf bug 1050470)
 
 
 2004-10-15 0.7.8
--- a/roundup/cgi/client.py	Fri Nov 05 04:41:19 2004 +0000
+++ b/roundup/cgi/client.py	Fri Nov 05 04:57:50 2004 +0000
@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.176.2.6 2004-10-26 07:59:28 richard Exp $
+# $Id: client.py,v 1.176.2.7 2004-11-05 04:57:50 richard Exp $
 
 """WWW request handler (also used in the stand-alone server).
 """
@@ -445,6 +445,11 @@
         if not props.has_key('content'):
             raise NotFound, designator
 
+        # make sure we have permission
+        if not self.db.security.hasPermission('View', self.userid, classname):
+            raise Unauthorised, self._("You are not allowed to view "
+                "this file.")
+
         mime_type = klass.get(nodeid, 'type')
         content = klass.get(nodeid, 'content')
         lmt = klass.get(nodeid, 'activity').timestamp()
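Review bot: The added `hasPermission('View', self.userid, classname)` call is class-wide and never sees `nodeid`, so it can only decide whether the user may view this class at all, not whether they may view this particular file. If the security model on this branch has any finer-grained restriction, the `klass.get(nodeid, 'content')` read below would still bypass it; this is inferred, because the signature of `hasPermission` is not visible in the hunk. The check also sits after the `props.has_key('content')` test, so an unauthorised caller gets NotFound or Unauthorised depending on the class schema rather than a uniform denial. The comment should say what is enforced, for example `# enforce class-level View permission before any node data is read (sf bug 1050470)`. The enclosing method starts and ends outside the hunk, so earlier validation of `classname` and later use of `content` could not be checked.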
