changeset 3012:6dbe3798a4c4
fix some security assertions [SF#1085481]
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Wed, 15 Dec 2004 00:00:52 +0000 |
| parents | 3a23308a8f57 |
| children | 224c7c0b9708 |
| files | CHANGES.txt roundup/cgi/actions.py templates/classic/html/issue.search.html templates/classic/html/page.html |
| diffstat | 4 files changed, 22 insertions(+), 6 deletions(-) [+] |
--- a/CHANGES.txt Tue Dec 14 23:27:44 2004 +0000
+++ b/CHANGES.txt Wed Dec 15 00:00:52 2004 +0000
@@ -7,6 +7,7 @@
 - fix API for templating utils extensions - remove "utils" arg (sf bug 1081981)
 - back_sqlite.py is missing "import time" (sf bug 1081959)
 - fix (list) popup (sf bug 1083570)
+- fix some security assertions (sf bug 1085481)
 2004-12-08 0.8.0b1
--- a/roundup/cgi/actions.py Tue Dec 14 23:27:44 2004 +0000
+++ b/roundup/cgi/actions.py Wed Dec 15 00:00:52 2004 +0000
@@ -1,4 +1,4 @@
-#$Id: actions.py,v 1.40 2004-11-23 22:45:13 richard Exp $
+#$Id: actions.py,v 1.41 2004-12-15 00:00:52 richard Exp $
 import re, cgi, StringIO, urllib, Cookie, time, random
@@ -59,12 +59,12 @@
 '%(action)s the %(classname)s class.')%info
 _marker = []
- def hasPermission(self, permission, classname=_marker):
+ def hasPermission(self, permission, classname=_marker, itemid=None):
 """Check whether the user has 'permission' on the current class."""
 if classname is self._marker:
 classname = self.client.classname
 return self.db.security.hasPermission(permission, self.client.userid,
- classname)
+ classname=classname, itemid=itemid)
 def gettext(self, msgid):
 """Return the localized translation of msgid"""
@@ -158,9 +158,16 @@
 # edit the old way, only one query per name
 try:
 qid = self.db.query.lookup(queryname)
+ if not self.hasPermission('Edit', self.classname,
+ itemid=qid):
+ raise exceptions.Unauthorised, self._(
+ "You do not have permission to edit queries")
 self.db.query.set(qid, klass=self.classname, url=url)
 except KeyError:
 # create a query
+ if not self.hasPermission('Create', self.classname):
+ raise exceptions.Unauthorised, self._(
+ "You do not have permission to store queries")
 qid = self.db.query.create(name=queryname, klass=self.classname,
 url=url)
 else:
@@ -180,9 +187,16 @@
 for qid in qids:
 if queryname != self.db.query.get(qid, 'name'):
 continue
+ if not self.hasPermission('Edit', self.classname,
+ itemid=qid):
+ raise exceptions.Unauthorised, self._(
+ "You do not have permission to edit queries")
 self.db.query.set(qid, klass=self.classname, url=url)
 else:
 # create a query
+ if not self.hasPermission('Create', self.classname):
+ raise exceptions.Unauthorised, self._(
+ "You do not have permission to store queries")
 qid = self.db.query.create(name=queryname, klass=self.classname,
 url=url, private_for=uid)
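Review bot: The docstring of hasPermission in the -59 hunk is now stale: it still says the check is on "the current class", while the new itemid parameter narrows the check to a single item when it is given, and neither classname nor itemid is documented. Suggest `"""Check whether the user has 'permission' on 'classname' (default: the current class), or on item 'itemid' of that class when itemid is given."""`. The enclosing class starts outside the hunk.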
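Review bot: The four new permission checks in the -158 and -180 hunks pass `self.classname` as the class to check, but the object being guarded is a query item: the adjacent set/create lines store `self.classname` as the query's `klass`, which suggests it is the searched class rather than 'query', and the two templates in this commit check the 'query' class (`hasPermission('Edit', 'query')`). If so, `hasPermission('Edit', self.classname, itemid=qid)` asks for Edit on an item of the searched class whose id happens to equal the query id, and the Create check is likewise evaluated against the searched class, so the assertion guards the wrong class. Suggest `if not self.hasPermission('Edit', 'query', itemid=qid):` and `if not self.hasPermission('Create', 'query'):` at all four sites. The enclosing method starts and ends outside both hunks.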
@@ -468,7 +482,7 @@
 "You do not have permission to edit user roles")
 if self.isEditingSelf():
 return 1
- if self.hasPermission('Edit'):
+ if self.hasPermission('Edit', itemid=self.nodeid):
 return 1
 return 0
--- a/templates/classic/html/issue.search.html Tue Dec 14 23:27:44 2004 +0000
+++ b/templates/classic/html/issue.search.html Wed Dec 15 00:00:52 2004 +0000
@@ -180,7 +180,7 @@
 </td>
 </tr>
-<tr>
+<tr tal:condition="python:request.user.hasPermission('Edit', 'query')">
 <th i18n:translate="">Query name**:</th>
 <td><input name="@queryname" tal:attributes="value request/form/@queryname/value | default"></td>
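Review bot: The new condition hides the query-name row unless the user holds Edit on 'query', but the action side of this commit (roundup/cgi/actions.py, -158 and -180 hunks) requires only Create when storing a new query and Edit only for an existing one, so a user with Create but without Edit loses the form field while the action would accept the request. Suggest `tal:condition="python:request.user.hasPermission('Edit', 'query') or request.user.hasPermission('Create', 'query')"`. The template condition is presentation only; the checks in actions.py remain the enforcement point.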
--- a/templates/classic/html/page.html Tue Dec 14 23:27:44 2004 +0000
+++ b/templates/classic/html/page.html Wed Dec 15 00:00:52 2004 +0000
@@ -24,7 +24,8 @@
 <tr>
 <td rowspan="2" valign="top" class="sidebar">
- <p class="classblock">
+ <p class="classblock"
+ tal:condition="python:request.user.hasPermission('View', 'query')">
 <span i18n:translate=""
 ><b>Your Queries</b> (<a href="query?@template=edit">edit</a>)</span><br>
 <tal:block tal:repeat="qs request/user/queries">
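Review bot: The View condition added to the classblock paragraph also governs the `(<a href="query?@template=edit">edit</a>)` link inside it, so the edit link is shown to every user who may view queries, including those who may not edit them. Consider giving the link its own condition, e.g. `<tal:block tal:condition="python:request.user.hasPermission('Edit', 'query')">(<a href="query?@template=edit">edit</a>)</tal:block>`; hiding the link is a usability measure, the authorisation itself is enforced by the query edit action. The enclosing `<td>` runs past the hunk.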
