changeset 2207:a993c3dcac9b
better check for anonymous viewing of user items [SF#933510]
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Mon, 12 Apr 2004 06:55:41 +0000 |
| parents | 8822a99f7650 |
| children | 0b76c4961802 |
| files | CHANGES.txt TODO.txt roundup/cgi/templating.py |
| diffstat | 3 files changed, 8 insertions(+), 3 deletions(-) |
--- a/CHANGES.txt Sat Apr 10 22:13:47 2004 +0000 +++ b/CHANGES.txt Mon Apr 12 06:55:41 2004 +0000 @@ -27,6 +27,7 @@ - grouping (and sorting) by multilink in RDBMS backends (sf bug 655702) - roundup scripts may now be asked for their version (sf rfe 798657) - sqlite backend had stopped using the global lock +- better check for anonymous viewing of user items (sf bug 933510) 2004-03-27 0.7.0b2
--- a/TODO.txt Sat Apr 10 22:13:47 2004 +0000 +++ b/TODO.txt Mon Apr 12 06:55:41 2004 +0000 @@ -1,5 +1,8 @@ This file contains items that need doing before the next release: +. make Intervals store timestamps, not strings + + Optionally: - have rdbms backends look up the journal for actor if it's not set - migrate to numeric ID values (fixes bug 817217)
--- a/roundup/cgi/templating.py Sat Apr 10 22:13:47 2004 +0000 +++ b/roundup/cgi/templating.py Mon Apr 12 06:55:41 2004 +0000 @@ -945,9 +945,10 @@ if getattr(self, '_nodeid', None) == userid and not is_anonymous: return 1 - # may anonymous users register? - if (is_anonymous and s.hasPermission('Web Registration', userid, - self._classname)): + # may anonymous users register? (so, they need to be anonymous, + # need the Web Rego permission, and not trying to view an item) + rego = s.hasPermission('Web Registration', userid, self._classname) + if is_anonymous and rego and getattr(self, '_nodeid', None) is None: return 1 # nope, no access here
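Review bot: In TODO.txt, the added line `. make Intervals store timestamps, not strings` is unrelated to the anonymous-viewing fix named in the commit message. Suggest committing it separately so this changeset carries only the permission check and its CHANGES.txt entry, which keeps a security-relevant fix easy to audit or backport on its own.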
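Review bot: In roundup/cgi/templating.py, the new test `getattr(self, '_nodeid', None) is None` on the last added line treats every request without an item id as a registration attempt, so an anonymous user holding Web Registration is still granted access whenever no specific item is addressed. If this check is also reached for class-level views, confirm that is intended or narrow it to the registration case. The changeset touches no test file; a regression test asserting that an anonymous user with Web Registration is refused for an existing item id and allowed when `_nodeid` is None would pin the behaviour. Minor: `rego` is now computed for every caller, where the old short-circuit skipped the permission lookup for non-anonymous users, and `getattr(self, '_nodeid', None)` now appears twice in adjacent checks and could be read once into a local.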
