changeset 1857:dc6f2155e5b4
Anonymous user can no longer edit or view itself.
This fixes a security bug [SF#828901].
| author | Johannes Gijsbers <jlgijsbers@users.sourceforge.net> |
|---|---|
| date | Fri, 24 Oct 2003 09:32:19 +0000 |
| parents | 7c84534aec13 |
| children | 492a962b6d6f |
| files | roundup/cgi/client.py roundup/cgi/templating.py |
| diffstat | 2 files changed, 7 insertions(+), 4 deletions(-) [+] |
--- a/roundup/cgi/client.py	Wed Oct 22 16:47:55 2003 +0000
+++ b/roundup/cgi/client.py	Fri Oct 24 09:32:19 2003 +0000
@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.142 2003-10-22 16:47:55 jlgijsbers Exp $
+# $Id: client.py,v 1.143 2003-10-24 09:32:19 jlgijsbers Exp $
 __doc__ = """
 WWW request handler (also used in the stand-alone server).
 
@@ -970,7 +970,8 @@
                     'user'):
                 return 0
             # if the item being edited is the current user, we're ok
-            if self.nodeid == self.userid:
+            if (self.nodeid == self.userid
+                and self.db.user.get(self.nodeid, 'username') != 'anonymous'):
                 return 1
         if self.db.security.hasPermission('Edit', self.userid, self.classname):
             return 1
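Review bot: The new guard recognises the anonymous account by comparing the `username` property against the string literal `'anonymous'`, and the identical literal is repeated in both `is_edit_ok` and `is_view_ok` in roundup/cgi/templating.py, so the "anonymous may not touch its own record" rule now lives in three places that can drift apart (renaming the account, or adding a second guest-style account, silently re-opens all three). A single helper on the security layer, e.g. `def is_anonymous(self, userid): return self.user.get(userid, 'username') == 'anonymous'`, would keep the policy in one place and give it one test. The enclosing `editItemPermission` method starts outside the hunk, so I cannot confirm from here that this branch is reached only for the `user` class; a why-comment on the new condition would help the next reader: `# anonymous shares nodeid == userid with real users but must never edit its own record`.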
--- a/roundup/cgi/templating.py	Wed Oct 22 16:47:55 2003 +0000
+++ b/roundup/cgi/templating.py	Fri Oct 24 09:32:19 2003 +0000
@@ -807,14 +807,16 @@
             Also check whether this is the current user's info.
         '''
         return self._db.security.hasPermission('Edit', self._client.userid,
-            self._classname) or self._nodeid == self._client.userid
+            self._classname) or (self._nodeid == self._client.userid and
+            self._db.user.get(self._client.userid, 'username') != 'anonymous')
 
     def is_view_ok(self):
         ''' Is the user allowed to View the current class?
             Also check whether this is the current user's info.
         '''
         return self._db.security.hasPermission('Edit', self._client.userid,
-            self._classname) or self._nodeid == self._client.userid
+            self._classname) or (self._nodeid == self._client.userid and
+            self._db.user.get(self._client.userid, 'username') != 'anonymous')
 
 class HTMLProperty:
     ''' String, Number, Date, Interval HTMLProperty
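Review bot: `is_view_ok` still answers the View question by asking `hasPermission('Edit', ...)` on the context line directly above the new `or` clause, so a user granted only a View permission on the class is refused even though the docstring promises a View check; this predates the commit, but the commit rewrites exactly this expression, so it is the moment to confirm whether `'View'` was intended there. The two methods are now identical apart from their docstrings, which doubles the surface for the drift noted on the client.py hunk; extracting the self-record clause into one private method, e.g. `def _is_own_record(self): return (self._nodeid == self._client.userid and self._db.user.get(self._client.userid, 'username') != 'anonymous')`, and calling it from both would keep the anonymous rule in one place. The `and` short-circuits, so the extra `user.get` lookup only runs when nodeid already matches the requesting user, which is the cheap case.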
