[Roundup-checkins] CVS: roundup/roundup/cgi client.py,1.142,1.143 templating.py,1.111,1.112

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Update of /cvsroot/roundup/roundup/roundup/cgi
In directory sc8-pr-cvs1:/tmp/cvs-serv1124

Modified Files:
	client.py templating.py 
Log Message:
Anonymous user can no longer edit or view itself. This fixes a
security bug (bug #828901).


Index: client.py
===================================================================
RCS file: /cvsroot/roundup/roundup/roundup/cgi/client.py,v
retrieving revision 1.142
retrieving revision 1.143
diff -C2 -r1.142 -r1.143
*** client.py	22 Oct 2003 16:47:55 -0000	1.142
--- client.py	24 Oct 2003 09:32:19 -0000	1.143
***************
*** 971,975 ****
                  return 0
              # if the item being edited is the current user, we're ok
!             if self.nodeid == self.userid:
                  return 1
          if self.db.security.hasPermission('Edit', self.userid, self.classname):
--- 971,976 ----
                  return 0
              # if the item being edited is the current user, we're ok
!             if (self.nodeid == self.userid
!                 and self.db.user.get(self.nodeid, 'username') != 'anonymous'):
                  return 1
          if self.db.security.hasPermission('Edit', self.userid, self.classname):

Index: templating.py
===================================================================
RCS file: /cvsroot/roundup/roundup/roundup/cgi/templating.py,v
retrieving revision 1.111
retrieving revision 1.112
diff -C2 -r1.111 -r1.112
*** templating.py	20 Oct 2003 20:31:40 -0000	1.111
--- templating.py	24 Oct 2003 09:32:19 -0000	1.112
***************
*** 808,812 ****
          '''
          return self._db.security.hasPermission('Edit', self._client.userid,
!             self._classname) or self._nodeid == self._client.userid
  
      def is_view_ok(self):
--- 808,813 ----
          '''
          return self._db.security.hasPermission('Edit', self._client.userid,
!             self._classname) or (self._nodeid == self._client.userid and
!             self._db.user.get(self._client.userid, 'username') != 'anonymous')
  
      def is_view_ok(self):
***************
*** 815,819 ****
          '''
          return self._db.security.hasPermission('Edit', self._client.userid,
!             self._classname) or self._nodeid == self._client.userid
  
  class HTMLProperty:
--- 816,821 ----
          '''
          return self._db.security.hasPermission('Edit', self._client.userid,
!             self._classname) or (self._nodeid == self._client.userid and
!             self._db.user.get(self._client.userid, 'username') != 'anonymous')
  
  class HTMLProperty:

[Roundup-checkins] CVS: roundup/roundup/cgi client.py,1.142,1.143 templating.py,1.111,1.112

Simple-to-use/-install issue-tracking system: web, REST, email, CLI

[Roundup-checkins] CVS: roundup/roundup/cgi client.py,1.142,1.143 templating.py,1.111,1.112