From: Johannes G. <jlg...@us...> - 2003-10-25 03:58:24
Update of /cvsroot/roundup/roundup/roundup/cgi
In directory sc8-pr-cvs1:/tmp/cvs-serv1124
Modified Files:
client.py templating.py
Log Message:
Anonymous user can no longer edit or view itself. This fixes a security bug (bug #828901).
Index: client.py
===================================================================
RCS file: /cvsroot/roundup/roundup/roundup/cgi/client.py,v
retrieving revision 1.142
retrieving revision 1.143
diff -C2 -r1.142 -r1.143
*** client.py 22 Oct 2003 16:47:55 -0000 1.142
--- client.py 24 Oct 2003 09:32:19 -0000 1.143
***************
*** 971,975 ****
 return 0
 # if the item being edited is the current user, we're ok
! if self.nodeid == self.userid:
 return 1
 if self.db.security.hasPermission('Edit', self.userid, self.classname):
--- 971,976 ----
 return 0
 # if the item being edited is the current user, we're ok
! if (self.nodeid == self.userid
! and self.db.user.get(self.nodeid, 'username') != 'anonymous'):
 return 1
 if self.db.security.hasPermission('Edit', self.userid, self.classname):
Index: templating.py
===================================================================
RCS file: /cvsroot/roundup/roundup/roundup/cgi/templating.py,v
retrieving revision 1.111
retrieving revision 1.112
diff -C2 -r1.111 -r1.112
*** templating.py 20 Oct 2003 20:31:40 -0000 1.111
--- templating.py 24 Oct 2003 09:32:19 -0000 1.112
***************
*** 808,812 ****
 '''
 return self._db.security.hasPermission('Edit', self._client.userid,
! self._classname) or self._nodeid == self._client.userid
 def is_view_ok(self):
--- 808,813 ----
 '''
 return self._db.security.hasPermission('Edit', self._client.userid,
! self._classname) or (self._nodeid == self._client.userid and
! self._db.user.get(self._client.userid, 'username') != 'anonymous')
 def is_view_ok(self):
***************
*** 815,819 ****
 '''
 return self._db.security.hasPermission('Edit', self._client.userid,
! 
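Review bot: The `!= 'anonymous'` username comparison added in this hunk is repeated verbatim in both templating.py hunks (is_edit_ok and is_view_ok), so every future "acting on yourself" shortcut has to remember the same literal and the three copies can drift apart; a single helper holding the one `db.user.get(userid, 'username') != 'anonymous'` test (or the client's own cached username, if it keeps one) called from all three sites would keep the rule in one place. This hunk looks the username up by `self.nodeid` while templating.py uses `self._client.userid`; the two agree only because the preceding equality test short-circuits, so using the same key everywhere would make that dependency obvious. The enclosing function starts and ends outside the hunk. A why-comment on the new condition would also help, e.g. `# anonymous is a real user record, so "editing yourself" must not apply to it`.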
self._classname) or self._nodeid == self._client.userid
 class HTMLProperty:
--- 816,821 ----
 '''
 return self._db.security.hasPermission('Edit', self._client.userid,
! self._classname) or (self._nodeid == self._client.userid and
! self._db.user.get(self._client.userid, 'username') != 'anonymous')
 class HTMLProperty:
|
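Review bot: After this change the return statement of is_view_ok is identical to the one is_edit_ok gets in the previous hunk, including the 'Edit' permission name and the new anonymous exclusion, so the view check could delegate instead of duplicating the rule: `return self.is_edit_ok()`. If gating view access on the 'Edit' permission rather than a separate 'View' permission is deliberate, that is not obvious from the code and deserves a comment on the method, e.g. `# NOTE: view is intentionally gated on Edit permission; whoever may edit may view`; if it is not deliberate, the permission name is what needs changing, and the anonymous clause would then still be needed. The def line of is_view_ok lies outside the hunk.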