From 0d3871e13faa4933a395b0ddeb5cbe8c6a47d52b Mon Sep 17 00:00:00 2001
From: richard <richard@57a73879-2fb5-44c3-a270-3262357dd7e2>
Date: Fri, 29 Jan 2010 05:03:48 +0000
Subject: [PATCH] Fix "Web Access" permission check to allow serving of static
 files to Anonymous again

git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4430 57a73879-2fb5-44c3-a270-3262357dd7e2
---
 CHANGES.txt           |  4 ++++
 roundup/cgi/client.py | 20 +++++++++++++++++---
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/CHANGES.txt b/CHANGES.txt
index f0ec02a..1296bde 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -15,6 +15,10 @@ Fixes:
   intevation for funding the fix.
 - Fix documentation on user required to run the tests, fixes 
   issue2550618, thanks to Chris aka 'radioking'
+- Add simple doc about translating customised tracker content
+- Add "flup" setup documentation, thanks Christian Glass
+- Fix "Web Access" permission check to allow serving of static files to
+  Anonymous again
 
 
 2009-12-21 1.4.11 (r4413)
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
index b760e0c..30c2820 100644
--- a/roundup/cgi/client.py
+++ b/roundup/cgi/client.py
@@ -380,6 +380,7 @@ class Client:
         self.determine_language()
         # Open the database as the correct user.
         self.determine_user()
+        self.check_web_access()
 
         # Call the appropriate XML-RPC method.
         handler = xmlrpc.RoundupDispatcher(self.db,
@@ -437,6 +438,11 @@ class Client:
                 # figure out the context and desired content template
                 self.determine_context()
 
+                # if we've made it this far the context is to a bit of
+                # Roundup's real web interface (not a file being served up)
+                # so do the Anonymous Web Acess check now
+                self.check_web_access()
+
                 # possibly handle a form submit action (may change self.classname
                 # and self.template, and may also append error/ok_messages)
                 html = self.handle_action()
@@ -711,15 +717,21 @@ class Client:
         # make sure the anonymous user is valid if we're using it
         if user == 'anonymous':
             self.make_user_anonymous()
-            if not self.db.security.hasPermission('Web Access', self.userid):
-                raise Unauthorised, self._("Anonymous users are not "
-                    "allowed to use the web interface")
         else:
             self.user = user
 
         # reopen the database as the correct user
         self.opendb(self.user)
 
+    def check_web_access(self):
+        """Check that the Anonymous user is actually allowed to use the web
+        interface and short-circuit all further processing if they're not.
+        """
+        if self.user == 'anonymous':
+            if not self.db.security.hasPermission('Web Access', self.userid):
+                raise Unauthorised, self._("Anonymous users are not "
+                    "allowed to use the web interface")
+
     def opendb(self, username):
         """Open the database and set the current user.
 
@@ -865,6 +877,8 @@ class Client:
             # The classname was not valid.
             raise NotFound, str(designator)
             
+        # perform the Anonymous user access check
+        self.check_web_access()
 
         # make sure we have the appropriate properties
         props = klass.getprops()
-- 
2.30.2