[tokkee]

tokkee.org

Code

projects / roundup.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix security hole allowing user permission escalation (thanks Ralf Schlatterbeck)
[roundup.git] / share / roundup / templates / minimal / schema.py
diff --git a/share/roundup/templates/minimal/schema.py b/share/roundup/templates/minimal/schema.py
index 3333e55ca4aa7ba3e0fe4e2851a695102f982f4d..603eaae69847e38271f50b325708465466ce915f 100644 (file)
--- a/share/roundup/templates/minimal/schema.py
+++ b/share/roundup/templates/minimal/schema.py
@@ -41,6 +41,7 @@ p = db.security.addPermission(name='View', klass='user', check=own_record,
     description="User is allowed to view their own user details")
 db.security.addPermissionToRole('User', p)
 p = db.security.addPermission(name='Edit', klass='user', check=own_record,
+    properties=('username', 'password', 'address', 'alternate_addresses'),
     description="User is allowed to edit their own user details")
 db.security.addPermissionToRole('User', p)
 
Roundup Issue Tracker (SVN clone)