better check for anonymous viewing of user items (sf bug 933510)

git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/trunk@2277 57a73879-2fb5-44c3-a270-3262357dd7e2

diff --git a/CHANGES.txt b/CHANGES.txt
index de61234ad31d532830612a896273690f834810c1..bd4542bc2511bab06c0887efaf847911f310f654 100644 (file)
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -27,6 +27,7 @@ Fixed:
 - grouping (and sorting) by multilink in RDBMS backends (sf bug 655702)
 - roundup scripts may now be asked for their version (sf rfe 798657)
 - sqlite backend had stopped using the global lock
+- better check for anonymous viewing of user items (sf bug 933510)
 
 
 2004-03-27 0.7.0b2

diff --git a/TODO.txt b/TODO.txt
index b2f8f02ffd29efa0a4837f97c91a039edf0ad5fa..29af698d14d38acac2b751bddf60b3d5a32479cc 100644 (file)
--- a/TODO.txt
+++ b/TODO.txt
@@ -1,5 +1,8 @@
 This file contains items that need doing before the next release:
 
+. make Intervals store timestamps, not strings
+
+
 Optionally:
 - have rdbms backends look up the journal for actor if it's not set
 - migrate to numeric ID values (fixes bug 817217)

diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
index 324e75f47ac5114833fbdeeb51b05fb6139f2706..bf3d901414977c5d0ca01cc0f228f16d90df1d7a 100644 (file)
--- a/roundup/cgi/templating.py
+++ b/roundup/cgi/templating.py
@@ -945,9 +945,10 @@ class HTMLUserPermission:
         if getattr(self, '_nodeid', None) == userid and not is_anonymous:
             return 1
 
-        # may anonymous users register?
-        if (is_anonymous and s.hasPermission('Web Registration', userid,
-                self._classname)):
+        # may anonymous users register? (so, they need to be anonymous,
+        # need the Web Rego permission, and not trying to view an item)
+        rego = s.hasPermission('Web Registration', userid, self._classname)
+        if is_anonymous and rego and getattr(self, '_nodeid', None) is None:
             return 1
 
         # nope, no access here