From: jlgijsbers
Date: Fri, 24 Oct 2003 09:32:19 +0000 (+0000)
Subject: Anonymous user can no longer edit or view itself. This fixes a
X-Git-Url: https://git.tokkee.org/?a=commitdiff_plain;h=03a73d63e183563afe922d5210a9a2709ae46d74;p=roundup.git
Anonymous user can no longer edit or view itself. This fixes a security bug (bug #828901).
git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/trunk@1927 57a73879-2fb5-44c3-a270-3262357dd7e2
---
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
index 0192693..72edc6f 100644
--- a/roundup/cgi/client.py
+++ b/roundup/cgi/client.py
@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.142 2003-10-22 16:47:55 jlgijsbers Exp $
+# $Id: client.py,v 1.143 2003-10-24 09:32:19 jlgijsbers Exp $
 
 __doc__ = """
 WWW request handler (also used in the stand-alone server).
@@ -970,7 +970,8 @@ You should then receive another email with the new password.
 'user'):
 return 0
 # if the item being edited is the current user, we're ok
- if self.nodeid == self.userid:
+ if (self.nodeid == self.userid
+ and self.db.user.get(self.nodeid, 'username') != 'anonymous'):
 return 1
 if self.db.security.hasPermission('Edit', self.userid, self.classname):
 return 1
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
index 9e0f2d2..9600f15 100644
--- a/roundup/cgi/templating.py
+++ b/roundup/cgi/templating.py
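Review bot: The comment directly above the added condition, `# if the item being edited is the current user, we're ok`, no longer describes the branch, which now also refuses the anonymous account access to its own record; change it to `# the user may edit their own record, unless it is the anonymous account`. The exclusion hangs on the literal username `'anonymous'`, and the same literal is compared again in the two templating.py hunks (is_edit_ok and is_view_ok), so an anonymous account that is renamed or configured under another name would silently reopen this path in all three places; a single shared constant, or one helper on the client that answers "is the current session anonymous", would keep the checks in step and give the next maintainer one place to look. The enclosing method starts before this hunk.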
@@ -807,14 +807,16 @@ class HTMLUser(HTMLItem):
 Also check whether this is the current user's info.
 '''
 return self._db.security.hasPermission('Edit', self._client.userid,
- self._classname) or self._nodeid == self._client.userid
+ self._classname) or (self._nodeid == self._client.userid and
+ self._db.user.get(self._client.userid, 'username') != 'anonymous')
 
 def is_view_ok(self):
 ''' Is the user allowed to View the current class?
 Also check whether this is the current user's info.
 '''
 return self._db.security.hasPermission('Edit', self._client.userid,
- self._classname) or self._nodeid == self._client.userid
+ self._classname) or (self._nodeid == self._client.userid and
+ self._db.user.get(self._client.userid, 'username') != 'anonymous')
 
 class HTMLProperty:
 ''' String, Number, Date, Interval HTMLProperty
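Review bot: The new "own record and not anonymous" condition is written out twice, once in is_edit_ok and once in is_view_ok, with the same two-line expression and the same literal; since both methods are access checks, a later fix to one that is not mirrored in the other would leave the two views disagreeing about the same record. Factoring the condition into a small private helper on HTMLUser and calling it from both return statements removes the duplication and documents the rule once. Separately, the unchanged first half of is_view_ok's return asks for the `'Edit'` permission while its docstring says "View"; this predates the commit and may be deliberate, but it is worth confirming while the method is being touched. is_edit_ok's definition starts before this hunk.
```python
    def _is_own_record(self):
        ''' Is this item the current user's own record, excluding the
            anonymous user?
        '''
        return (self._nodeid == self._client.userid and
            self._db.user.get(self._client.userid, 'username') != 'anonymous')

    # … unchanged: is_edit_ok signature and docstring …
        return self._db.security.hasPermission('Edit', self._client.userid,
            self._classname) or self._is_own_record()

    # … unchanged: is_view_ok signature and docstring …
        return self._db.security.hasPermission('Edit', self._client.userid,
            self._classname) or self._is_own_record()
```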