From: richard
Date: Mon, 12 Apr 2004 06:55:41 +0000 (+0000)
Subject: better check for anonymous viewing of user items (sf bug 933510)
X-Git-Url: https://git.tokkee.org/?a=commitdiff_plain;h=a16430ac35b8e486f81d9cd13465ff6f7ed27be5;p=roundup.git
better check for anonymous viewing of user items (sf bug 933510)
git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/trunk@2277 57a73879-2fb5-44c3-a270-3262357dd7e2
---
diff --git a/CHANGES.txt b/CHANGES.txt
index de61234..bd4542b 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -27,6 +27,7 @@ Fixed:
 - grouping (and sorting) by multilink in RDBMS backends (sf bug 655702)
 - roundup scripts may now be asked for their version (sf rfe 798657)
 - sqlite backend had stopped using the global lock
+- better check for anonymous viewing of user items (sf bug 933510)
 2004-03-27 0.7.0b2
diff --git a/TODO.txt b/TODO.txt
index b2f8f02..29af698 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -1,5 +1,8 @@
 This file contains items that need doing before the next release:
+. make Intervals store timestamps, not strings
+
+
 Optionally:
 - have rdbms backends look up the journal for actor if it's not set
 - migrate to numeric ID values (fixes bug 817217)
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
index 324e75f..bf3d901 100644
--- a/roundup/cgi/templating.py
+++ b/roundup/cgi/templating.py
@@ -945,9 +945,10 @@ class HTMLUserPermission:
 if getattr(self, '_nodeid', None) == userid and not is_anonymous:
 return 1
- # may anonymous users register?
- if (is_anonymous and s.hasPermission('Web Registration', userid,
- self._classname)):
+ # may anonymous users register? (so, they need to be anonymous,
+ # need the Web Rego permission, and not trying to view an item)
+ rego = s.hasPermission('Web Registration', userid, self._classname)
+ if is_anonymous and rego and getattr(self, '_nodeid', None) is None:
 return 1
 # nope, no access here
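Review bot: In the added `if is_anonymous and rego and getattr(self, '_nodeid', None) is None:` the class-level case (no `_nodeid`) still returns 1 for an anonymous user holding Web Registration, so any index or listing template for this class that is gated on the same method would keep rendering for anonymous visitors; that path is not visible in this hunk and should be confirmed. The comment should record the invariant the check depends on, for example `# _nodeid is None only on the class-level wrapper (registration form); item wrappers must set it`. `rego` is also computed for every caller now, whereas `if is_anonymous and getattr(self, '_nodeid', None) is None and s.hasPermission('Web Registration', userid, self._classname):` keeps the earlier short-circuit. No regression test for sf bug 933510 accompanies the change, and the enclosing method begins and ends outside the hunk.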