From 0d3871e13faa4933a395b0ddeb5cbe8c6a47d52b Mon Sep 17 00:00:00 2001
From: richard
Date: Fri, 29 Jan 2010 05:03:48 +0000
Subject: [PATCH] Fix "Web Access" permission check to allow serving of static files to Anonymous again
git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4430 57a73879-2fb5-44c3-a270-3262357dd7e2
---
 CHANGES.txt | 4 ++++
 roundup/cgi/client.py | 20 +++++++++++++++++---
 2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/CHANGES.txt b/CHANGES.txt
index f0ec02a..1296bde 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -15,6 +15,10 @@ Fixes:
 intevation for funding the fix.
 - Fix documentation on user required to run the tests, fixes issue2550618,
 thanks to Chris aka 'radioking'
+- Add simple doc about translating customised tracker content
+- Add "flup" setup documentation, thanks Christian Glass
+- Fix "Web Access" permission check to allow serving of static files to
+ Anonymous again
 2009-12-21 1.4.11 (r4413)
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
index b760e0c..30c2820 100644
--- a/roundup/cgi/client.py
+++ b/roundup/cgi/client.py
@@ -380,6 +380,7 @@ class Client:
 self.determine_language()
 # Open the database as the correct user.
 self.determine_user()
+ self.check_web_access()
 # Call the appropriate XML-RPC method.
 handler = xmlrpc.RoundupDispatcher(self.db,
@@ -437,6 +438,11 @@ class Client:
 # figure out the context and desired content template
 self.determine_context()
+ # if we've made it this far the context is to a bit of
+ # Roundup's real web interface (not a file being served up)
+ # so do the Anonymous Web Acess check now
+ self.check_web_access()
+
 # possibly handle a form submit action (may change self.classname
 # and self.template, and may also append error/ok_messages)
 html = self.handle_action()
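Review bot: Placing `self.check_web_access()` after `self.determine_context()` is only safe if `determine_context()` never hands tracker content to an Anonymous user on its own, and that function is outside this hunk, so the assumption cannot be confirmed from here. The added comment explains the ordering but not that invariant; I would extend it with something like `# determine_context() must only raise for file serving; it must not return tracker data itself`. The third comment line also has a typo, `Acess` should read `Access`. The enclosing method starts and ends outside the hunk.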
@@ -711,15 +717,21 @@ class Client:
 # make sure the anonymous user is valid if we're using it
 if user == 'anonymous':
 self.make_user_anonymous()
- if not self.db.security.hasPermission('Web Access', self.userid):
- raise Unauthorised, self._("Anonymous users are not "
- "allowed to use the web interface")
 else:
 self.user = user
 # reopen the database as the correct user
 self.opendb(self.user)
+ def check_web_access(self):
+ """Check that the Anonymous user is actually allowed to use the web
+ interface and short-circuit all further processing if they're not.
+ """
+ if self.user == 'anonymous':
+ if not self.db.security.hasPermission('Web Access', self.userid):
+ raise Unauthorised, self._("Anonymous users are not "
+ "allowed to use the web interface")
+
 def opendb(self, username):
 """Open the database and set the current user.
@@ -865,6 +877,8 @@ class Client:
 # The classname was not valid.
 raise NotFound, str(designator)
+ # perform the Anonymous user access check
+ self.check_web_access()
 # make sure we have the appropriate properties
 props = klass.getprops()
--
2.30.2
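Review bot: Removing the check from `determine_user()` turns the Anonymous 'Web Access' gate from enforced-by-default into opt-in, so any entry point that calls `determine_user()` without also calling `check_web_access()` now serves Anonymous users unchecked. This commit adds the call at three sites (the XML-RPC handler, the main handler after `determine_context()`, and the path patched in the last hunk), but nothing in `determine_user()` tells a future caller about the obligation. I would add a comment there such as `# NOTE: does not check 'Web Access'; callers must call check_web_access() before returning tracker content`. A regression test would also help: an Anonymous request without 'Web Access' should get `Unauthorised` on each of the three paths while a static file is still served. `determine_user()` begins outside the hunk.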
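Review bot: The access check runs only after the class lookup, so an Anonymous client without 'Web Access' still gets `NotFound` for an unknown class and `Unauthorised` for a known one, and the two answers can be told apart. Calling `self.check_web_access()` before the lookup that ends in `raise NotFound, str(designator)` would make the denial uniform; whether that is possible depends on the start of the function, which is outside this hunk. The comment could also say why the check is needed on this path, for example `# this serves tracker content rather than a static file, so Anonymous needs 'Web Access'` (presumably the reason; confirm against the function header).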