From a16430ac35b8e486f81d9cd13465ff6f7ed27be5 Mon Sep 17 00:00:00 2001
From: richard
Date: Mon, 12 Apr 2004 06:55:41 +0000
Subject: [PATCH] better check for anonymous viewing of user items (sf bug 933510)
git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/trunk@2277 57a73879-2fb5-44c3-a270-3262357dd7e2
---
 CHANGES.txt | 1 +
 TODO.txt | 3 +++
 roundup/cgi/templating.py | 7 ++++---
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/CHANGES.txt b/CHANGES.txt
index de61234..bd4542b 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -27,6 +27,7 @@ Fixed:
 - grouping (and sorting) by multilink in RDBMS backends (sf bug 655702)
 - roundup scripts may now be asked for their version (sf rfe 798657)
 - sqlite backend had stopped using the global lock
+- better check for anonymous viewing of user items (sf bug 933510)
 2004-03-27 0.7.0b2
diff --git a/TODO.txt b/TODO.txt
index b2f8f02..29af698 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -1,5 +1,8 @@
 This file contains items that need doing before the next release:
+. make Intervals store timestamps, not strings
+
+
 Optionally:
 - have rdbms backends look up the journal for actor if it's not set
 - migrate to numeric ID values (fixes bug 817217)
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
index 324e75f..bf3d901 100644
--- a/roundup/cgi/templating.py
+++ b/roundup/cgi/templating.py
@@ -945,9 +945,10 @@ class HTMLUserPermission:
 if getattr(self, '_nodeid', None) == userid and not is_anonymous:
 return 1
- # may anonymous users register?
- if (is_anonymous and s.hasPermission('Web Registration', userid,
- self._classname)):
+ # may anonymous users register? (so, they need to be anonymous,
+ # need the Web Rego permission, and not trying to view an item)
+ rego = s.hasPermission('Web Registration', userid, self._classname)
+ if is_anonymous and rego and getattr(self, '_nodeid', None) is None:
 return 1
 # nope, no access here
--
2.30.2
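Review bot: In the templating.py hunk, `rego = s.hasPermission('Web Registration', userid, self._classname)` now runs on every call that reaches this point, including for logged-in users, whereas the removed code only looked the permission up once `is_anonymous` was true. Testing the two local conditions first keeps the old short-circuit and drops the temporary: `if (is_anonymous and getattr(self, '_nodeid', None) is None and s.hasPermission('Web Registration', userid, self._classname)):`. The `_nodeid is None` test is the only thing here that stops an anonymous visitor holding Web Registration from being granted access to an existing user item, yet the diffstat lists no test file; a regression test that checks an existing user item as anonymous and expects denial would pin the fix. The comment's "Web Rego" should be spelled `Web Registration` so a search for the permission name finds this check. The enclosing method begins and ends outside the hunk.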