Anonymous user can no longer edit or view itself. This fixes a

author jlgijsbers <jlgijsbers@57a73879-2fb5-44c3-a270-3262357dd7e2>

Fri, 24 Oct 2003 09:32:19 +0000 (09:32 +0000)

committer jlgijsbers <jlgijsbers@57a73879-2fb5-44c3-a270-3262357dd7e2>

Fri, 24 Oct 2003 09:32:19 +0000 (09:32 +0000)
author jlgijsbers <jlgijsbers@57a73879-2fb5-44c3-a270-3262357dd7e2>
Fri, 24 Oct 2003 09:32:19 +0000 (09:32 +0000)
committer jlgijsbers <jlgijsbers@57a73879-2fb5-44c3-a270-3262357dd7e2>
Fri, 24 Oct 2003 09:32:19 +0000 (09:32 +0000)
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py

index 0192693b87aee67de663e5f0e89bf64427ebafef..72edc6fa02c092c2d04e218b4cf1a3be2c3ac714 100644 (file)
--- a/roundup/cgi/client.py
+++ b/roundup/cgi/client.py
@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.142 2003-10-22 16:47:55 jlgijsbers Exp $
+# $Id: client.py,v 1.143 2003-10-24 09:32:19 jlgijsbers Exp $
  
  __doc__ = """
  WWW request handler (also used in the stand-alone server).
@@ -970,7 +970,8 @@ You should then receive another email with the new password.
                      'user'):
                  return 0
              # if the item being edited is the current user, we're ok
-            if self.nodeid == self.userid:
+            if (self.nodeid == self.userid
+                and self.db.user.get(self.nodeid, 'username') != 'anonymous'):
                  return 1
          if self.db.security.hasPermission('Edit', self.userid, self.classname):
              return 1
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py

index 9e0f2d2b66e136c9f0d7ca501401698db8233bef..9600f15c1c3fb6918cdc72048acd6bafdf24f38c 100644 (file)
--- a/roundup/cgi/templating.py
+++ b/roundup/cgi/templating.py
@@ -807,14 +807,16 @@ class HTMLUser(HTMLItem):
              Also check whether this is the current user's info.
          '''
          return self._db.security.hasPermission('Edit', self._client.userid,
-            self._classname) or self._nodeid == self._client.userid
+            self._classname) or (self._nodeid == self._client.userid and
+            self._db.user.get(self._client.userid, 'username') != 'anonymous')
  
      def is_view_ok(self):
          ''' Is the user allowed to View the current class?
              Also check whether this is the current user's info.
          '''
          return self._db.security.hasPermission('Edit', self._client.userid,
-            self._classname) or self._nodeid == self._client.userid
+            self._classname) or (self._nodeid == self._client.userid and
+            self._db.user.get(self._client.userid, 'username') != 'anonymous')
  
  class HTMLProperty:
      ''' String, Number, Date, Interval HTMLProperty
author	jlgijsbers <jlgijsbers@57a73879-2fb5-44c3-a270-3262357dd7e2>
	Fri, 24 Oct 2003 09:32:19 +0000 (09:32 +0000)
committer	jlgijsbers <jlgijsbers@57a73879-2fb5-44c3-a270-3262357dd7e2>
	Fri, 24 Oct 2003 09:32:19 +0000 (09:32 +0000)
roundup/cgi/client.py		patch \| blob \| history
roundup/cgi/templating.py		patch \| blob \| history