
Fix permission checks.
brianmay committed Apr 23, 2011
1 parent 395a1bb commit 9bb8eb2
Showing 2 changed files with 16 additions and 11 deletions.
3 changes: 2 additions & 1 deletion debian/changelog
@@ -1,13 +1,14 @@
spud (0.8-1) unstable; urgency=low

* Fix permission checks. Security issue, anybody could edit photos.
* Fix broken XHTML.
* Make timezones more flexible. Can specify UTC+nn or UTC-nn for imports.
* Improve photo editor, have links to most popular items.
* Fix problems with add person and set person logic.
* Limit width of photo summary in css.
* Optimize how search string is generated.

-- Brian May <bam@debian.org> Fri, 22 Apr 2011 18:22:48 +1000
-- Brian May <bam@debian.org> Sat, 23 Apr 2011 19:10:24 +1000

spud (0.7-1) lucid; urgency=low

24 changes: 14 additions & 10 deletions spud/webs.py
Expand Up @@ -221,50 +221,50 @@ def permission_denied_response(self, request, breadcrumbs, error_list):
def check_list_perms(self, request, breadcrumbs):
error_list = []
if not self.has_list_perms(request.user):
error_list.append("You cannot list %s objects"%(selfs.verbose_name))
error_list.append("You cannot list %s objects"%(self.verbose_name))

if len(error_list) > 0:
return permission_denied_response(request, breadcrumbs, error_list)
return self.permission_denied_response(request, breadcrumbs, error_list)
else:
return None

def check_view_perms(self, request, breadcrumbs):
error_list = []
if not self.has_view_perms(request.user):
error_list.append("You cannot view a %s object"%(selfs.verbose_name))
error_list.append("You cannot view a %s object"%(self.verbose_name))

if len(error_list) > 0:
return permission_denied_response(request, breadcrumbs, error_list)
return self.permission_denied_response(request, breadcrumbs, error_list)
else:
return None

def check_add_perms(self, request, breadcrumbs):
error_list = []
if not self.has_add_perms(request.user):
error_list.append("You cannot add a %s object"%(selfs.verbose_name))
error_list.append("You cannot add a %s object"%(self.verbose_name))

if len(error_list) > 0:
return permission_denied_response(request, breadcrumbs, error_list)
return self.permission_denied_response(request, breadcrumbs, error_list)
else:
return None

def check_edit_perms(self, request, breadcrumbs):
error_list = []
if not self.has_edit_perms(request.user):
error_list.append("You cannot edit a %s object"%(selfs.verbose_name))
error_list.append("You cannot edit a %s object"%(self.verbose_name))

if len(error_list) > 0:
return permission_denied_response(request, breadcrumbs, error_list)
return self.permission_denied_response(request, breadcrumbs, error_list)
else:
return None

def check_delete_perms(self, request, breadcrumbs):
error_list = []
if not self.has_delete_perms(request.user):
error_list.append("You cannot delete a %s object"%(selfs.verbose_name))
error_list.append("You cannot delete a %s object"%(self.verbose_name))

if len(error_list) > 0:
return permission_denied_response(request, breadcrumbs, error_list)
return self.permission_denied_response(request, breadcrumbs, error_list)
else:
return None

Expand Down Expand Up @@ -495,6 +495,10 @@ def object_photo_detail(self, request, instance, number, photo_list, size):
def object_photo_edit(self, request, instance, number, photo_list, size):
self.assert_instance_type(instance)
breadcrumbs = self.get_view_breadcrumbs(instance)
error = self.check_edit_perms(request, breadcrumbs)
if error is not None:
return error

paginator = Paginator(photo_list, 1)

template='spud/photo_edit.html'
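Review bot: The five check_*_perms methods in the first hunk (webs.py 221–270) now differ only in the has_*_perms predicate they call and the message they format, so the repeated build-a-list-then-test-its-length body could collapse into one private helper with each public method kept as a one-line delegation, which also keeps the next fix from having to be applied five times; the `if len(error_list) > 0:` test in each of them is more idiomatically `if error_list:`. In the second hunk the added `check_edit_perms` call in object_photo_edit is placed before any of the editing work visible here, which is the right position, but the function continues past the hunk, so it is worth confirming that no later path in the view runs before the early return and that the other mutating views (add/delete, not shown) call their matching check, since the changelog attributes the security issue to this check being absent. The helper below preserves the existing contract: None when allowed, the permission_denied_response otherwise.

```python
    def _check_perms(self, request, breadcrumbs, has_perms, message):
        # Shared body of the check_*_perms methods: returns None when the
        # user passes has_perms, otherwise the permission-denied response
        # carrying a single message formatted with verbose_name.
        if has_perms(request.user):
            return None
        error_list = [message % (self.verbose_name)]
        return self.permission_denied_response(request, breadcrumbs, error_list)

    def check_list_perms(self, request, breadcrumbs):
        return self._check_perms(request, breadcrumbs, self.has_list_perms,
                                 "You cannot list %s objects")

    # … unchanged: check_view_perms, check_add_perms, check_edit_perms and
    # check_delete_perms delegate the same way with their own predicate and message …
```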
