anatoly techtonik / bugs.python.org


bitdancer committed c394e31

Fix security bug: Users were able to see hashed passwords of other users.

  • Parent commits 6d5ba69
  • Branches default

Comments (0)

Files changed (2)

File .hgignore


File schema.py

 db.security.addPermissionToRole('Coordinator', 'SB: May Classify')
 db.security.addPermissionToRole('Developer', 'SB: May Classify')
-# May users view other user information? Comment these lines out
-# if you don't want them to
-db.security.addPermissionToRole('User', 'View', 'user')
-db.security.addPermissionToRole('Developer', 'View', 'user')
+# Allow Users and Developers to view most user properties.
+p =  db.security.addPermission(name='View', klass='user',
+   properties=('username', 'address', 'realname', 'phone',
+         'organisation', 'alternate_addresses', 'timezone'))
+db.security.addPermissionToRole('User', p)
+db.security.addPermissionToRole('Developer', p)
+# Coordinator may view all user properties.
 db.security.addPermissionToRole('Coordinator', 'View', 'user')
 # Allow Coordinator to edit any user, including their roles.
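Review bot: the replacement of the blanket `'View', 'user'` grants with a property-limited permission is the right shape for this fix, since it whitelists the properties User and Developer may read instead of trying to blacklist the password hash; two things to check in this hunk. First, only the grants to 'User' and 'Developer' are replaced, so any other role that is given 'View' on 'user' elsewhere in schema.py (the removed comment suggested these lines were the only ones, but the hunk does not show the rest of the file) would still see every property, including the password hash; a quick grep for `'View', 'user'` across the schema would confirm. Second, the old comment told administrators they could comment the lines out if they did not want users to see each other; the new comment drops that guidance, so a line noting that further properties can be added to or removed from the `properties=` tuple would help whoever maintains this instance. Minor style point: the double space in `p =  db.security.addPermission(` should be a single space.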