Roundup Tracker - Issues

Issue 1442145

classification
some special security settings don't work with mailgw
Type: Severity: normal
Components: Mail interface Versions:
process
Status: closed fixed
:
: richard : richard
Priority: normal :

Created on 2006-03-02 23:46 by anonymous, last changed 2006-03-02 23:46 by anonymous.

Messages
msg2207 Author: [hidden] (anonymous) Date: 2006-03-02 23:46
I want users to be able to edit only issues they have created.
So, in schema.py, I have these settings:

def own_issue(db, userid, nodeid):
    return userid == db.issue.get(nodeid, 'creator')
p = db.security.addPermission(name='Edit', klass='issue', check=own_issue,
    description="User is allowed to edit an issue if it is the creator")
db.security.addPermissionToRole('User', p)

It works well with the web interface, but with mailgw it
doesn't work: users can edit any issue they want.

in MailGW.handlemessage in mailgw.py line 853-854,
there is :

if nodeid:
    if not self.db.security.hasPermission('Edit', author, classname):

so it calls Security.hasPermission in security.py, and
on line 182 :

if perm.test(self.db, permission, classname, property,
                        userid, itemid):

it calls Permission.test, and on line 49 :
# check code
if itemid is not None and self.check is not None:
    if not self.check(db, userid, itemid):
        return 0

# we have a winner
return 1

As itemid is None, it will return 1, and the user will be
able to edit the issue.

If, in MailGW.handlemessage, you pass nodeid as an argument:

if nodeid:
    if not self.db.security.hasPermission('Edit', author, classname,
                                          itemid=nodeid):

Permission.test returns 0, and the user cannot edit the issue
anymore.
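
Added example, not part of the original report and not Roundup's source: a reduced model of the check chain the message describes, showing that a per-item `check` is only consulted when the caller passes `itemid`. The `Security` and `Permission` bodies, the `gateway_check_*` helpers and the sample data are constructed assumptions; only the `itemid`/`check` condition follows the lines quoted above.

```python
# Simplified model of the check chain in the report (constructed; not Roundup's source).

class Permission:
    def __init__(self, name, klass, check=None):
        self.name, self.klass, self.check = name, klass, check

    def test(self, db, permission, classname, userid, itemid=None):
        if (permission, classname) != (self.name, self.klass):
            return False
        # The per-item check is skipped whenever the caller omits itemid.
        if itemid is not None and self.check is not None:
            if not self.check(db, userid, itemid):
                return False
        return True


class Security:
    def __init__(self, db):
        self.db = db
        self.by_role = {}

    def add_permission_to_role(self, role, perm):
        self.by_role.setdefault(role, []).append(perm)

    def has_permission(self, permission, userid, classname, itemid=None):
        perms = [p for role in self.db["roles"][userid]
                 for p in self.by_role.get(role, [])]
        return any(p.test(self.db, permission, classname, userid, itemid)
                   for p in perms)


def own_issue(db, userid, nodeid):
    return userid == db["issues"][nodeid]["creator"]


# Constructed sample data: two users, one issue each.
DB = {"roles": {"alice": ["User"], "bob": ["User"]},
      "issues": {"1": {"creator": "alice"}, "2": {"creator": "bob"}}}
SECURITY = Security(DB)
SECURITY.add_permission_to_role("User", Permission("Edit", "issue", own_issue))


def gateway_check_class_only(author, classname, nodeid):
    # Call shape the report quotes from the mail gateway: no itemid.
    return SECURITY.has_permission("Edit", author, classname)


def gateway_check_with_item(author, classname, nodeid):
    # Call shape the report proposes: the target item is passed through.
    return SECURITY.has_permission("Edit", author, classname, itemid=nodeid)
```

The same four assertions work as a regression test for any entry point that authorizes a change to an existing item: a non-creator must be refused, and the creator must still be allowed.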
History
Date User Action Args
2006-03-02 23:46:45 anonymous create