Issue 1907211
Created on 2008-03-04 18:36 by mephinet, last changed 2008-03-07 01:11 by richard.
msg2537 | Author: [hidden] (mephinet) | Date: 2008-03-04 18:36
Property permissions are not checked at all by the current implementation of the xmlrpc server.
This enables users to edit/view properties they are not allowed to according to security settings.
The following exported methods are affected: `list`, `display`, and `set`.
The attached patch fixes these methods by passing the properties that are set/viewed to `security.hasPermission`.
I was unable to come up with a unit test for this because the xmlrpc testcase uses test/db_test_base, which simply copies the classic template - and its schema doesn't have any property-specific permissions that could be used for that.
The attached patch also fixes the bugs that I've reported but that haven't been addressed so far:
[ 1893931 ] xmlrpc: commit & close database
[ 1893839 ] test_xmlrpc: use all available backends
Please review and merge.
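An added illustration of the difference described in the report above (not code from the attached patch or from Roundup): a class-level check alone versus passing each requested property to a `hasPermission`-style call. The `Security` class, the handler names and the sample data are constructed stand-ins, and the rule that a check made without a property passes for a property-restricted grant is an assumption of this model.

```python
class Unauthorised(Exception):
    pass

class Security:
    """Toy permission store; the method name mirrors security.hasPermission."""
    def __init__(self):
        self.grants = {}  # (user, permission, classname) -> None (all props) or frozenset

    def grant(self, user, permission, classname, properties=None):
        key = (user, permission, classname)
        self.grants[key] = None if properties is None else frozenset(properties)

    def hasPermission(self, permission, user, classname, property=None):
        key = (user, permission, classname)
        if key not in self.grants:
            return False
        allowed = self.grants[key]
        # Model assumption: a check made without a property only answers
        # "any access to this class?", so property-restricted grants pass it.
        return allowed is None or property is None or property in allowed

def display_unchecked(sec, db, user, classname, itemid, props):
    """Class-level check only: the behaviour the report describes."""
    if not sec.hasPermission("View", user, classname):
        raise Unauthorised(f"View {classname}")
    return {p: db[classname][itemid][p] for p in props}

def display_checked(sec, db, user, classname, itemid, props):
    """Every requested property is passed to hasPermission before any read."""
    for p in props:
        if not sec.hasPermission("View", user, classname, property=p):
            raise Unauthorised(f"View {classname}.{p}")
    return {p: db[classname][itemid][p] for p in props}

def set_checked(sec, db, user, classname, itemid, changes):
    """Validate all properties first so a denied one leaves the item untouched."""
    for p in changes:
        if not sec.hasPermission("Edit", user, classname, property=p):
            raise Unauthorised(f"Edit {classname}.{p}")
    db[classname][itemid].update(changes)

def build_sample():
    """Constructed data: 'alice' may view/edit only some 'user' properties."""
    sec = Security()
    sec.grant("alice", "View", "user", {"username", "realname"})
    sec.grant("alice", "Edit", "user", {"realname"})
    db = {"user": {"3": {"username": "bob", "realname": "Bob", "roles": "Admin"}}}
    return sec, db
```

A regression test for this kind of fix needs a schema with at least one property-restricted grant, as `build_sample` has; without one the checked and unchecked handlers return the same results.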
msg2538 | Author: [hidden] (richard) | Date: 2008-03-07 01:11
Thanks, applied. I've also exercised the check-function permission based on user editing.
Date | User | Action | Args
2008-03-04 18:36:59 | mephinet | create | |