Issue 2550553
Created on 2009-06-08 17:17 by cmeerw, last changed 2009-06-30 01:41 by stefan.
File name | Uploaded | Description
2550553.diff | cmeerw, 2009-06-12 21:38 | patch to create separate "Register" permission
msg3718 |
Author: [hidden] (cmeerw) |
Date: 2009-06-08 17:17 |
|
Trying to use the classic template on a fresh 1.4.8 install, logging in
as the "admin" user and selecting Administration-"Add User" from the menu.
After filling in all required fields and pressing "Submit new entry",
nothing happens.
Looking at the source code in cgi/actions.py, NewItemAction.handle
appears to specifically block user creation:

    # guard against new user creation that would bypass security checks
    for key in props:
        if 'user' in key:
            return

I think this is a breakage from 1.4.6.
|
msg3719 |
Author: [hidden] (kai) |
Date: 2009-06-12 15:29 |
|
Richard changed this in revision 4180, and correctly. If you remove the check you mentioned,
you will reopen the security hole again.
Perhaps these lines need an additional check to see if the current user is logged in as a user
that has the right, instead of this simple check.
|
msg3720 |
Author: [hidden] (cmeerw) |
Date: 2009-06-12 20:56 |
|
I guess the main problem is that the "Create" permission for a user is
used for "Add User" and "Register". So maybe the solution should be to
separate these permissions and create a new "Register" permission.
|
msg3721 |
Author: [hidden] (cmeerw) |
Date: 2009-06-12 21:38 |
|
Added a patch to create a separate "Register" permission for users.
|
msg3742 |
Author: [hidden] (stefan) |
Date: 2009-06-30 01:41 |
|
Fixed as per rev:4239
|
|
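The permission split proposed in msg3720, sketched as an added example (not Roundup's code and not the attached patch): a toy role table in which Anonymous holds only "Register" on user while Admin holds "Create", next to the blanket guard quoted in msg3718. The role table, the function names and the (classname, itemid) key shape are assumptions made for the illustration.

```python
# Toy model, constructed for illustration; not Roundup's API or the patch.
ROLE_PERMISSIONS = {
    "Admin": {("Create", "user"), ("Edit", "user")},
    "User": {("Create", "issue"), ("Edit", "issue")},
    # After the split: anonymous visitors may register, not create users.
    "Anonymous": {("Register", "user")},
}


def has_permission(roles, permission, classname):
    """True if any of the caller's roles grants the permission on the class."""
    return any((permission, classname) in ROLE_PERMISSIONS.get(role, set())
               for role in roles)


def new_item_blanket_guard(roles, props):
    """Guard as quoted in msg3718: any 'user' key aborts, whoever is asking."""
    for key in props:
        if "user" in key:
            return None          # silent return: the admin sees "nothing happens"
    return "created"


def new_item_checked(roles, props):
    """Generic creation path: require 'Create' on every class in the form."""
    for classname, _itemid in props:
        if not has_permission(roles, "Create", classname):
            raise PermissionError(f"Create on {classname!r} denied")
    return "created"


def register(roles, props):
    """Self-registration path: user items only, gated by 'Register'."""
    for classname, _itemid in props:
        if classname != "user" or not has_permission(roles, "Register", classname):
            raise PermissionError("registration denied")
    return "registered"


# Constructed form data: keys are (classname, itemid); "-1" marks a new item.
NEW_USER_FORM = {("user", "-1"): {"username": "alice", "address": "alice@example.org"}}
```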
Date | User | Action | Args
2009-06-30 01:41:45 | stefan | set | status: new -> closed; assignee: stefan; resolution: fixed; messages: + msg3742; nosy: + stefan
2009-06-12 21:38:44 | cmeerw | set | files: + 2550553.diff; keywords: + patch; messages: + msg3721
2009-06-12 20:56:58 | cmeerw | set | messages: + msg3720
2009-06-12 15:29:57 | kai | set | nosy: + kai; messages: + msg3719
2009-06-08 17:17:03 | cmeerw | create |