Issue 2550864
Created on 2015-01-14 04:13 by jerrykan, last changed 2017-04-15 03:36 by rouilj.
msg5184
Author: [hidden] (jerrykan)
Date: 2015-01-14 04:12
Roundup provides the ability to manage access to each of a class's
properties (i.e. View, Edit, etc.). For properties that users do not have
View permissions for, the current value of a property will be displayed
as '[hidden]' in the node journal/history. The problem is that
older/previous values for the same property are not sanitised at all, so
users can view information that they probably should not be able to.

Example:

Date                 User   Action  Args
2015-01-12 02:27:11  user1  set     secure_prop: Old Value2 -> [hidden]
2015-01-12 02:26:48  user1  set     secure_prop: Old Value -> Old Value2
2015-01-12 02:26:43  user1  set     secure_prop: Old Value

Ideally the properties that users do not have View access to should
probably not appear in the journal/history at all.
msg5955
Author: [hidden] (rouilj)
Date: 2017-04-15 03:36
Jerry, I just checked in [462b0f76fce8] to the repo. It should fix
this issue.
I pushed the check into hyperdb.py::Class::history(). It now checks
for View access on the property. If there is no View access, the
journal entry is not shown. (setting enforceperm = False in the
history call skips the check).
I also pushed the filtering of quiet properties into the hyperdb from
the templating class. (on by default, calling it with skipquiet=False
reports the quiet props).
I had to fix up a few other calls to history to disable the filtering
(e.g. the code that backs the roundup-admin export function).
If you get a chance to try it.
Date                 User      Action  Args
2017-04-15 03:36:02  rouilj    set     status: new -> fixed, resolution: fixed, messages: + msg5955, nosy: + rouilj
2017-04-09 03:34:52  rouilj    set     assignee: rouilj
2015-01-14 04:13:01  jerrykan  create