Roundup Tracker - Issues

Message5184

Author jerrykan
Recipients jerrykan
Date 2015-01-14.04:12:59
Message-id <1421208781.53.0.790557709125.issue2550864@psf.upfronthosting.co.za>
In-reply-to
Roundup provides the ability to manage access to each of a class's
properties (i.e. View, Edit, etc.). For properties that users do not have
View permissions for, the current value of a property will be displayed
as '[hidden]' in the node journal/history. The problem is that
older/previous values for the same property are not sanitised at all, so
users can view information that they probably should not be able to.

example:
Date                 User     Action  Args
2015-01-12 02:27:11  user1    set     secure_prop: Old Value2 -> [hidden]
2015-01-12 02:26:48  user1    set     secure_prop: Old Value -> Old Value2
2015-01-12 02:26:43  user1    set     secure_prop: Old Value

Ideally the properties that users do not have View access to should
probably not appear in the journal/history at all.
History
Date                 User      Action  Args
2015-01-14 04:13:01  jerrykan  set     recipients: + jerrykan
2015-01-14 04:13:01  jerrykan  set     messageid: <1421208781.53.0.790557709125.issue2550864@psf.upfronthosting.co.za>
2015-01-14 04:13:01  jerrykan  link    issue2550864 messages
2015-01-14 04:13:00  jerrykan  create
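An added illustration of the behaviour reported in the message above (not code from Roundup or from the reporter): a simplified journal model rendered once with only the current value masked, and once with non-viewable properties dropped from the history entirely. The journal layout, the `viewer_can_view` check, the `title` property and all sample values are assumptions constructed for this example.

```python
# Simplified model (assumption, not Roundup's real API): each journal entry is
# (date, user, action, params); for "set", params maps a property name to the
# value it held *before* the change.
JOURNAL = [  # constructed sample, oldest first
    ("2015-01-12 02:26:48", "user1", "set", {"secure_prop": "Old Value"}),
    ("2015-01-12 02:27:11", "user1", "set",
     {"secure_prop": "Old Value2", "title": "Draft"}),
]
CURRENT = {"secure_prop": "Current Value", "title": "Final"}  # constructed


def viewer_can_view(prop):
    """Hypothetical permission check: this viewer lacks View on secure_prop."""
    return prop != "secure_prop"


def render_history(journal, current, can_view, drop_hidden):
    """Return history rows, newest first, as (date, user, text) tuples."""
    newer = dict(current)   # value each property takes after the entry
    latest = set(current)   # properties whose 'newer' value is still current
    rows = []
    for date, user, _action, params in reversed(journal):
        for prop, old in sorted(params.items()):
            new, is_current = newer[prop], prop in latest
            newer[prop] = old
            latest.discard(prop)
            if not can_view(prop):
                if drop_hidden:
                    continue          # hardened: property never reaches output
                if is_current:
                    new = "[hidden]"  # reported behaviour: only current masked
            rows.append((date, user, f"{prop}: {old} -> {new}"))
    return rows


def leaked_values(rows, secrets):
    """Regression helper: which secret values appear in the rendered rows."""
    return sorted(s for s in secrets if any(s in text for _, _, text in rows))


if __name__ == "__main__":
    secrets = ["Old Value2", "Current Value"]
    for drop in (False, True):
        rows = render_history(JOURNAL, CURRENT, viewer_can_view, drop)
        print("drop_hidden =", drop, "leaked:", leaked_values(rows, secrets))
        for date, user, text in rows:
            print(f"  {date}  {user}  set  {text}")
```

A check like `leaked_values` works as a regression test for any history view: render it as a user without View permission and assert that no past or present value of the protected property appears.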