better check for anonymous viewing of user items [SF#933510]

Richard Jones · Richard Jones · commit 02af4555a37a · 2004-04-12T06:55:41.000Z
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -27,6 +27,7 @@ Fixed:
 - grouping (and sorting) by multilink in RDBMS backends (sf bug 655702)
 - roundup scripts may now be asked for their version (sf rfe 798657)
 - sqlite backend had stopped using the global lock
+- better check for anonymous viewing of user items (sf bug 933510)
 
 
 2004-03-27 0.7.0b2
diff --git a/TODO.txt b/TODO.txt
@@ -1,5 +1,8 @@
 This file contains items that need doing before the next release:
 
+. make Intervals store timestamps, not strings
+
+
 Optionally:
 - have rdbms backends look up the journal for actor if it's not set
 - migrate to numeric ID values (fixes bug 817217)
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
@@ -945,9 +945,10 @@ def _user_perm_check(self, type):
         if getattr(self, '_nodeid', None) == userid and not is_anonymous:
             return 1
 
-        # may anonymous users register?
-        if (is_anonymous and s.hasPermission('Web Registration', userid,
-                self._classname)):
+        # may anonymous users register? (so, they need to be anonymous,
+        # need the Web Rego permission, and not trying to view an item)
+        rego = s.hasPermission('Web Registration', userid, self._classname)
+        if is_anonymous and rego and getattr(self, '_nodeid', None) is None:
             return 1
 
         # nope, no access here
