Anonymous user can no longer edit or view itself.

Johannes Gijsbers · Johannes Gijsbers · commit 5d6f611738be · 2003-10-24T09:32:19.000Z
This fixes a security bug [SF#828901].
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.142 2003-10-22 16:47:55 jlgijsbers Exp $
+# $Id: client.py,v 1.143 2003-10-24 09:32:19 jlgijsbers Exp $
 
 __doc__ = """
 WWW request handler (also used in the stand-alone server).
@@ -970,7 +970,8 @@ def editItemPermission(self, props):
                     'user'):
                 return 0
             # if the item being edited is the current user, we're ok
-            if self.nodeid == self.userid:
+            if (self.nodeid == self.userid
+                and self.db.user.get(self.nodeid, 'username') != 'anonymous'):
                 return 1
         if self.db.security.hasPermission('Edit', self.userid, self.classname):
             return 1
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
@@ -807,14 +807,16 @@ def is_edit_ok(self):
             Also check whether this is the current user's info.
         '''
         return self._db.security.hasPermission('Edit', self._client.userid,
-            self._classname) or self._nodeid == self._client.userid
+            self._classname) or (self._nodeid == self._client.userid and
+            self._db.user.get(self._client.userid, 'username') != 'anonymous')
 
     def is_view_ok(self):
         ''' Is the user allowed to View the current class?
             Also check whether this is the current user's info.
         '''
         return self._db.security.hasPermission('Edit', self._client.userid,
-            self._classname) or self._nodeid == self._client.userid
+            self._classname) or (self._nodeid == self._client.userid and
+            self._db.user.get(self._client.userid, 'username') != 'anonymous')
 
 class HTMLProperty:
     ''' String, Number, Date, Interval HTMLProperty
