The access check on properties for an instance of a class

rouilj · rouilj · commit 65e7fe07bba6 · 2019-02-16T15:37:14.000-05:00
(e.g. .../user/1) was not correct. As a result the access rights on the
class not the access right to an instance of a class were checked.
This fixes the code so the instance rights are checked the same as
calling: .../user/1/roles would.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -49,6 +49,11 @@ Features:
    - allow user (e.g. in browser) to override response type/Accept
      header using extension in url. E.G. .../issues.json. This fixes
      the existing code so it works.
+   - fix SECURITY issue. Retrieving the item of a class
+     (e.g. /rest/data/user/2) would display properties the user wasn't
+     allowed to access. Note that unlike the web interface,  passwords
+     and roles for users are still retreivable if the user has access
+     rights to the properties.
   (John Rouillard)
 - issue2550833: the export_csv web action now returns labels/names
   rather than id's. Replace calls to export_csv with the export_csv_id
diff --git a/roundup/rest.py b/roundup/rest.py
@@ -494,7 +494,7 @@ def get_element(self, class_name, item_id, input):
                 for prop_name in props
                 if self.db.security.hasPermission(
                     'View', self.db.getuid(), class_name, prop_name,
-                )
+                        item_id )
             ]
         except KeyError as msg:
             raise UsageError("%s field not valid" % msg)

Original file line number	Diff line number	Diff line change
`@@ -494,7 +494,7 @@ def get_element(self, class_name, item_id, input):`
`494`	`494`	`for prop_name in props`
`495`	`495`	`if self.db.security.hasPermission(`
`496`	`496`	`'View', self.db.getuid(), class_name, prop_name,`
`497`		`- )`
	`497`	`+ item_id )`
`498`	`498`	`]`
`499`	`499`	`except KeyError as msg:`
`500`	`500`	`raise UsageError("%s field not valid" % msg)`