fix security check in mailgw [SF#1442145]

Richard Jones · Richard Jones · commit 6e6a2a102527 · 2006-03-03T00:13:20.000Z
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -20,6 +20,7 @@ Fixed:
 - fix saving of queries (sf bug 1436169)
 - fix "Adding a new constrained field to the classic schema" example in docs
   (sf bug 1433118)
+- fix security check in mailgw (sf bug 1442145)
 
 
 2006-02-10 1.1.0
diff --git a/roundup/mailgw.py b/roundup/mailgw.py
@@ -72,7 +72,7 @@ class node. Any parts of other types are each stored in separate files
 an exception, the original message is bounced back to the sender with the
 explanatory message given in the exception.
 
-$Id: mailgw.py,v 1.173 2006-03-02 23:45:22 richard Exp $
+$Id: mailgw.py,v 1.174 2006-03-03 00:13:20 richard Exp $
 """
 __docformat__ = 'restructuredtext'
 
@@ -851,7 +851,8 @@ def handle_message(self, message):
 
         # make sure they're allowed to edit or create this class of information
         if nodeid:
-            if not self.db.security.hasPermission('Edit', author, classname):
+            if not self.db.security.hasPermission('Edit', author, classname,
+                    itemid=nodeid):
                 raise Unauthorized, 'You are not permitted to '\
                     'edit %s.'%classname
         else:
