enforce View Permission when serving file content [SF#1050470]

Richard Jones · Richard Jones · commit 74c5c0aaadbb · 2004-11-05T04:55:52.000Z
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -48,8 +48,8 @@ Fixed:
 - loosened the detection of issue cross-references in messages
 - open CSV files in "universal newline" mode
 - s/Modifed/Modified (thanks donfu)
-- applied patch fixing some form handling issues in ZRoundup (thanks Chris
-  Withers)
+- applied patch fixing some form handling issues in ZRoundup (sf bug 995565)
+- enforce View Permission when serving file content (sf bug 1050470)
 
 
 2004-10-15 0.7.8
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.195 2004-11-03 09:49:14 a1s Exp $
+# $Id: client.py,v 1.196 2004-11-05 04:55:52 richard Exp $
 
 """WWW request handler (also used in the stand-alone server).
 """
@@ -531,6 +531,12 @@ def serve_file(self, designator, dre=re.compile(r'([^\d]+)(\d+)')):
         if not props.has_key('content'):
             raise NotFound, designator
 
+        # make sure we have permission
+        if not self.db.security.hasPermission('View', self.userid,
+                classname, 'content', nodeid):
+            raise Unauthorised, self._("You are not allowed to view "
+                "this file.")
+
         mime_type = klass.get(nodeid, 'type')
         content = klass.get(nodeid, 'content')
         lmt = klass.get(nodeid, 'activity').timestamp()
