html/query.item.html was missing checks to verify that a query should

be visible to the user. This is fixed and users can only view queries
that they own or that are not private.

Author: rouilj

CHANGES.txt

@@ -457,6 +457,9 @@ Fixed:
 - CSRF protection broke the retire function for query edit. Fix
   javascript and make sure csrf tokens are provided in the right
   places. (John Rouillard)
+- query.item.html was missing checks to verify that a query should
+  be visible to the user. This is fixed and users can only view
+  queries that they own or that are not private. (John Rouillard)
 
 2016-01-11: 1.5.1
 

doc/upgrading.txt

@@ -518,6 +518,19 @@ interface. Once in the "Queries I created" section and again in the
 "Queries others created" section of the query edit page
 (``http..../query?@template=edit``).
 
+Fix security issues in query.item.html template
+-----------------------------------------------
+The default query.item.html template allows anybody to view all
+queries.
+
+This has been updated in the classic, devel and responsive templates
+to only allow people to view queries they creates or queries that are
+publicly viewable.
+
+If you haven't modified you query.item.html template, simply copy the
+query.item.html template from one of the above default templates to
+your tracker's html directory.
+
 Enhancement to check command for Permissions
 --------------------------------------------
 

share/roundup/templates/classic/html/query.item.html

@@ -1,3 +1,15 @@
 <!-- query.item -->
-<span tal:replace="structure context/renderQueryForm" />
-
+<span tal:condition="context/is_view_ok" tal:replace="structure
+      context/renderQueryForm" />
+<tal:block tal:condition="not:context/is_view_ok">
+  <tal:block metal:use-macro="templates/page/macros/icing">
+    <title metal:fill-slot="head_title">You can not view query</title>
+    <tal:block metal:fill-slot="body_title">
+      You can not view query.
+    </tal:block>
+    <td class="content" metal:fill-slot="content">
+      You are not allowed to view <span tal:content="context/_classname"/>
+      with id <span tal:content="context/id"/>
+    </td>
+  </tal:block>
+</tal:block>

share/roundup/templates/devel/html/query.item.html

@@ -1,3 +1,15 @@
 <!-- query.item -->
-<span tal:replace="structure context/renderQueryForm" />
-
+<span tal:condition="context/is_view_ok" tal:replace="structure
+      context/renderQueryForm" />
+<tal:block tal:condition="not:context/is_view_ok">
+  <tal:block metal:use-macro="templates/page/macros/icing">
+    <title metal:fill-slot="head_title">You can not view query</title>
+    <tal:block metal:fill-slot="body_title">
+      You can not view query.
+    </tal:block>
+    <td class="content" metal:fill-slot="content">
+      You are not allowed to view <span tal:content="context/_classname"/>
+      with id <span tal:content="context/id"/>
+    </td>
+  </tal:block>
+</tal:block>

share/roundup/templates/responsive/html/query.item.html

@@ -1,3 +1,15 @@
 <!-- query.item -->
-<span tal:replace="structure context/renderQueryForm" />
-
+<span tal:condition="context/is_view_ok" tal:replace="structure
+      context/renderQueryForm" />
+<tal:block tal:condition="not:context/is_view_ok">
+  <tal:block metal:use-macro="templates/page/macros/icing">
+    <title metal:fill-slot="head_title">You can not view query</title>
+    <tal:block metal:fill-slot="body_title">
+      You can not view query.
+    </tal:block>
+    <td class="content" metal:fill-slot="content">
+      You are not allowed to view <span tal:content="context/_classname"/>
+      with id <span tal:content="context/id"/>
+    </td>
+  </tal:block>
+</tal:block>