merge(ish) from HEAD

Richard Jones · Richard Jones · commit 92e3f6a361e4 · 2004-11-05T04:57:50.000Z
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -10,6 +10,7 @@ Fixed:
 - s/Modifed/Modified (thanks donfu)
 - applied patch fixing some form handling issues in ZRoundup (thanks Chris
   Withers)
+- enforce View Permission when serving file content (sf bug 1050470)
 
 
 2004-10-15 0.7.8
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.176.2.6 2004-10-26 07:59:28 richard Exp $
+# $Id: client.py,v 1.176.2.7 2004-11-05 04:57:50 richard Exp $
 
 """WWW request handler (also used in the stand-alone server).
 """
@@ -445,6 +445,11 @@ def serve_file(self, designator, dre=re.compile(r'([^\d]+)(\d+)')):
         if not props.has_key('content'):
             raise NotFound, designator
 
+        # make sure we have permission
+        if not self.db.security.hasPermission('View', self.userid, classname):
+            raise Unauthorised, self._("You are not allowed to view "
+                "this file.")
+
         mime_type = klass.get(nodeid, 'type')
         content = klass.get(nodeid, 'content')
         lmt = klass.get(nodeid, 'activity').timestamp()
