Anonymous user can no longer edit or view itself.

This fixes a security bug [SF#828901].

Author: Johannes Gijsbers

roundup/cgi/client.py

@@ -1,4 +1,4 @@
-# $Id: client.py,v 1.130.2.2 2003-08-28 04:53:04 richard Exp $
+# $Id: client.py,v 1.130.2.3 2003-10-24 09:31:13 jlgijsbers Exp $
 
 __doc__ = """
 WWW request handler (also used in the stand-alone server).
@@ -1031,7 +1031,8 @@ def editItemPermission(self, props):
                     'user'):
                 return 0
             # if the item being edited is the current user, we're ok
-            if self.nodeid == self.userid:
+            if (self.nodeid == self.userid
+                and self.db.user.get(self.nodeid, 'username') != 'anonymous'):
                 return 1
         if self.db.security.hasPermission('Edit', self.userid, self.classname):
             return 1

roundup/cgi/templating.py

@@ -807,14 +807,16 @@ def is_edit_ok(self):
             Also check whether this is the current user's info.
         '''
         return self._db.security.hasPermission('Edit', self._client.userid,
-            self._classname) or self._nodeid == self._client.userid
+            self._classname) or (self._nodeid == self._client.userid and
+            self._db.user.get(self._client.userid, 'username') != 'anonymous')
 
     def is_view_ok(self):
         ''' Is the user allowed to View the current class?
             Also check whether this is the current user's info.
         '''
         return self._db.security.hasPermission('Edit', self._client.userid,
-            self._classname) or self._nodeid == self._client.userid
+            self._classname) or (self._nodeid == self._client.userid and
+            self._db.user.get(self._client.userid, 'username') != 'anonymous')
 
 class HTMLProperty:
     ''' String, Number, Date, Interval HTMLProperty