Edit detail for #485 when using regulations, comments also require change regulations permission revision 1 of 1

Editor: simon
Time: 2003/04/21 17:04:31 GMT+0
Note: fixed for 0.18

changed:
-
Since the append method calls edit, and edit uses p._handleSetRegulations to check for regulation permissions, anonymous users cannot submit comments unless they have regulation permissions.  This would be a major security hazard.

<b>-</b> --2003/04/07 18:41 GMT<br>
Workaround:
Give Regulation permissions to anonymous, but revoke view permissions to editform.

<b>(property change)</b> --SimonMichael, 2003/04/14 17:16 GMT<br>
Severity: serious => normal 


<b>try this</b> --simon, 2003/04/14 17:37 GMT<br>
I see what you're saying though - _handleSetRegulations tries to set regulations when it shouldn't. Pending a better idea from someone, see if this fixes it for you::

    def _handleSetRegulations(self,REQUEST):
        # only act when the request actually carries a regulation field;
        # a plain comment (append -> edit) then never reaches the ChangeRegs check
        if REQUEST.get('who_owns_subs',None) != None:
            # do we have permission ?
            if not self._checkPermission(Permissions.ChangeRegs,self):
                # string exception, as in Python 2 era Zope code
                raise 'Unauthorized', (
                  _("You are not authorized to set this ZWiki Page's regulations."))
            self.setRegulations(REQUEST)
            self._preRender(clear_cache=1)
 

<b>(property change)</b> --simon, 2003/04/14 17:39 GMT<br>
Title: 'IssueNo0485 Anonymous Comments require Anonymous Regulation permissions' => 'IssueNo0485 when using regulations, comments also require change regulations permission' 


<b>fixed for 0.18</b> --simon, 2003/04/21 17:04 GMT<br>
Status: open => closed 
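The append -> edit -> _handleSetRegulations path discussed in this issue, modelled as an added example that is not ZWiki's or Zope's code. Page, the role-to-permission table, the permission strings and the request dictionaries are simplified stand-ins for Zope's security machinery and ZWiki's Permissions module, constructed here so the original unconditional check and the gated check from the "try this" comment can be run side by side without Zope. It also assumes, as the issue report does, that edit accepts who_owns_subs from any request, not only from editform, which is why the workaround (grant ChangeRegs to Anonymous, hide editform) leaves regulations changeable by a direct request.

```python
# Added example (not ZWiki's code): minimal model of IssueNo0485.
# Permission names below are hypothetical stand-ins for Permissions.ChangeRegs etc.

class Unauthorized(Exception):
    """Stand-in for Zope's Unauthorized exception."""


CHANGE_REGS = "Change ZWiki regulations"   # hypothetical name
EDIT_PAGE = "Edit ZWiki pages"             # hypothetical name


class Page:
    def __init__(self, role_perms, gated_check):
        # role -> set of permission names granted to that role (constructed)
        self.role_perms = role_perms
        # False: original behaviour, ChangeRegs is checked on every edit
        # True:  proposed fix, checked only when the request sets regulations
        self.gated_check = gated_check
        self.regulations = {"who_owns_subs": "owner"}
        self.comments = []

    def _checkPermission(self, perm, role):
        return perm in self.role_perms.get(role, set())

    def _handleSetRegulations(self, request, role):
        wants_regs = request.get("who_owns_subs") is not None
        if self.gated_check and not wants_regs:
            return                      # nothing to set, no permission needed
        if not self._checkPermission(CHANGE_REGS, role):
            raise Unauthorized("not authorized to set this page's regulations")
        if wants_regs:
            self.regulations["who_owns_subs"] = request["who_owns_subs"]

    def edit(self, request, role):
        if not self._checkPermission(EDIT_PAGE, role):
            raise Unauthorized("not authorized to edit")
        self._handleSetRegulations(request, role)
        if request.get("comment") is not None:
            self.comments.append(request["comment"])

    def append(self, text, role, extra=None):
        # comments are appended by calling edit, as the issue report describes
        request = dict(extra or {})
        request["comment"] = text
        self.edit(request, role)


def try_append(page, text, role, extra=None):
    """Return 'ok' or 'Unauthorized' for a comment attempt by `role`."""
    try:
        page.append(text, role, extra)
        return "ok"
    except Unauthorized:
        return "Unauthorized"


# Constructed role tables: the sane setup, and the workaround from the thread
ANON_CAN_EDIT = {"Anonymous": {EDIT_PAGE}, "Manager": {EDIT_PAGE, CHANGE_REGS}}
ANON_CAN_CHANGE_REGS = {"Anonymous": {EDIT_PAGE, CHANGE_REGS}}


def original_behaviour():
    """Bug: an anonymous comment is refused although it touches no regulation."""
    page = Page(ANON_CAN_EDIT, gated_check=False)
    return try_append(page, "hello", "Anonymous")                 # 'Unauthorized'


def fixed_behaviour():
    """Fix: the plain comment succeeds, a regulation change is still refused."""
    page = Page(ANON_CAN_EDIT, gated_check=True)
    comment = try_append(page, "hello", "Anonymous")              # 'ok'
    regs = try_append(page, "x", "Anonymous", {"who_owns_subs": "nobody"})
    return comment, regs, page.regulations["who_owns_subs"]       # ('ok', 'Unauthorized', 'owner')


def workaround_hazard():
    """Hiding editform does not stop a direct request that carries who_owns_subs."""
    page = Page(ANON_CAN_CHANGE_REGS, gated_check=False)
    result = try_append(page, "x", "Anonymous", {"who_owns_subs": "anyone"})
    return result, page.regulations["who_owns_subs"]              # ('ok', 'anyone')


if __name__ == "__main__":
    print(original_behaviour(), fixed_behaviour(), workaround_hazard())
```

The design point is the one the fix makes: check the permission for the action the request actually asks for, not for every action the code path could perform. The third function shows why the interim workaround is a hazard rather than a fix: a hidden form is not a security boundary, since the permission is evaluated in edit, which any client can call directly.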


Submitted by : simon at: 2003-10-26T21:32:00+00:00
