Ticket #1007 (closed defect: fixed)

Opened 14 years ago

Last modified 14 years ago

Wrong security checking on form editing action

Reported by: tziade
Owned by: gracinet
Priority: P3
Milestone: CPS 3.4.0
Component: CPSCollector
Version: TRUNK
Severity: normal
Keywords:
Cc:

Description (last modified by fguillaume)

In Form.py:

    #   Security Stuff used to raise an exception in skin ------------
    security.declarePrivate('assert_form_private')
    def assert_form_private(self):
        pass

    security.declareProtected(View, 'assert_form_view')
    def assert_form_view(self):
        pass

    security.declareProtected(ModifyPortalContent, 'assert_form_modify')
    def assert_form_modify(self):
        pass

'assert_form_modify' won't let an owner change their own Form through the working proxy after it is published.

Change History

comment:1 Changed 14 years ago by tziade

I don't understand why we don't use guards here.

comment:2 Changed 14 years ago by gracinet

  • Status changed from new to assigned
  • Owner changed from trac to gracinet

Todo: forward the proxy to methods like process_edit_field and have them call getEditableContent (in case it's frozen)

comment:3 Changed 14 years ago by fguillaume

  • Description modified

comment:4 Changed 14 years ago by gracinet

See also #1023 and #1067 for more functional details.

comment:5 Changed 14 years ago by gracinet

Fixed [28703]. Still needs cleanup and tests.

comment:6 Changed 14 years ago by fguillaume

  • Priority changed from P2 to P3

comment:7 Changed 14 years ago by gracinet

  • Status changed from assigned to closed
  • Resolution set to fixed

Tests were written in [28892]
