[Mpuls-commits] r5565 - base/trunk/mpulsweb/controllers

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Thu Nov 10 21:10:18 CET 2011


Author: bh
Date: 2011-11-10 21:10:16 +0100 (Thu, 10 Nov 2011)
New Revision: 5565

Modified:
   base/trunk/mpulsweb/controllers/usersettings.py
Log:
Remove id parameter from UsersettingsController.showSettings.

All actions in UsersettingsController are only used to operate on the
user currently logged in, so there's no need to pass in the id of the
user whose settings are to be shown. Also, it's actually a bit of a
security problem because by using the id of another user in the URL, the
showSettings action can be used to find out the login name of other
users, including admins.

The URLs that refer to the showSettings action still include the ID, but
they should still work because the ID will simply be ignored and
showSettings will always show the settings of the current user.  All
showSettings URLs generated by mpulsweb use the ID of the current user
so nothing should change for the users.

This commit fixes the main showSettings part of mpuls/issue2367.


Modified: base/trunk/mpulsweb/controllers/usersettings.py
===================================================================
--- base/trunk/mpulsweb/controllers/usersettings.py	2011-11-10 20:00:08 UTC (rev 5564)
+++ base/trunk/mpulsweb/controllers/usersettings.py	2011-11-10 20:10:16 UTC (rev 5565)
@@ -57,9 +57,8 @@
         return 'Hello, User'
 
     @checkRole(('admin', 'cm', 'pt_dlr', 'pb'))
-    def showSettings(self, id):
-        id = self._checkInt(id)
-        c.uo = UserObject(id)
+    def showSettings(self):
+        c.uo = UserObject(h.getUserId())
         c.vuo = UserGroup(c.uo.standin)
         return render('/usersettings/show_settings.mako')
 
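Review bot: the hunk fixes the insecure direct object reference by replacing the caller-supplied `id` with `h.getUserId()`, but two things are worth confirming before merging. First, the commit message relies on the router silently dropping the now-unused `id` URL segment; in Pylons only route variables that match the action's parameter names are passed to the action, so `def showSettings(self)` will indeed ignore it, but a quick request against a stale `showSettings/<other-id>` URL in the test suite would pin that behaviour down and double as a regression test for the information leak described in the log. Second, `@checkRole(('admin', 'cm', 'pt_dlr', 'pb'))` is what guarantees a logged-in user exists when `h.getUserId()` is called; if any role could reach this action anonymously, `UserObject(None)` would be constructed, so the decorator should stay as the first line of defence. Since the message says this is only the "main showSettings part" of the issue, the other actions in this controller that still accept an `id` should get the same treatment (or the same `h.getUserId()` substitution) in a follow-up.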