[Mpuls-commits] r5572 - in base/trunk/mpulsweb: controllers templates/usersettings
scm-commit@wald.intevation.org
Fri Nov 11 18:26:48 CET 2011
Author: bh
Date: 2011-11-11 18:26:47 +0100 (Fri, 11 Nov 2011)
New Revision: 5572
Modified:
base/trunk/mpulsweb/controllers/usersettings.py
base/trunk/mpulsweb/templates/usersettings/edit_standin.mako
Log:
Do not pass the user id around when changing the user's standins.
All actions in UsersettingsController are only used to operate on the
user currently logged in, so there's no need to pass in the id of the
user whose settings are to be changed. In the particular case of editing
standins, this is even part of a security problem because it could allow
users to change the standins of other users (see mpuls/issue852).
The change in edit_standin.mako makes sure that the URL generated for
editStandinAction does not include the ID. It would do that because it
relied on routes memory.
This commit fixes the usersettings part of mpuls/issue2367.
It also fixes the web-application part of mpuls/issue852.
Modified: base/trunk/mpulsweb/controllers/usersettings.py
===================================================================
--- base/trunk/mpulsweb/controllers/usersettings.py 2011-11-11 16:50:05 UTC (rev 5571)
+++ base/trunk/mpulsweb/controllers/usersettings.py 2011-11-11 17:26:47 UTC (rev 5572)
@@ -135,14 +135,13 @@
return render('/usersettings/dialogs/notificate_setpassword.mako')
@checkRole('cm')
- def editStandin(self, id):
- id = self._checkInt(id)
+ def editStandin(self):
c.form_errors = {}
c.form_result = {}
ulo = UserListObject()
ug = UserGroupList()
- c.uo = UserObject(id)
user = session['USER_AUTHORIZED']
+ c.uo = UserObject(user.id)
# Get available users for standin. filter out admins and the current
# user
filter = [u.gid for u in ulo.getAdminList()]
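Review bot: the new `editStandin(self)` deliberately takes no `id`, but nothing in this hunk shows the route table, so a request to a URL that still carries an id segment may simply have that segment ignored rather than rejected; confirm the usersettings routes no longer accept an `id` for this action, and add a short docstring stating that the method only ever operates on `session['USER_AUTHORIZED']`, since that invariant is now what the authorization of this controller rests on.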
@@ -155,7 +154,7 @@
validator = BaseFormValidator()
try:
c.form_result = validator.to_python(request.params)
- c.uo = UserObject(c.form_result.get('uid'))
+ c.uo = UserObject(h.getUserId())
c.uo.setStandin(c.form_result.get('standin') or None)
#TODO: Update the value for the logged in session user
except formencode.Invalid, error:
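Review bot: taking the target user from `h.getUserId()` instead of `c.form_result.get('uid')` closes the client-controlled path, but the `#TODO: Update the value for the logged in session user` left in place means `session['USER_AUTHORIZED']` still holds the standin value from login after `c.uo.setStandin(...)` succeeds; either refresh the session object here or note in the commit message that the stale session value is tracked separately, so the TODO does not get lost now that the surrounding code was touched.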
Modified: base/trunk/mpulsweb/templates/usersettings/edit_standin.mako
===================================================================
--- base/trunk/mpulsweb/templates/usersettings/edit_standin.mako 2011-11-11 16:50:05 UTC (rev 5571)
+++ base/trunk/mpulsweb/templates/usersettings/edit_standin.mako 2011-11-11 17:26:47 UTC (rev 5572)
@@ -17,7 +17,8 @@
<div id="waska_form">
<p>${_('Here you can configure, which user at creation of a new case document is your standin. You can select a user or a group of users. These user have also access to this case document. This configuration has no effect on your current cases.')}</p>
<br>
-<form action="${h.url_for(action="editStandinAction")}" method="POST">
+<form action="${h.url_for(controller='/usersettings', action='editStandinAction')}"
+ method="POST">
<div class="waska_form_element w100">
<label
for="standin">${_('Standin')}</label><br>
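Review bot: the commit message says the old `h.url_for(action="editStandinAction")` picked up the id from Routes memory; naming the controller explicitly narrows that, but it would be more robust to also pass `id=None` in the `url_for` call so the generated action URL can never inherit an `id` from the current request regardless of how memory is resolved, e.g. `${h.url_for(controller='/usersettings', action='editStandinAction', id=None)}`.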
@@ -36,7 +37,6 @@
% endif
</select>
</div>
- <input type="hidden" name="uid" value="${h.getUserId()}">
<input class="btn_space" type="submit" value="${_('Change standin')}">
</form>
</div>
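Review bot: with `<input type="hidden" name="uid" ...>` removed the form no longer submits a user identifier at all, which is the intent; check that `BaseFormValidator` (hunk in usersettings.py) no longer declares a `uid` field either, otherwise a client-supplied `uid` still lands in `c.form_result` unused, where it invites being picked up again later.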