changeset 2582:66add9e5bec7

if attachment upload uses overwrite mode, we have to check for delete rights, not only for write rights
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Mon, 30 Jul 2007 18:07:20 +0200
parents 67aeed6f77ce
children dd005fd66306
files MoinMoin/action/AttachFile.py docs/CHANGES
diffstat 2 files changed, 16 insertions(+), 9 deletions(-) [+]
--- a/MoinMoin/action/AttachFile.py	Sun Jul 29 20:17:24 2007 +0200
+++ b/MoinMoin/action/AttachFile.py	Mon Jul 30 18:07:20 2007 +0200
@@ -554,9 +554,16 @@
         else:
             msg = _('You are not allowed to save a drawing on this page.')
     elif do == 'upload':
-        if request.user.may.write(pagename):
+        overwrite = 0
+        if 'overwrite' in request.form:
+            try:
+                overwrite = int(request.form['overwrite'][0])
+            except:
+                pass
+        if (not overwrite and request.user.may.write(pagename)) or \
+           (overwrite and request.user.may.write(pagename) and request.user.may.delete(pagename)):
             if 'file' in request.form:
-                do_upload(pagename, request)
+                do_upload(pagename, request, overwrite)
             else:
                 # This might happen when trying to upload file names
                 # with non-ascii characters on Safari.
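Review bot: The bare `except: pass` at the `int(request.form['overwrite'][0])` parse swallows every exception, not just a malformed form value, so a real error in reading the form would silently fall back to the non-overwrite path; narrow it to `except (ValueError, IndexError, TypeError):` so only a bad or missing value degrades to `overwrite = 0`. The two-branch permission test can also be written as a single condition that reads as the intended policy, `if request.user.may.write(pagename) and (not overwrite or request.user.may.delete(pagename)):`, which makes it obvious that write is always required and delete is additionally required for overwrite. Since `overwrite` comes straight from the request, a short comment such as `# overwrite replaces an existing attachment, so it needs delete rights in addition to write rights` would record why the extra check exists. The enclosing action handler starts before this hunk.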
@@ -625,7 +632,7 @@
     request.theme.send_footer(pagename)
     request.theme.send_closing_html()
 
-def do_upload(pagename, request):
+def do_upload(pagename, request, overwrite):
     _ = request.getText
 
     # make filename
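Review bot: `do_upload` gains an `overwrite` parameter but no docstring says what it means or that the permission decision now lives with the caller; the delete-rights check that guards overwrite mode is done in the action dispatcher, and `do_upload` itself no longer inspects the form or checks rights, so any other caller passing a truthy `overwrite` would replace a file without that check (I cannot see other callers from this hunk). Add a docstring along the lines of `"""Store the uploaded file as an attachment of pagename. overwrite: truthy to replace an existing attachment; the caller must already have verified write and delete rights for pagename."""`. The body of `do_upload` continues past the end of this hunk.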
@@ -635,12 +642,6 @@
     rename = None
     if 'rename' in request.form:
         rename = request.form['rename'][0].strip()
-    overwrite = 0
-    if 'overwrite' in request.form:
-        try:
-            overwrite = int(request.form['overwrite'][0])
-        except:
-            pass
 
     # if we use twisted, "rename" field is NOT optional, because we
     # can't access the client filename
--- a/docs/CHANGES	Sun Jul 29 20:17:24 2007 +0200
+++ b/docs/CHANGES	Mon Jul 30 18:07:20 2007 +0200
@@ -28,6 +28,12 @@
     and improving it and after having made a backup with some other, proven
     method. USE BOTH ON YOUR OWN RISK!
 
+Version 1.5.current:
+  Bugfixes:
+    * AttachFile overwrite mode (introduced in 1.5.7) did not check delete
+      rights, but only write rights. Now it checks that the user has write AND
+      delete rights before overwriting a file.
+
 Version 1.7.current:
     This is the active development branch. All changes get done here and
     critical stuff gets committed with -m "... (backport needed)" and then