changeset 1334:a4efeab7a10f

Added security check to PageEditor.deletePage.
author Alexander Schremmer <alex AT alexanderweb DOT de>
date Sat, 19 Aug 2006 22:34:33 +0200
parents 13955987ef54
children 2cd1b40ea3e7
files MoinMoin/PageEditor.py MoinMoin/action/DeletePage.py
diffstat 2 files changed, 7 insertions(+), 0 deletions(-) [+]
--- a/MoinMoin/PageEditor.py	Sat Aug 19 21:09:46 2006 +0200
+++ b/MoinMoin/PageEditor.py	Sat Aug 19 22:34:33 2006 +0200
@@ -509,6 +509,11 @@
         """
         _ = self._
         success = True
+        if not (self.request.user.may.write(self.page_name)
+                and self.request.user.may.delete(self.page_name)):
+            msg = _('You are not allowed to delete this page!')
+            raise self.AccessDenied, msg
+
         try:
             # First save a final backup copy of the current page
             # (recreating the page allows access to the backups again)
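Review bot: The new guard turns a permission failure into a raised `self.AccessDenied`, while the surrounding code (`success = True` just above it) reports outcomes through a return value, so the docstring that ends at the `"""` at the top of the hunk should state the new contract: `Raises AccessDenied if the current user lacks write or delete permission on the page.` Callers that only inspect the returned status will now see an exception instead, so each caller should be checked for a matching `except` clause; deletePage's signature and return are outside this hunk, so I cannot confirm that here. The write-and-delete test is the same one DeletePage.is_allowed performs; a shared helper (e.g. `may_delete_page(request, pagename)`) would keep the two from drifting apart.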
--- a/MoinMoin/action/DeletePage.py	Sat Aug 19 21:09:46 2006 +0200
+++ b/MoinMoin/action/DeletePage.py	Sat Aug 19 22:34:33 2006 +0200
@@ -25,6 +25,8 @@
         self.form_trigger_label = _('Delete')
 
     def is_allowed(self):
+        # this is not strictly necessary because the underlying storage code checks
+        # as well
         may = self.request.user.may
         return may.write(self.pagename) and may.delete(self.pagename)
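Review bot: The added comment is imprecise about where the authoritative check lives: this changeset puts it in `PageEditor.deletePage`, not in storage code, and a reader looking for it there would not find it. Suggest `# Defence in depth: PageEditor.deletePage re-checks these ACLs and raises AccessDenied, so this only decides whether the action is offered in the UI.`, which also records why the check must stay even though it is redundant. Keeping the two expressions identical matters; if either condition is ever changed, the other should be too.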