changeset 2832:bda6fe7c015b

respect ACLs when sending <link rel="Appendix" ...> for attachments
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Tue, 11 Sep 2007 19:04:35 +0200
parents 8f21cc746e81
children ea9a38d2ec09
files MoinMoin/theme/__init__.py docs/CHANGES
diffstat 2 files changed, 5 insertions(+), 1 deletions(-)
--- a/MoinMoin/theme/__init__.py	Tue Sep 11 18:16:12 2007 +0200
+++ b/MoinMoin/theme/__init__.py	Tue Sep 11 19:04:35 2007 +0200
@@ -1557,7 +1557,9 @@
         request.write(''.join(output))
         output = []
 
-        if pagename:
+        # XXX maybe this should be removed completely. moin emits all attachments as <link rel="Appendix" ...>
+        # and it is at least questionable if this fits into the original intent of rel="Appendix".
+        if pagename and request.user.may.read(pagename):
             from MoinMoin.action import AttachFile
             AttachFile.send_link_rel(request, pagename)
 
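Review bot: The read check on the changed line `if pagename and request.user.may.read(pagename):` is enforced only at this call site, so `AttachFile.send_link_rel(request, pagename)` itself still emits attachment links for any page name it is given. Consider moving the `request.user.may.read(pagename)` test into `send_link_rel`, so that any other caller gets the same ACL enforcement and the helper cannot disclose attachment names of a page the user may not read. The two-line XXX comment also leaves an open design question (whether to emit rel="Appendix" links at all) in the code; it would be better settled here or tracked outside the source, and the first comment line should be wrapped.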
--- a/docs/CHANGES	Tue Sep 11 18:16:12 2007 +0200
+++ b/docs/CHANGES	Tue Sep 11 19:04:35 2007 +0200
@@ -556,6 +556,8 @@
     * AttachFile overwrite mode (introduced in 1.5.7) did not check delete
       rights, but only write rights. Now it checks that the user has write AND
       delete rights before overwriting a file.
+    * GetVal respects now ACLs on the Dict page
+    * Respect ACLs when sending <link rel="Appendix" ...> for attachments.
     * Fixed potential XSS issues related to feeding of gui editor.
     * Fixed XSS issue in RenamePage/DeletePage action.
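Review bot: The first added entry, "GetVal respects now ACLs on the Dict page", describes a change that is not part of this changeset: the only code file touched is MoinMoin/theme/__init__.py, and the commit message mentions only the rel="Appendix" links. Put that entry in the commit that changed GetVal, or mention it in this commit message, so the changelog can be traced to the code. Minor style: "respects now" should read "now respects", and the two new entries differ in whether they end with a period.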