changeset 2369:ccf996479233

fix a suid bug: force switched-to user valid
author Johannes Berg <johannes AT sipsolutions DOT net>
date Thu, 12 Jul 2007 11:41:35 +0200
parents 5fc0717a060f
children 6d9970321d79
files MoinMoin/request/__init__.py MoinMoin/userprefs/prefs.py MoinMoin/userprefs/suid.py
diffstat 3 files changed, 10 insertions(+), 2 deletions(-) [+]
--- a/MoinMoin/request/__init__.py	Thu Jul 12 11:41:09 2007 +0200
+++ b/MoinMoin/request/__init__.py	Thu Jul 12 11:41:35 2007 +0200
@@ -240,7 +240,9 @@
                 self._setuid_real_user = self.user
                 uid = self.session['setuid']
                 self.user = user.User(self, uid, auth_method='setuid')
-                self.user.disabled = False
+                # set valid to True so superusers can even switch
+                # to disable accounts
+                self.user.valid = True
 
             if self.action != 'xmlrpc':
                 if not self.forbidden and self.isForbidden():
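Review bot: `self.user.valid = True` is applied to whatever uid the session's `setuid` entry names, and nothing in this hunk re-checks that `self._setuid_real_user` is still allowed to impersonate others, so a superuser whose status is revoked mid-session keeps the switched identity until the entry is dropped, and any uid that reaches the session store becomes a valid login whether or not a profile with that id exists. Worth guarding the restore with the same superuser predicate suid.py applies when it writes `session['setuid']` (that check is not visible from here) and dropping the entry when it fails, e.g. `if not self._setuid_real_user.isSuperUser(): del self.session['setuid']` — confirm the predicate name against `user.User`. The comment should also read `# set valid to True so superusers can even switch to disabled accounts`. The enclosing method starts and ends outside the hunk.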
--- a/MoinMoin/userprefs/prefs.py	Thu Jul 12 11:41:09 2007 +0200
+++ b/MoinMoin/userprefs/prefs.py	Thu Jul 12 11:41:35 2007 +0200
@@ -203,6 +203,10 @@
 
         # save data
         theuser.save()
+        if theuser.disabled:
+            # set valid to false so the current request won't
+            # show the user as logged-in any more
+            theuser.valid = False
         self.request.user = theuser
 
         result = _("User preferences saved!")
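Review bot: Setting `theuser.valid = False` after `theuser.save()` only changes this request's in-memory object; nothing in the hunk touches `self.request.session`, so whether the browser stays logged in after the account is disabled depends on the next request's `user.User` load rejecting a `disabled` profile, which I cannot confirm from here. If that loader does not check `disabled`, a session established before the save keeps working and the fix should also clear the login state in the session next to this line. At minimum the comment should state the scope: `# only affects this request; the session is left alone and must reject disabled profiles on reload`. The enclosing method starts and ends outside the hunk.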
--- a/MoinMoin/userprefs/suid.py	Thu Jul 12 11:41:09 2007 +0200
+++ b/MoinMoin/userprefs/suid.py	Thu Jul 12 11:41:35 2007 +0200
@@ -48,7 +48,9 @@
                 self.request._setuid_real_user = None
             else:
                 theuser = user.User(self.request, uid, auth_method='setuid')
-                theuser.disabled = None
+                # set valid to True so superusers can even switch
+                # to disable accounts
+                theuser.valid = True
                 self.request.session['setuid'] = uid
                 self.request._setuid_real_user = self.request.user
                 # now continue as the other user
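Review bot: `theuser.valid = True` is forced before anything in this hunk verifies that `uid` names an existing profile, so if `user.User` reports an unknown id only through `valid` (plausible, given that is the attribute being overridden), the switch proceeds as a phantom user and `session['setuid']` then carries that id into every later request. A check such as `if not theuser.exists():` that rejects the switch and leaves the session untouched, placed before the `valid` assignment, would close that; confirm which predicate `user.User` actually provides. The comment duplicates the one in `request/__init__.py` and carries the same typo, `disabled accounts`. The enclosing function begins outside the hunk, and the authorization for the switch presumably sits above this `else:` rather than in the hunk.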