[Tracker-discuss] [issue267] Make the 'remove' buttons less annoying
Daniel Diniz
metatracker at psf.upfronthosting.co.za
Mon Apr 13 18:55:35 CEST 2009
Daniel Diniz <ajaksu at gmail.com> added the comment:
Martin v. Löwis wrote:
> What's wrong with allowing users to unlink arbitrary files? Anybody who has
> write access to the files property should be allowed to do so.
I thought the write access was about adding new files, while removing
files should be restricted to those the user has created. At least the
UI only renders the 'remove button' according to the permission below:
# Permission check: a file may be edited (removed) only by its creator
def may_edit_file(db, userid, itemid):
    return userid == db.file.get(itemid, "creator")
p = db.security.addPermission(name='Edit', klass='file', check=may_edit_file,
                              description="User is allowed to remove their own files")
db.security.addPermissionToRole('User', p)
However, it's possible to perform the Edit action on any files even if
the remove button isn't shown:
http://localhost:9999/python-dev/issue2169?@action=edit&@remove@files=29
IMO this makes it easier to disrupt tracker work, besides making it
trivial to replace valid files/patches with exploit-ish ones.
_______________________________________________________
PSF Meta Tracker <metatracker at psf.upfronthosting.co.za>
<http://psf.upfronthosting.co.za/roundup/meta/issue267>
_______________________________________________________
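To make the gap Daniel describes concrete, here is an added example: a small constructed model of a tracker whose UI hides the 'remove' button per file while the edit action only checks property-level write access, beside a handler that enforces the per-file check server-side. This is illustrative code written for this page, not Roundup's own implementation; the class and method names (`Tracker`, `edit_action_unchecked`, `edit_action_checked`, `render_remove_buttons`) and the sample users and files are assumptions.

```python
# Added example (not Roundup's code): models the authorization gap where the
# 'remove' button is gated per file but the edit action is not.
from dataclasses import dataclass


@dataclass
class FileRec:
    id: int
    creator: str
    name: str


class Tracker:
    """Constructed stand-in for the tracker database plus security layer."""

    def __init__(self):
        self.files = {}          # file id -> FileRec
        self.issue_files = {}    # issue id -> list of linked file ids
        # Constructed role table (assumption): two ordinary users, one admin.
        self.roles = {"alice": "User", "bob": "User", "admin": "Admin"}

    def add_file(self, issue_id, creator, name):
        fid = len(self.files) + 1
        self.files[fid] = FileRec(fid, creator, name)
        self.issue_files.setdefault(issue_id, []).append(fid)
        return fid

    # Mirrors the may_edit_file check quoted in the post: creator only.
    def may_edit_file(self, userid, fileid):
        return userid == self.files[fileid].creator

    # Property-level check: any User/Admin may write the issue's 'files' property.
    def may_write_files_property(self, userid):
        return self.roles.get(userid) in ("User", "Admin")

    def render_remove_buttons(self, userid, issue_id):
        """UI layer: lists the files for which a 'remove' button is rendered.
        Hiding the button is not enforcement; it only shapes the page."""
        return [fid for fid in self.issue_files.get(issue_id, [])
                if self.roles.get(userid) == "Admin"
                or self.may_edit_file(userid, fid)]

    def edit_action_unchecked(self, userid, issue_id, remove_file):
        """Vulnerable handler, like @action=edit&@remove@files=N in the post:
        it checks write access to the property but never asks may_edit_file,
        so any User can unlink any file by crafting the request."""
        if not self.may_write_files_property(userid):
            raise PermissionError("no write access to 'files'")
        self.issue_files[issue_id].remove(remove_file)
        return True

    def edit_action_checked(self, userid, issue_id, remove_file):
        """Hardened handler: the per-item check the UI uses for rendering is
        re-applied server-side before the unlink actually happens."""
        if not self.may_write_files_property(userid):
            raise PermissionError("no write access to 'files'")
        if remove_file not in self.issue_files.get(issue_id, []):
            raise ValueError("file is not linked to this issue")
        if self.roles.get(userid) != "Admin" and not self.may_edit_file(userid, remove_file):
            raise PermissionError("users may only remove their own files")
        self.issue_files[issue_id].remove(remove_file)
        return True


def demo():
    """Runs both handlers against a constructed issue and reports the outcome."""
    t = Tracker()
    fid = t.add_file(2169, "alice", "fix.patch")   # constructed sample file
    results = {"bob_sees_button": fid in t.render_remove_buttons("bob", 2169)}
    try:
        t.edit_action_checked("bob", 2169, fid)
        results["checked_allowed_bob"] = True
    except PermissionError:
        results["checked_allowed_bob"] = False
    results["file_still_linked_after_checked"] = fid in t.issue_files[2169]
    t.edit_action_unchecked("bob", 2169, fid)       # succeeds despite no button
    results["file_still_linked_after_unchecked"] = fid in t.issue_files[2169]
    return results


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that `render_remove_buttons` and `edit_action_unchecked` consult different predicates: the template asks "is this user the creator?" while the action only asks "may this role write the property?". Any authorization decision that exists only in the template can be bypassed by sending the request directly, so the action handler has to repeat the per-item check, as `edit_action_checked` does.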