# HG changeset patch
# User Sylvain Thénault <sylvain.thenault@logilab.fr>
# Date 1280214840 -7200
# Node ID 0eabedcfb0a98621a00d563a968a0369cbea108b
# Parent  a5e22657f6f44d31582431ea8718c3767dc5c155
[security] do not show sessions information to non managers users. Close security ticket #38246

diff -r a5e22657f6f4 -r 0eabedcfb0a9 web/views/debug.py
--- a/web/views/debug.py	Mon Jul 26 15:04:47 2010 +0200
+++ b/web/views/debug.py	Tue Jul 27 09:14:00 2010 +0200
@@ -89,7 +89,7 @@
                    % (element, xml_escape(unicode(stats[element])),
                       element.endswith('percent') and '%' or '' ))
         w(u'</table>')
-        if req.cnx._cnxtype == 'inmemory':
+        if req.cnx._cnxtype == 'inmemory' and req.user.is_in_group('managers'):
             w(u'<h3>%s</h3>' % _('opened sessions'))
             sessions = repo._sessions.values()
             if sessions:
@@ -112,21 +112,22 @@
         w(u'<tr><th align="left">%s</th><td>%s</td></tr>' % (
             _('data directory url'), req.datadir_url))
         w(u'</table>')
-        from cubicweb.web.application import SESSION_MANAGER
-        sessions = SESSION_MANAGER.current_sessions()
-        w(u'<h3>%s</h3>' % _('opened web sessions'))
-        if sessions:
-            w(u'<ul>')
-            for session in sessions:
-                w(u'<li>%s (%s: %s)<br/>' % (
-                    session.sessionid,
-                    _('last usage'),
-                    strftime(dtformat, localtime(session.last_usage_time))))
-                dict_to_html(w, session.data)
-                w(u'</li>')
-            w(u'</ul>')
-        else:
-            w(u'<p>%s</p>' % _('no web sessions found'))
+        if req.user.is_in_group('managers'):
+            from cubicweb.web.application import SESSION_MANAGER
+            sessions = SESSION_MANAGER.current_sessions()
+            w(u'<h3>%s</h3>' % _('opened web sessions'))
+            if sessions:
+                w(u'<ul>')
+                for session in sessions:
+                    w(u'<li>%s (%s: %s)<br/>' % (
+                        session.sessionid,
+                        _('last usage'),
+                        strftime(dtformat, localtime(session.last_usage_time))))
+                    dict_to_html(w, session.data)
+                    w(u'</li>')
+                w(u'</ul>')
+            else:
+                w(u'<p>%s</p>' % _('no web sessions found'))