cubicweb security #36257: les urls /add/EntityName sont accessibles en anonyme stable
authorSylvain Thénault <sylvain.thenault@logilab.fr>
Fri, 18 Dec 2009 15:59:19 +0100
branchstable
changeset 4148 748454627176
parent 4134 40624a708dd4
child 4174 860f622a31aa
child 4176 42247d70105b
child 4181 c79135c217df
cubicweb security #36257: les urls /add/EntityName sont accessibles en anonyme
selectors.py
--- a/selectors.py	Fri Dec 18 13:28:20 2009 +0100
+++ b/selectors.py	Fri Dec 18 15:59:19 2009 +0100
@@ -621,7 +621,12 @@
                     req.form['etype'] = etype
                 except KeyError:
                     return 0
-        return self.score_class(cls.vreg['etypes'].etype_class(etype), req)
+        score = self.score_class(cls.vreg['etypes'].etype_class(etype), req)
+        if score:
+            eschema = req.vreg.schema.eschema(etype)
+            if eschema.has_local_role('add') or eschema.has_perm(req, 'add'):
+                return score
+        return 0
 
 
 class entity_implements(ImplementsMixIn, EntitySelector):
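Review bot: The permission test on the two new `if` lines deserves a comment, because `has_local_role('add')` accepts an etype whose add permission can only be decided once an entity instance exists, and without an explanation a reader may mistake that branch for a hole in the fix; something like `# 'add' may be granted by a local role that can only be checked against the created entity: let such etypes through and rely on the later entity-level check, reject only etypes the user can never add` on the line before the check. The same lines read the schema through `req.vreg` while the line just above uses `cls.vreg['etypes']`; presumably both name the same registry, but `cls.vreg.schema.eschema(etype)` would keep the method consistent. The enclosing method's definition begins before the hunk, so the earlier branches that set `etype` are not visible here.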