[Pypi-checkins] r829 - trunk/pypi
georg.brandl
python-checkins at python.org
Mon Jul 26 17:48:41 CEST 2010
Author: georg.brandl
Date: Mon Jul 26 17:48:41 2010
New Revision: 829
Modified:
trunk/pypi/webui.py
Log:
Check for sufficient user rights on role form submit.
Modified: trunk/pypi/webui.py
==============================================================================
--- trunk/pypi/webui.py (original)
+++ trunk/pypi/webui.py Mon Jul 26 17:48:41 2010
@@ -935,6 +935,11 @@
user_name = self.form['user_name']
role_name = self.form['role_name']
+ # make sure only admins and owners can add roles
+ if not (self.store.has_role('Admin', package_name) or
+ self.store.has_role('Owner', package_name)):
+ raise Unauthorised
+
# further vali:dation
if role_name not in ('Owner', 'Maintainer'):
raise FormError, 'role_name not Owner or Maintainer'
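Review bot: the added has_role check depends on package_name, which is not assigned anywhere in the visible context; only user_name and role_name are read from self.form here. Please confirm that package_name is always set before this point and is the same package the role change is later applied to, so the rights check cannot be made against one package and the change against another. Placing the check ahead of the role_name validation is good, since an unauthorised caller gets Unauthorised before any FormError feedback. The comment says "add roles"; if this handler also processes role removal it should say so. It would also help to note that an Owner may grant Owner, since the check admits Owner and the validation below accepts 'Owner' as role_name.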