Changeset 2431 for WAeUP_SRP/base

Timestamp:

25 Oct 2007, 13:17:45 (17 years ago)

Author:

Henrik Bettermann

Message:

close security holes

Location:

WAeUP_SRP/base/skins

Files:

• waeup_statistics/getNewStudentStatistics.py (modified) (6 diffs)
• waeup_statistics/getRetStudentStatistics.py (modified) (1 diff)
• waeup_statistics/getSimpleStudentStatistics.py (modified) (1 diff)
• waeup_student/search_students.py (modified) (1 diff)

WAeUP_SRP/base/skins/waeup_statistics/getNewStudentStatistics.py

@@ -18 +18 @@
 logger.info('%s invoked statistics' % context.portal_membership.getAuthenticatedMember())
 if not context.isStaff():
-    return 'Not allowed'
+    return
 
 entry_sessions = ('-1','06','6')
 
-# students with entry_session None (-1) are interprteted as new AND returning students if they are 
+# students with entry_session None (-1) are interprteted as new AND returning students if they are
 # in either of the last three states
 
@@ -65 +65 @@
     else:
         dict[statepercent] = 0
-        
+
     # part_time
     res_pt = context.students_catalog(entry_session = entry_sessions, review_state = state,  mode = part_time)
@@ -74 +74 @@
         dict[statepercent] = "%.0f" % round(dict[state_pt]*100.0/dict['total_pt'])
     else:
-        dict[statepercent] = 0        
-        
+        dict[statepercent] = 0
+
 l.append(dict)
 
@@ -86 +86 @@
     dict['total_ft'] = len(res_ft)
     res_pt = context.students_catalog(entry_session = entry_sessions, faculty = f.getId, mode = part_time)
-    dict['total_pt'] = len(res_pt)    
+    dict['total_pt'] = len(res_pt)
     for state in new_states:
         # full_time
@@ -97 +97 @@
         else:
             dict[statepercent] = 0
-            
+
         # part_time
         res_pt = context.students_catalog(entry_session = entry_sessions, faculty = f.getId, review_state = state, mode = part_time)
@@ -106 +106 @@
             dict[statepercent] = "%.0f" % round(dict[state_pt]*100.0/dict['total_pt'])
         else:
-            dict[statepercent] = 0            
-            
+            dict[statepercent] = 0
+
     l.append(dict)
 

WAeUP_SRP/base/skins/waeup_statistics/getRetStudentStatistics.py

@@ -18 +18 @@
 logger.info('%s invoked statistics' % context.portal_membership.getAuthenticatedMember())
 if not context.isStaff():
-    return 'Not allowed'
+    return
 
 entry_sessions = ('-1','94','95','96','97','98','99','00','01','02','03','04','05','0','1','2','3','4','5')

WAeUP_SRP/base/skins/waeup_statistics/getSimpleStudentStatistics.py

@@ -18 +18 @@
 logger.info('%s invoked statistics' % context.portal_membership.getAuthenticatedMember())
 if not context.isStaff():
-    return 'Not allowed'
+    return
 
 #entry_sessions = ('-1','94','95','96','97','98','99','00','01','02','03','04','05','0','1','2','3','4','5')

WAeUP_SRP/base/skins/waeup_student/search_students.py

@@ -29 +29 @@
 
 allowed = True
-if is_anon:
+if is_anon or context.isStudent():
     allowed = False
 from Products.AdvancedQuery import Eq, Between, Le,In