2
# User Thomas Waldmann <tw AT waldmann-edv DOT de>
3
# Date Mon Apr 02 23:05:14 2007 +0200
4
# Node ID 0e41a0429ee13f5bba8bca418bc5898df91c91f7
5
# parent: 5e758e78e32797bb9625bb210572881ac3841f23
6
MonthCalendar: ACL security fix
8
--- a/MoinMoin/macro/MonthCalendar.py Sun Mar 18 23:14:08 2007 +0100
9
+++ b/MoinMoin/macro/MonthCalendar.py Mon Apr 02 23:05:14 2007 +0200
10
@@ -389,7 +389,7 @@ def execute(macro, text):
12
link = "%s/%4d-%02d-%02d" % (page, year, month, day)
13
daypage = Page(request, link)
14
- if daypage.exists():
15
+ if daypage.exists() and request.user.may.read(link):
16
csslink = "cal-usedday"
18
r, g, b, u = (255, 0, 0, 1)
19
--- a/docs/CHANGES Sun Mar 18 23:14:08 2007 +0100
20
+++ b/docs/CHANGES Mon Apr 02 23:05:14 2007 +0200
21
@@ -37,6 +37,7 @@ Version 1.5.current:
22
does when clicking on those links.
25
+ * ACL security fix: MonthCalendar respects ACLs of day pages now
26
* Symbolic entities with numbers (like ²) did not work, fixed.
27
* Correct encoding/decoding for surge-log data, fixes leftover
28
surge-logXXXXXXX.tmp files in data/cache/surgeprotect.