Mercurial > p > roundup > code
annotate roundup/actions.py @ 5222:9bf221cebef3
Make properties method return only properties the user can search.
See:
https://sourceforge.net/p/roundup/mailman/roundup-devel/thread/20170405002844.2004B80690%40vm71.cs.umb.edu/#msg35769250
[Roundup-devel] Bug in context/properties, lists properties user can't search.
The HTMLClass::properties() method returns a list of all
properties. This is used when creating sort on/group by filters on
index pages.
However somewhere in the code, a user needs search permission on the
property in order for it to be used for grouping or sorting.
This means the user can choose to sort/group an index page by a
property that they have no search permission for. As a result the
sort/group is ignored. This is confusing.
I have changed the properties method to only return properties the
user has View/Search permissions on. I also added a new cansearch
argument set by default to True. If set to False, all properties
regardless of Search permission are returned.
Doc updated to include the new default operation and mention the use
of cansearch argument.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Wed, 05 Apr 2017 21:38:32 -0400 |
| parents | a7541077cf12 |
| children | ed02a1e0aa5d |
| rev | line source |
|---|---|
| 4083 | 1 # |
| 2 # Copyright (C) 2009 Stefan Seefeld | |
| 3 # All rights reserved. | |
| 4 # For license terms see the file COPYING.txt. | |
| 5 # | |
| 6 | |
|
5071
a7541077cf12
Remove 'import *' statement from actions.py
John Kristensen <john@jerrykan.com>
parents:
4357
diff
changeset
|
7 from roundup.exceptions import Unauthorised |
| 4083 | 8 from roundup import hyperdb |
| 9 from roundup.i18n import _ | |
| 10 | |
| 11 class Action: | |
| 12 def __init__(self, db, translator): | |
| 13 self.db = db | |
| 14 self.translator = translator | |
| 15 | |
| 16 def handle(self, *args): | |
| 17 """Action handler procedure""" | |
| 18 raise NotImplementedError | |
| 19 | |
| 20 def execute(self, *args): | |
| 21 """Execute the action specified by this object.""" | |
| 22 | |
| 23 self.permission(*args) | |
| 24 return self.handle(*args) | |
| 25 | |
| 26 | |
| 27 def permission(self, *args): | |
| 28 """Check whether the user has permission to execute this action. | |
| 29 | |
| 30 If not, raise Unauthorised.""" | |
| 31 | |
| 32 pass | |
| 33 | |
| 34 | |
| 35 def gettext(self, msgid): | |
| 36 """Return the localized translation of msgid""" | |
| 37 return self.translator.gettext(msgid) | |
| 38 | |
| 39 | |
| 40 _ = gettext | |
| 41 | |
| 42 | |
| 43 class Retire(Action): | |
| 44 | |
| 45 def handle(self, designator): | |
| 46 | |
| 47 classname, itemid = hyperdb.splitDesignator(designator) | |
| 48 | |
| 49 # make sure we don't try to retire admin or anonymous | |
| 50 if (classname == 'user' and | |
| 51 self.db.user.get(itemid, 'username') in ('admin', 'anonymous')): | |
|
4357
13b3155869e0
Beginnings of a big code cleanup / modernisation to make 2to3 happy
Richard Jones <richard@users.sourceforge.net>
parents:
4125
diff
changeset
|
52 raise ValueError(self._( |
|
13b3155869e0
Beginnings of a big code cleanup / modernisation to make 2to3 happy
Richard Jones <richard@users.sourceforge.net>
parents:
4125
diff
changeset
|
53 'You may not retire the admin or anonymous user')) |
| 4083 | 54 |
| 55 # do the retire | |
| 56 self.db.getclass(classname).retire(itemid) | |
| 57 self.db.commit() | |
| 58 | |
| 59 | |
| 60 def permission(self, designator): | |
| 61 | |
| 62 classname, itemid = hyperdb.splitDesignator(designator) | |
| 63 | |
| 64 if not self.db.security.hasPermission('Edit', self.db.getuid(), | |
| 65 classname=classname, itemid=itemid): | |
| 66 raise Unauthorised(self._('You do not have permission to ' | |
| 4125 | 67 'retire the %(classname)s class.')%classname) |
| 4083 | 68 |