comparison roundup/cgi/client.py @ 2870:795cdba40c05
enforce View Permission when serving file content [SF#1050470]
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Fri, 05 Nov 2004 04:55:52 +0000 |
| parents | 930e780c751f |
| children | 0998d1b48182 |
comparison
| 2869:908c27314abf | 2870:795cdba40c05 |
|---|---|
| 1 # $Id: client.py,v 1.195 2004-11-03 09:49:14 a1s Exp $ | 1 # $Id: client.py,v 1.196 2004-11-05 04:55:52 richard Exp $ |
| 2 | 2 |
| 3 """WWW request handler (also used in the stand-alone server). | 3 """WWW request handler (also used in the stand-alone server). |
| 4 """ | 4 """ |
| 5 __docformat__ = 'restructuredtext' | 5 __docformat__ = 'restructuredtext' |
| 6 | 6 |
| 529 if not props.has_key('type'): | 529 if not props.has_key('type'): |
| 530 raise NotFound, designator | 530 raise NotFound, designator |
| 531 if not props.has_key('content'): | 531 if not props.has_key('content'): |
| 532 raise NotFound, designator | 532 raise NotFound, designator |
| 533 | 533 |
| 534 # make sure we have permission | |
| 535 if not self.db.security.hasPermission('View', self.userid, | |
| 536 classname, 'content', nodeid): | |
| 537 raise Unauthorised, self._("You are not allowed to view " | |
| 538 "this file.") | |
| 539 | |
| 534 mime_type = klass.get(nodeid, 'type') | 540 mime_type = klass.get(nodeid, 'type') |
| 535 content = klass.get(nodeid, 'content') | 541 content = klass.get(nodeid, 'content') |
| 536 lmt = klass.get(nodeid, 'activity').timestamp() | 542 lmt = klass.get(nodeid, 'activity').timestamp() |
| 537 | 543 |
| 538 self._serve_file(lmt, mime_type, content) | 544 self._serve_file(lmt, mime_type, content) |
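Review bot: The new check at 534-538 gates only the 'content' property, and it runs before anything in this hunk confirms that nodeid exists; the reads of 'type' and 'activity' that follow are not checked separately. Please confirm that a request for a missing node still ends in NotFound rather than Unauthorised or an exception raised from inside the permission check, so the response does not differ in a way that reveals which file ids exist. A short comment stating that View on 'content' is the intended gate for the whole response (including the lmt value derived from 'activity') would make the intent explicit. A regression test that requests a file as a user without View permission and expects Unauthorised would pin the behaviour down.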
