comparison roundup/cgi/actions.py @ 3013:80ecc86dc45d maint-0.8
merge from HEAD
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Wed, 15 Dec 2004 00:07:58 +0000 |
| parents | 3dca84b1a8f5 |
| children | 326ad9da0b75 |
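--- a/roundup/cgi/actions.py
+++ b/roundup/cgi/actions.py
@@ -1,6 +1,6 @@
-#$Id: actions.py,v 1.40 2004-11-23 22:45:13 richard Exp $
+#$Id: actions.py,v 1.40.2.1 2004-12-15 00:03:36 richard Exp $
 
 import re, cgi, StringIO, urllib, Cookie, time, random
 
 from roundup import hyperdb, token, date, password, rcsv
 from roundup.i18n import _
@@ -57,16 +57,16 @@
             raise exceptions.Unauthorised, self._(
                 'You do not have permission to '
                 '%(action)s the %(classname)s class.')%info
 
     _marker = []
-    def hasPermission(self, permission, classname=_marker):
+    def hasPermission(self, permission, classname=_marker, itemid=None):
         """Check whether the user has 'permission' on the current class."""
         if classname is self._marker:
             classname = self.client.classname
         return self.db.security.hasPermission(permission, self.client.userid,
-            classname)
+            classname=classname, itemid=itemid)
 
     def gettext(self, msgid):
         """Return the localized translation of msgid"""
         return self.client.translator.gettext(msgid)
 
@@ -156,13 +156,20 @@
         key = self.db.query.getkey()
         if key:
             # edit the old way, only one query per name
             try:
                 qid = self.db.query.lookup(queryname)
+                if not self.hasPermission('Edit', self.classname,
+                        itemid=qid):
+                    raise exceptions.Unauthorised, self._(
+                        "You do not have permission to edit queries")
                 self.db.query.set(qid, klass=self.classname, url=url)
             except KeyError:
                 # create a query
+                if not self.hasPermission('Create', self.classname):
+                    raise exceptions.Unauthorised, self._(
+                        "You do not have permission to store queries")
                 qid = self.db.query.create(name=queryname,
                     klass=self.classname, url=url)
         else:
             # edit the new way, query name not a key any more
             # see if we match an existing private query
@@ -178,13 +185,20 @@
             if qids:
                 # edit query - make sure we get an exact match on the name
                 for qid in qids:
                     if queryname != self.db.query.get(qid, 'name'):
                         continue
+                    if not self.hasPermission('Edit', self.classname,
+                            itemid=qid):
+                        raise exceptions.Unauthorised, self._(
+                            "You do not have permission to edit queries")
                     self.db.query.set(qid, klass=self.classname, url=url)
             else:
                 # create a query
+                if not self.hasPermission('Create', self.classname):
+                    raise exceptions.Unauthorised, self._(
+                        "You do not have permission to store queries")
                 qid = self.db.query.create(name=queryname,
                     klass=self.classname, url=url, private_for=uid)
 
             # and add it to the user's query multilink
             queries = self.db.user.get(self.userid, 'queries')
@@ -466,11 +480,11 @@
         if props.has_key('roles') and not self.hasPermission('Web Roles'):
             raise exceptions.Unauthorised, self._(
                 "You do not have permission to edit user roles")
         if self.isEditingSelf():
             return 1
-        if self.hasPermission('Edit'):
+        if self.hasPermission('Edit', itemid=self.nodeid):
             return 1
         return 0
 
     def newItemPermission(self, props):
         """Determine whether the user has permission to create this item.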
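Review bot: The new checks at new lines 161 and 190 pass self.classname as the class for an Edit permission whose itemid is qid, but qid comes from self.db.query.lookup() / qids and the same block stores the query with `klass=self.classname`, so self.classname appears to be the searched class rather than the class the query item belongs to; the Create checks at new lines 168 and 197 have the same mismatch, and the error text ("edit queries" / "store queries") suggests the query class was intended. If that reading is right, the checks should read `if not self.hasPermission('Edit', 'query', itemid=qid):` and `if not self.hasPermission('Create', 'query'):`, otherwise a user holding Edit on the searched class but not on query items passes, and one without it is wrongly refused. The enclosing method starts before the hunk, so the role of self.classname is inferred from the visible lines only. Separately, hasPermission's docstring at line 63 is unchanged and does not mention the new itemid argument; a one-line update such as `"""Check whether the user has 'permission' on the current class, or on item 'itemid' of it when given."""` would cover it.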
