Mercurial > p > roundup > code
comparison roundup/cgi/templating.py @ 3126:a2889d22db4a
the cgi templating code now checks item-level
permissions (per alex's suggestion).
The templates themselves do not have row-level checks now.
Cleaned up the msg and file index templates to use batching.
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Fri, 04 Feb 2005 05:25:50 +0000 |
| parents | 460eb0209a9e |
| children | 021b131bd816 |
comparison
equal
deleted
inserted
replaced
| 3123:5894c7bea8ce | 3126:a2889d22db4a |
|---|---|
| 556 def list(self, sort_on=None): | 556 def list(self, sort_on=None): |
| 557 ''' List all items in this class. | 557 ''' List all items in this class. |
| 558 ''' | 558 ''' |
| 559 # get the list and sort it nicely | 559 # get the list and sort it nicely |
| 560 l = self._klass.list() | 560 l = self._klass.list() |
| 561 sortfunc = make_sort_function(self._db, self.classname, sort_on) | 561 sortfunc = make_sort_function(self._db, self._classname, sort_on) |
| 562 l.sort(sortfunc) | 562 l.sort(sortfunc) |
| 563 | 563 |
| 564 l = [HTMLItem(self._client, self.classname, x) for x in l] | 564 # check perms |
| 565 check = self._client.db.security.hasPermission | |
| 566 userid = self._client.userid | |
| 567 | |
| 568 l = [HTMLItem(self._client, self._classname, id) for id in l | |
| 569 if check('View', userid, self._classname, itemid=id)] | |
| 570 | |
| 565 return l | 571 return l |
| 566 | 572 |
| 567 def csv(self): | 573 def csv(self): |
| 568 ''' Return the items of this class as a chunk of CSV text. | 574 ''' Return the items of this class as a chunk of CSV text. |
| 569 ''' | 575 ''' |
| 603 ''' | 609 ''' |
| 604 if request is not None: | 610 if request is not None: |
| 605 filterspec = request.filterspec | 611 filterspec = request.filterspec |
| 606 sort = request.sort | 612 sort = request.sort |
| 607 group = request.group | 613 group = request.group |
| 614 | |
| 615 check = self._db.security.hasPermission | |
| 616 userid = self._client.userid | |
| 617 | |
| 608 l = [HTMLItem(self._client, self.classname, x) | 618 l = [HTMLItem(self._client, self.classname, x) |
| 609 for x in self._klass.filter(None, filterspec, sort, group)] | 619 for id in self._klass.filter(None, filterspec, sort, group) |
| 620 if check('View', userid, self.classname, itemid=id)] | |
| 610 return l | 621 return l |
| 611 | 622 |
| 612 def classhelp(self, properties=None, label=''"(list)", width='500', | 623 def classhelp(self, properties=None, label=''"(list)", width='500', |
| 613 height='400', property='', form='itemSynopsis'): | 624 height='400', property='', form='itemSynopsis'): |
| 614 '''Pop up a javascript window with class help | 625 '''Pop up a javascript window with class help |
| 1641 l.append('<option %svalue="%s">%s</option>'%(s, optionid, lab)) | 1652 l.append('<option %svalue="%s">%s</option>'%(s, optionid, lab)) |
| 1642 l.append('</select>') | 1653 l.append('</select>') |
| 1643 return '\n'.join(l) | 1654 return '\n'.join(l) |
| 1644 # def checklist(self, ...) | 1655 # def checklist(self, ...) |
| 1645 | 1656 |
| 1657 class MultilinkIterator: | |
| 1658 def __init__(self, classname, client, values): | |
| 1659 self.classname = classname | |
| 1660 self.client = client | |
| 1661 self.values = values | |
| 1662 self.id = -1 | |
| 1663 self.cl = self.client.db.getclass(self.classname) | |
| 1664 def next(self): | |
| 1665 '''Return the next item, but skip inaccessible items.''' | |
| 1666 check = self.client.db.security.hasPermission | |
| 1667 userid = self.client.userid | |
| 1668 while 1: | |
| 1669 self.id += 1 | |
| 1670 if self.id >= len(self.values): | |
| 1671 raise StopIteration | |
| 1672 value = self.values[self.id] | |
| 1673 if check('View', userid, self.classname, itemid=value): | |
| 1674 return HTMLItem(self.client, self.classname, value) | |
| 1675 def __iter__(self): | |
| 1676 return self | |
| 1677 | |
| 1678 | |
| 1646 class MultilinkHTMLProperty(HTMLProperty): | 1679 class MultilinkHTMLProperty(HTMLProperty): |
| 1647 ''' Multilink HTMLProperty | 1680 ''' Multilink HTMLProperty |
| 1648 | 1681 |
| 1649 Also be iterable, returning a wrapper object like the Link case for | 1682 Also be iterable, returning a wrapper object like the Link case for |
| 1650 each entry in the multilink. | 1683 each entry in the multilink. |
| 1663 | 1696 |
| 1664 def __getattr__(self, attr): | 1697 def __getattr__(self, attr): |
| 1665 ''' no extended attribute accesses make sense here ''' | 1698 ''' no extended attribute accesses make sense here ''' |
| 1666 raise AttributeError, attr | 1699 raise AttributeError, attr |
| 1667 | 1700 |
| 1668 def __getitem__(self, num): | 1701 def __iter__(self): |
| 1669 ''' iterate and return a new HTMLItem | 1702 ''' iterate and return a new HTMLItem |
| 1670 ''' | 1703 ''' |
| 1671 #print 'Multi.getitem', (self, num) | 1704 return MultilinkIterator(self._prop.classname, self._client, |
| 1672 value = self._value[num] | 1705 self._value) |
| 1673 return HTMLItem(self._client, self._prop.classname, value) | 1706 |
| 1707 def reverse(self): | |
| 1708 ''' return the list in reverse order | |
| 1709 ''' | |
| 1710 l = self._value[:] | |
| 1711 l.reverse() | |
| 1712 return MultilinkIterator(self._prop.classname, self._client, l) | |
| 1674 | 1713 |
| 1675 def sorted(self, property): | 1714 def sorted(self, property): |
| 1676 ''' Return this multilink sorted by the given property ''' | 1715 ''' Return this multilink sorted by the given property ''' |
| 1677 value = list(self._value[num]) | 1716 value = list(self.__iter__()) |
| 1678 value.sort(lambda a,b:cmp(a[property], b[property])) | 1717 value.sort(lambda a,b:cmp(a[property], b[property])) |
| 1679 return value | 1718 return value |
| 1680 | 1719 |
| 1681 def __contains__(self, value): | 1720 def __contains__(self, value): |
| 1682 ''' Support the "in" operator. We have to make sure the passed-in | 1721 ''' Support the "in" operator. We have to make sure the passed-in |
| 1685 return str(value) in self._value | 1724 return str(value) in self._value |
| 1686 | 1725 |
| 1687 def isset(self): | 1726 def isset(self): |
| 1688 '''Is my _value not []?''' | 1727 '''Is my _value not []?''' |
| 1689 return self._value != [] | 1728 return self._value != [] |
| 1690 | |
| 1691 def reverse(self): | |
| 1692 ''' return the list in reverse order | |
| 1693 ''' | |
| 1694 l = self._value[:] | |
| 1695 l.reverse() | |
| 1696 return [HTMLItem(self._client, self._prop.classname, value) | |
| 1697 for value in l] | |
| 1698 | 1729 |
| 1699 def plain(self, escape=0): | 1730 def plain(self, escape=0): |
| 1700 ''' Render a "plain" representation of the property | 1731 ''' Render a "plain" representation of the property |
| 1701 ''' | 1732 ''' |
| 1702 if not self.is_view_ok(): | 1733 if not self.is_view_ok(): |
| 2136 if self.search_text: | 2167 if self.search_text: |
| 2137 matches = self.client.db.indexer.search( | 2168 matches = self.client.db.indexer.search( |
| 2138 re.findall(r'\b\w{2,25}\b', self.search_text), klass) | 2169 re.findall(r'\b\w{2,25}\b', self.search_text), klass) |
| 2139 else: | 2170 else: |
| 2140 matches = None | 2171 matches = None |
| 2141 l = klass.filter(matches, filterspec, sort, group) | 2172 |
| 2173 # filter for visibility | |
| 2174 check = self._client.db.security.hasPermission | |
| 2175 userid = self._client.userid | |
| 2176 l = [id for id in klass.filter(matches, filterspec, sort, group) | |
| 2177 if check('View', userid, self.classname, itemid=id)] | |
| 2142 | 2178 |
| 2143 # return the batch object, using IDs only | 2179 # return the batch object, using IDs only |
| 2144 return Batch(self.client, l, self.pagesize, self.startwith, | 2180 return Batch(self.client, l, self.pagesize, self.startwith, |
| 2145 classname=self.classname) | 2181 classname=self.classname) |
| 2146 | 2182 |