comparison roundup/cgi/templating.py @ 2002:b046b65e51db
if you're going to enforce class-level permissions...
...then enforce them at the class level
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Wed, 11 Feb 2004 00:22:20 +0000 |
| parents | 75437090134e |
| children | fc52d57c6c3e |
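--- a/roundup/cgi/templating.py
+++ b/roundup/cgi/templating.py
@@ -872,11 +872,11 @@
 
 def is_view_ok(self):
 ''' Is the user allowed to View the current class?
 Also check whether this is the current user's info.
 '''
-return self._db.security.hasPermission('Edit', self._client.userid,
+return self._db.security.hasPermission('View', self._client.userid,
 self._classname) or (self._nodeid == self._client.userid and
 self._db.user.get(self._client.userid, 'username') != 'anonymous')
 
 class HTMLProperty(HTMLInputMixin, HTMLPermissions):
 ''' String, Number, Date, Interval HTMLProperty
@@ -912,10 +912,30 @@
 return self.plain()
 def __cmp__(self, other):
 if isinstance(other, HTMLProperty):
 return cmp(self._value, other._value)
 return cmp(self._value, other)
+
+def is_edit_ok(self):
+''' Is the user allowed to Edit the current class?
+'''
+thing = HTMLDatabase(self._client)[self._classname]
+if self._nodeid:
+# this is a special-case for the User class where permission's
+# on a per-item basis :(
+thing = thing.getItem(self._nodeid)
+return thing.is_edit_ok()
+
+def is_view_ok(self):
+''' Is the user allowed to View the current class?
+'''
+thing = HTMLDatabase(self._client)[self._classname]
+if self._nodeid:
+# this is a special-case for the User class where permission's
+# on a per-item basis :(
+thing = thing.getItem(self._nodeid)
+return thing.is_view_ok()
 
 class StringHTMLProperty(HTMLProperty):
 hyper_re = re.compile(r'((?P<url>\w{3,6}://\S+)|'
 r'(?P<email>[-+=%/\w\.]+@[\w\.\-]+)|'
 r'(?P<item>(?P<class>[a-z_]+)(?P<id>\d+)))')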
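Review bot: The `or (...)` fallback kept in the first is_view_ok grants access when `self._nodeid == self._client.userid` without checking that `self._classname` is the user class, and the new HTMLProperty.is_edit_ok/is_view_ok switch to the item-level check for any class whenever `_nodeid` is set, even though their comment calls it a User-class special case. The class that owns the first is_view_ok starts outside the hunk, so this is inferred, but if it is a generic item wrapper then a logged-in user whose id happens to equal an item's id in another class would pass the View check without holding View permission on that class. Consider tying both places to the user class, e.g. `self._classname == 'user' and self._nodeid == self._client.userid` in the fallback and `if self._nodeid and self._classname == 'user':` in the two new methods. The two new methods are also identical apart from the final call and could share one private helper that returns `thing`.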
