Mercurial > p > roundup > code
comparison roundup/cgi/actions.py @ 4030:b140d76c1cc8
fix issue2550502
| author | Stefan Seefeld <stefan@seefeld.name> |
|---|---|
| date | Thu, 12 Feb 2009 05:05:12 +0000 |
| parents | 0112e9e1d068 |
| children | 0b89c94a2387 |
comparison
equal
deleted
inserted
replaced
| 4027:39ad32d47cfb | 4030:b140d76c1cc8 |
|---|---|
| 57 raise exceptions.Unauthorised, self._( | 57 raise exceptions.Unauthorised, self._( |
| 58 'You do not have permission to ' | 58 'You do not have permission to ' |
| 59 '%(action)s the %(classname)s class.')%info | 59 '%(action)s the %(classname)s class.')%info |
| 60 | 60 |
| 61 _marker = [] | 61 _marker = [] |
| 62 def hasPermission(self, permission, classname=_marker, itemid=None): | 62 def hasPermission(self, permission, classname=_marker, itemid=None, property=None): |
| 63 """Check whether the user has 'permission' on the current class.""" | 63 """Check whether the user has 'permission' on the current class.""" |
| 64 if classname is self._marker: | 64 if classname is self._marker: |
| 65 classname = self.client.classname | 65 classname = self.client.classname |
| 66 return self.db.security.hasPermission(permission, self.client.userid, | 66 return self.db.security.hasPermission(permission, self.client.userid, |
| 67 classname=classname, itemid=itemid) | 67 classname=classname, itemid=itemid, property=property) |
| 68 | 68 |
| 69 def gettext(self, msgid): | 69 def gettext(self, msgid): |
| 70 """Return the localized translation of msgid""" | 70 """Return the localized translation of msgid""" |
| 71 return self.client.translator.gettext(msgid) | 71 return self.client.translator.gettext(msgid) |
| 72 | 72 |
| 484 return (self.nodeid == self.userid | 484 return (self.nodeid == self.userid |
| 485 and self.db.user.get(self.nodeid, 'username') != 'anonymous') | 485 and self.db.user.get(self.nodeid, 'username') != 'anonymous') |
| 486 | 486 |
| 487 _cn_marker = [] | 487 _cn_marker = [] |
| 488 def editItemPermission(self, props, classname=_cn_marker, itemid=None): | 488 def editItemPermission(self, props, classname=_cn_marker, itemid=None): |
| 489 """Determine whether the user has permission to edit this item. | 489 """Determine whether the user has permission to edit this item.""" |
| 490 | |
| 491 Base behaviour is to check the user can edit this class. If we're | |
| 492 editing the "user" class, users are allowed to edit their own details. | |
| 493 Unless it's the "roles" property, which requires the special Permission | |
| 494 "Web Roles". | |
| 495 """ | |
| 496 if self.classname == 'user': | |
| 497 if props.has_key('roles') and not self.hasPermission('Web Roles'): | |
| 498 raise exceptions.Unauthorised, self._( | |
| 499 "You do not have permission to edit user roles") | |
| 500 if self.isEditingSelf(): | |
| 501 return 1 | |
| 502 if itemid is None: | 490 if itemid is None: |
| 503 itemid = self.nodeid | 491 itemid = self.nodeid |
| 504 if classname is self._cn_marker: | 492 if classname is self._cn_marker: |
| 505 classname = self.classname | 493 classname = self.classname |
| 506 if self.hasPermission('Edit', itemid=itemid, classname=classname): | 494 # The user must have permission to edit each of the properties |
| 507 return 1 | 495 # being changed. |
| 508 return 0 | 496 for p in props: |
| 497 if not self.hasPermission('Edit', | |
| 498 itemid=itemid, | |
| 499 classname=classname, | |
| 500 property=p): | |
| 501 return 0 | |
| 502 # Since the user has permission to edit all of the properties, | |
| 503 # the edit is OK. | |
| 504 return 1 | |
| 509 | 505 |
| 510 def newItemPermission(self, props, classname=None): | 506 def newItemPermission(self, props, classname=None): |
| 511 """Determine whether the user has permission to create this item. | 507 """Determine whether the user has permission to create this item. |
| 512 | 508 |
| 513 Base behaviour is to check the user can edit this class. No additional | 509 Base behaviour is to check the user can edit this class. No additional |