comparison roundup/xmlrpc.py @ 4670:c9b85ca1f985
Fix xmlrpc permissions for lookup method.
Allow if the key attribute is either searchable or viewable, don't check
id attribute.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Wed, 17 Oct 2012 15:32:41 +0200 |
| parents | 3f251efd5f48 |
| children | d9e5539303bd |
| 4669:d7ac6c7bc371 | 4670:c9b85ca1f985 |
|---|---|
| 101 | 101 |
| 102 def lookup(self, classname, key): | 102 def lookup(self, classname, key): |
| 103 cl = self.db.getclass(classname) | 103 cl = self.db.getclass(classname) |
| 104 uid = self.db.getuid() | 104 uid = self.db.getuid() |
| 105 prop = cl.getkey() | 105 prop = cl.getkey() |
| 106 check = self.db.security.hasSearchPermission | 106 search = self.db.security.hasSearchPermission |
| 107 if not check(uid, classname, 'id') or not check(uid, classname, prop): | 107 access = self.db.security.hasPermission |
| 108 raise Unauthorised('Permission to search %s denied'%classname) | 108 if (not search(uid, classname, prop) |
| 109 and not access('View', uid, classname, prop)): | |
| 110 raise Unauthorised('Permission to lookup %s denied'%classname) | |
| 109 return cl.lookup(key) | 111 return cl.lookup(key) |
| 110 | 112 |
| 111 def display(self, designator, *properties): | 113 def display(self, designator, *properties): |
| 112 classname, itemid = hyperdb.splitDesignator(designator) | 114 classname, itemid = hyperdb.splitDesignator(designator) |
| 113 cl = self.db.getclass(classname) | 115 cl = self.db.getclass(classname) |
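
Review bot: In the new `lookup` condition (right-hand lines 108-109), View is tested without an item id, `access('View', uid, classname, prop)`, while `cl.lookup(key)` then returns the id of one specific item. If a tracker grants View on the key property per item, a user who may view only some items could still pass this check for any key; consider resolving the id first and checking View against that item before returning it. Dropping the `'id'` check and accepting View as an alternative to Search loosens the previous rule on purpose, so a short comment on the condition and tests for the Search-only, View-only and neither cases would keep it from being changed by accident later.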
