comparison roundup/cgi/client.py @ 4326:d51a9c498dc4

Fix "Web Access" permission check to allow serving of static files to Anonymous again
author Richard Jones <richard@users.sourceforge.net>
date Fri, 29 Jan 2010 05:03:48 +0000
parents b1772fdb09d0
children 095d92109cc7
4325:6ec048310de7 4326:d51a9c498dc4
378 # Roundup may depend upon that. 378 # Roundup may depend upon that.
379 self.determine_charset() 379 self.determine_charset()
380 self.determine_language() 380 self.determine_language()
381 # Open the database as the correct user. 381 # Open the database as the correct user.
382 self.determine_user() 382 self.determine_user()
383 self.check_web_access()
383 384
384 # Call the appropriate XML-RPC method. 385 # Call the appropriate XML-RPC method.
385 handler = xmlrpc.RoundupDispatcher(self.db, 386 handler = xmlrpc.RoundupDispatcher(self.db,
386 self.instance.actions, 387 self.instance.actions,
387 self.translator, 388 self.translator,
434 # make sure we're identified (even anonymously) 435 # make sure we're identified (even anonymously)
435 self.determine_user() 436 self.determine_user()
436 437
437 # figure out the context and desired content template 438 # figure out the context and desired content template
438 self.determine_context() 439 self.determine_context()
440
441 # if we've made it this far the context is to a bit of
442 # Roundup's real web interface (not a file being served up)
443 # so do the Anonymous Web Acess check now
444 self.check_web_access()
439 445
440 # possibly handle a form submit action (may change self.classname 446 # possibly handle a form submit action (may change self.classname
441 # and self.template, and may also append error/ok_messages) 447 # and self.template, and may also append error/ok_messages)
442 html = self.handle_action() 448 html = self.handle_action()
443 449
709 user = 'anonymous' 715 user = 'anonymous'
710 716
711 # make sure the anonymous user is valid if we're using it 717 # make sure the anonymous user is valid if we're using it
712 if user == 'anonymous': 718 if user == 'anonymous':
713 self.make_user_anonymous() 719 self.make_user_anonymous()
720 else:
721 self.user = user
722
723 # reopen the database as the correct user
724 self.opendb(self.user)
725
726 def check_web_access(self):
727 """Check that the Anonymous user is actually allowed to use the web
728 interface and short-circuit all further processing if they're not.
729 """
730 if self.user == 'anonymous':
714 if not self.db.security.hasPermission('Web Access', self.userid): 731 if not self.db.security.hasPermission('Web Access', self.userid):
715 raise Unauthorised, self._("Anonymous users are not " 732 raise Unauthorised, self._("Anonymous users are not "
716 "allowed to use the web interface") 733 "allowed to use the web interface")
717 else:
718 self.user = user
719
720 # reopen the database as the correct user
721 self.opendb(self.user)
722 734
723 def opendb(self, username): 735 def opendb(self, username):
724 """Open the database and set the current user. 736 """Open the database and set the current user.
725 737
726 Opens a database once. On subsequent calls only the user is set on 738 Opens a database once. On subsequent calls only the user is set on
863 klass = self.db.getclass(classname) 875 klass = self.db.getclass(classname)
864 except KeyError: 876 except KeyError:
865 # The classname was not valid. 877 # The classname was not valid.
866 raise NotFound, str(designator) 878 raise NotFound, str(designator)
867 879
880 # perform the Anonymous user access check
881 self.check_web_access()
868 882
869 # make sure we have the appropriate properties 883 # make sure we have the appropriate properties
870 props = klass.getprops() 884 props = klass.getprops()
871 if not props.has_key('type'): 885 if not props.has_key('type'):
872 raise NotFound, designator 886 raise NotFound, designator
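Review bot: The "Web Access" check no longer runs inside determine_user() and now has to be called by each entry point, so any request path that calls determine_user() without check_web_access() would serve Anonymous unchecked. The three call sites added here (XML-RPC dispatch at new line 383, the main request path at 444, file serving at 881) cover what is visible, but the enclosing methods start and end outside the shown hunks, so other callers of determine_user() should be audited. In the last hunk the check runs after `self.db.getclass(classname)`, so an anonymous client without Web Access appears to get NotFound for an invalid class name and Unauthorised for a valid one; calling `self.check_web_access()` before the class lookup would remove that difference. The check_web_access docstring should also state the contract, for example `Raises Unauthorised; must be called after determine_user() has set self.user and self.userid`, and the comment at 443 misspells "Access".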
