comparison roundup/cgi/actions.py @ 4126:e67379669e11

Make sure user has edit permission on all properties when creating items.
author Stefan Seefeld <stefan@seefeld.name>
date Wed, 17 Jun 2009 01:28:11 +0000
parents 878767b75e1d
children 6609f944fb0c
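--- a/roundup/cgi/actions.py
+++ b/roundup/cgi/actions.py
@@ -537,13 +537,29 @@
 """Determine whether the user has permission to create this item.
 
 Base behaviour is to check the user can edit this class. No additional
 property checks are made.
 """
+
 if not classname :
 classname = self.client.classname
-return self.hasPermission('Create', classname=classname)
+
+if not self.hasPermission('Create', classname=classname):
+return 0
+
+# Check Edit permission for each property, to avoid being able
+# to set restricted ones on new item creation
+for key in props:
+if not self.hasPermission('Edit', classname=classname,
+property=key):
+# We restrict by default and special-case allowed properties
+if key == 'date' or key == 'content':
+continue
+elif key == 'author' and props[key] == self.userid:
+continue
+return 0
+return 1
 
 class EditItemAction(EditCommon):
 def lastUserActivity(self):
 if self.form.has_key(':lastactivity'):
 d = date.Date(self.form[':lastactivity'].value)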
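Review bot: The exemptions in the new loop (`key == 'date' or key == 'content'`, and `key == 'author'` when it equals `self.userid`) match on property name only, so on any class that has a property with one of those names the Edit check is skipped at creation, not just on the classes the exemption was presumably written for. Consider gating them on the class as well, e.g. `if classname in CREATE_EXEMPT_CLASSES and key in ('date', 'content'):` with the set defined next to the method (the name is a placeholder), or at least say in the comment which classes rely on this. The docstring kept above still says `No additional property checks are made`, which is no longer true; it should state that every key in `props` needs Edit permission apart from the listed exemptions. The method's signature is outside the visible lines, so where `props` comes from cannot be checked here.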
