comparison roundup/xmlrpc.py @ 8126:f7bd22bdef9d permission-performance
Move permission check code to hyperdb
Now the hyperdb has a method filter_with_permissions that performs the
permission checks before (for filtering on sort/group/filterspec
arguments) and after a call to hyperdb.filter.
This also fixes possible problems on the unfiltered
sort/group/filterspec arguments in roundup/rest.py and
roundup/cgi/templating.py
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Mon, 21 Oct 2024 18:12:03 +0200 |
| parents | af1067e0f6d9 |
| children |
| 8125:b358da7c89e5 | 8126:f7bd22bdef9d |
|---|---|
| 92 return result | 92 return result |
| 93 | 93 |
| 94 def filter(self, classname, search_matches, filterspec, | 94 def filter(self, classname, search_matches, filterspec, |
| 95 sort=[], group=[]): | 95 sort=[], group=[]): |
| 96 cl = self.db.getclass(classname) | 96 cl = self.db.getclass(classname) |
| 97 uid = self.db.getuid() | 97 return cl.filter_with_permissions( |
| 98 security = self.db.security | 98 search_matches, filterspec, sort=sort, group=group |
| 99 filterspec = security.filterFilterspec(uid, classname, filterspec) | 99 ) |
| 100 sort = security.filterSortspec(uid, classname, sort) | |
| 101 group = security.filterSortspec(uid, classname, group) | |
| 102 result = cl.filter(search_matches, filterspec, sort=sort, group=group) | |
| 103 check = security.hasPermission | |
| 104 x = [id for id in result if check('View', uid, classname, itemid=id)] | |
| 105 return x | |
| 106 | 100 |
| 107 def lookup(self, classname, key): | 101 def lookup(self, classname, key): |
| 108 cl = self.db.getclass(classname) | 102 cl = self.db.getclass(classname) |
| 109 uid = self.db.getuid() | 103 uid = self.db.getuid() |
| 110 prop = cl.getkey() | 104 prop = cl.getkey() |
