diff roundup/rest.py @ 5618:1ad3881fc683

The access check on properties for an instance of a class (e.g. .../user/1) was not correct. As a result, the access rights on the class, not the access rights to an instance of a class, were checked. This fixes the code so the instance rights are checked the same as calling: .../user/1/roles would.
author John Rouillard <rouilj@ieee.org>
date Sat, 16 Feb 2019 15:37:14 -0500
parents 38b7c4693d9a
children 1c9208fa9127
--- a/roundup/rest.py	Sat Feb 16 15:29:18 2019 -0500
+++ b/roundup/rest.py	Sat Feb 16 15:37:14 2019 -0500
@@ -494,7 +494,7 @@
                 for prop_name in props
                 if self.db.security.hasPermission(
                     'View', self.db.getuid(), class_name, prop_name,
-                )
+                        item_id )
             ]
         except KeyError as msg:
             raise UsageError("%s field not valid" % msg)
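Review bot: The added `item_id )` line passes the item id as a fifth positional argument to `hasPermission`, so the instance-level View check depends entirely on argument order, and the earlier omission of that argument failed silently by falling back to the class-level check. If `hasPermission` accepts these as keyword arguments, passing the property name and item id by keyword would make the intent explicit and harder to drop again. The new line is also indented deeper than the other arguments and has a space before the closing parenthesis; keeping `item_id,` on the same line as `prop_name` with `)` on its own line would match the surrounding style. A regression test for a user who has View on the class but is denied View on a property of a specific item (the `.../user/1` case from the commit message) would pin the corrected behaviour, if one is not already part of the changeset.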

Roundup Issue Tracker: http://roundup-tracker.org/