Mercurial > p > roundup > code
diff roundup/cgi/templating.py @ 4328:3d224f7fb364
add web access check all over templating
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Fri, 29 Jan 2010 05:29:49 +0000 |
| parents | 966592263fb8 |
| children | 58b7ba47af87 |
line wrap: on
line diff
--- a/roundup/cgi/templating.py Fri Jan 29 05:12:46 2010 +0000 +++ b/roundup/cgi/templating.py Fri Jan 29 05:29:49 2010 +0000 @@ -520,20 +520,23 @@ def is_edit_ok(self): """ Is the user allowed to Create the current class? """ - return self._db.security.hasPermission('Create', self._client.userid, - self._classname) + perm = self._db.security.hasPermission + return perm('Web Access', self._client.userid) and perm('Create', + self._client.userid, self._classname) def is_retire_ok(self): """ Is the user allowed to retire items of the current class? """ - return self._db.security.hasPermission('Retire', self._client.userid, - self._classname) + perm = self._db.security.hasPermission + return perm('Web Access', self._client.userid) and perm('Retire', + self._client.userid, self._classname) def is_view_ok(self): """ Is the user allowed to View the current class? """ - return self._db.security.hasPermission('View', self._client.userid, - self._classname) + perm = self._db.security.hasPermission + return perm('Web Access', self._client.userid) and perm('View', + self._client.userid, self._classname) def is_only_view_ok(self): """ Is the user only allowed to View (ie. not Create) the current class? @@ -620,6 +623,8 @@ # check perms check = self._client.db.security.hasPermission userid = self._client.userid + if not check('Web Access', userid): + return [] l = [HTMLItem(self._client, self._classname, id) for id in l if check('View', userid, self._classname, itemid=id)] @@ -634,11 +639,14 @@ writer = csv.writer(s) writer.writerow(props) check = self._client.db.security.hasPermission + userid = self._client.userid + if not check('Web Access', userid): + return '' for nodeid in self._klass.list(): l = [] for name in props: # check permission to view this property on this item - if not check('View', self._client.userid, itemid=nodeid, + if not check('View', userid, itemid=nodeid, classname=self._klass.classname, property=name): raise Unauthorised('view', self._klass.classname, translator=self._client.translator) @@ -672,6 +680,8 @@ check = self._db.security.hasPermission userid = self._client.userid + if not check('Web Access', userid): + return [] l = [HTMLItem(self._client, self.classname, id) for id in self._klass.filter(None, filterspec, sort, group) @@ -801,20 +811,23 @@ def is_edit_ok(self): """ Is the user allowed to Edit this item? """ - return self._db.security.hasPermission('Edit', self._client.userid, - self._classname, itemid=self._nodeid) + perm = self._db.security.hasPermission + return perm('Web Access', self._client.userid) and perm('Edit', + self._client.userid, self._classname, itemid=self._nodeid) def is_retire_ok(self): """ Is the user allowed to Reture this item? """ - return self._db.security.hasPermission('Retire', self._client.userid, - self._classname, itemid=self._nodeid) + perm = self._db.security.hasPermission + return perm('Web Access', self._client.userid) and perm('Retire', + self._client.userid, self._classname, itemid=self._nodeid) def is_view_ok(self): """ Is the user allowed to View this item? """ - if self._db.security.hasPermission('View', self._client.userid, - self._classname, itemid=self._nodeid): + perm = self._db.security.hasPermission + if perm('Web Access', self._client.userid) and perm('View', + self._client.userid, self._classname, itemid=self._nodeid): return 1 return self.is_edit_ok() @@ -1289,19 +1302,22 @@ property. Check "Create" for new items, or "Edit" for existing ones. """ + perm = self._db.security.hasPermission + userid = self._client.userid + if not perm('Web Access', userid): + return False if self._nodeid: - return self._db.security.hasPermission('Edit', self._client.userid, - self._classname, self._name, self._nodeid) - return self._db.security.hasPermission('Create', self._client.userid, - self._classname, self._name) or \ - self._db.security.hasPermission('Register', self._client.userid, - self._classname, self._name) + return perm('Edit', userid, self._classname, self._name, + self._nodeid) + return perm('Create', userid, self._classname, self._name) or \ + perm('Register', userid, self._classname, self._name) def is_view_ok(self): """ Is the user allowed to View the current class? """ - if self._db.security.hasPermission('View', self._client.userid, - self._classname, self._name, self._nodeid): + perm = self._db.security.hasPermission + if perm('Web Access', self._client.userid) and perm('View', + self._client.userid, self._classname, self._name, self._nodeid): return 1 return self.is_edit_ok() @@ -2071,9 +2087,10 @@ check = self._db.security.hasPermission userid = self._client.userid classname = self._prop.classname - for value in values: - if check('View', userid, classname, itemid=value): - yield HTMLItem(self._client, classname, value) + if check('Web Access', userid): + for value in values: + if check('View', userid, classname, itemid=value): + yield HTMLItem(self._client, classname, value) def __iter__(self): """ iterate and return a new HTMLItem @@ -2649,6 +2666,12 @@ def batch(self): """ Return a batch object for results from the "current search" """ + check = self._client.db.security.hasPermission + userid = self._client.userid + if not check('Web Access', userid): + return Batch(self.client, [], self.pagesize, self.startwith, + classname=self.classname) + filterspec = self.filterspec sort = self.sort group = self.group @@ -2665,8 +2688,6 @@ matches = None # filter for visibility - check = self._client.db.security.hasPermission - userid = self._client.userid l = [id for id in klass.filter(matches, filterspec, sort, group) if check('View', userid, self.classname, itemid=id)]