diff roundup/cgi/actions.py @ 3468:6f3b30925975

fix permission checks in cgi interface [SF#1289557]
author Richard Jones <richard@users.sourceforge.net>
date Fri, 13 Jan 2006 03:50:03 +0000
parents 0ecd0062abfb
children d3b02352484f
--- a/roundup/cgi/actions.py	Fri Jan 13 03:33:29 2006 +0000
+++ b/roundup/cgi/actions.py	Fri Jan 13 03:50:03 2006 +0000
@@ -1,4 +1,4 @@
-#$Id: actions.py,v 1.50 2006-01-13 03:33:29 richard Exp $
+#$Id: actions.py,v 1.51 2006-01-13 03:50:03 richard Exp $
 
 import re, cgi, StringIO, urllib, Cookie, time, random, csv
 
@@ -435,7 +435,7 @@
     def _changenode(self, cn, nodeid, props):
         """Change the node based on the contents of the form."""
         # check for permission
-        if not self.editItemPermission(props):
+        if not self.editItemPermission(props, classname=cn, itemid=nodeid):
             raise exceptions.Unauthorised, self._(
                 'You do not have permission to edit %(class)s'
             ) % {'class': cn}
@@ -447,7 +447,7 @@
     def _createnode(self, cn, props):
         """Create a node based on the contents of the form."""
         # check for permission
-        if not self.newItemPermission(props):
+        if not self.newItemPermission(props, classname=cn):
             raise exceptions.Unauthorised, self._(
                 'You do not have permission to create %(class)s'
             ) % {'class': cn}
@@ -461,7 +461,8 @@
         return (self.nodeid == self.userid
                 and self.db.user.get(self.nodeid, 'username') != 'anonymous')
 
-    def editItemPermission(self, props):
+    _cn_marker = []
+    def editItemPermission(self, props, classname=_cn_marker, itemid=None):
         """Determine whether the user has permission to edit this item.
 
         Base behaviour is to check the user can edit this class. If we're
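Review bot: `_cn_marker = []` on line 41 is a mutable list used only as an identity sentinel; `object()` is the conventional choice, states the intent, and cannot be mutated or mistaken for a real value: `_cn_marker = object()`. The sentinel is also a class attribute, so a tracker subclass that still overrides `editItemPermission(self, props)` with the old two-argument form would presumably fail with a TypeError on the new keyword arguments `_changenode` now passes — worth checking before release. The docstring still does not mention the new parameters; add a line such as "`classname` and `itemid` name the item being checked, defaulting to the class and node the client is currently viewing". The method body continues past the hunk.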
@@ -475,17 +476,23 @@
                     "You do not have permission to edit user roles")
             if self.isEditingSelf():
                 return 1
-        if self.hasPermission('Edit', itemid=self.nodeid):
+        if itemid is None:
+            itemid = self.nodeid
+        if classname is self._cn_marker:
+            classname = self.classname
+        if self.hasPermission('Edit', itemid=itemid, classname=classname):
             return 1
         return 0
 
-    def newItemPermission(self, props):
+    def newItemPermission(self, props, classname=None):
         """Determine whether the user has permission to create this item.
 
         Base behaviour is to check the user can edit this class. No additional
         property checks are made.
         """
-        return self.hasPermission('Create')
+        if not classname :
+            classname = self.client.classname
+        return self.hasPermission('Create', classname=classname)
 
 class EditItemAction(EditCommon):
     def lastUserActivity(self):
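Review bot: The two fallbacks disagree: `editItemPermission` defaults `classname` to `self.classname` (line 54) while `newItemPermission` defaults it to `self.client.classname` (line 68); unless those resolve to the same attribute, one of the permission checks is evaluated against a different class than intended, which is exactly the kind of mismatch this fix is meant to close. `newItemPermission` also tests `if not classname :`, so an empty string is silently swapped for the client's class instead of being rejected, and the space before the colon is a style nit; `if classname is None:` would match the explicit-sentinel handling in `editItemPermission`. The `editItemPermission` definition starts in the previous hunk.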
