diff roundup/cgi/templating.py @ 3126:a2889d22db4a
The cgi templating code now checks item-level
permissions (per Alex's suggestion).
The templates themselves do not have row-level checks now.
Cleaned up the msg and file index templates to use batching.
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Fri, 04 Feb 2005 05:25:50 +0000 |
| parents | 460eb0209a9e |
| children | 021b131bd816 |
--- a/roundup/cgi/templating.py Fri Jan 28 05:09:44 2005 +0000
+++ b/roundup/cgi/templating.py Fri Feb 04 05:25:50 2005 +0000
@@ -558,10 +558,16 @@
 '''
 # get the list and sort it nicely
 l = self._klass.list()
- sortfunc = make_sort_function(self._db, self.classname, sort_on)
+ sortfunc = make_sort_function(self._db, self._classname, sort_on)
 l.sort(sortfunc)
- l = [HTMLItem(self._client, self.classname, x) for x in l]
+ # check perms
+ check = self._client.db.security.hasPermission
+ userid = self._client.userid
+
+ l = [HTMLItem(self._client, self._classname, id) for id in l
+ if check('View', userid, self._classname, itemid=id)]
+
 return l
 def csv(self):
@@ -605,8 +611,13 @@
 filterspec = request.filterspec
 sort = request.sort
 group = request.group
+
+ check = self._db.security.hasPermission
+ userid = self._client.userid
+
 l = [HTMLItem(self._client, self.classname, x)
- for x in self._klass.filter(None, filterspec, sort, group)]
+ for id in self._klass.filter(None, filterspec, sort, group)
+ if check('View', userid, self.classname, itemid=id)]
 return l
 def classhelp(self, properties=None, label=''"(list)", width='500',
@@ -1643,6 +1654,28 @@
 return '\n'.join(l)
 # def checklist(self, ...)
+class MultilinkIterator:
+ def __init__(self, classname, client, values):
+ self.classname = classname
+ self.client = client
+ self.values = values
+ self.id = -1
+ self.cl = self.client.db.getclass(self.classname)
+ def next(self):
+ '''Return the next item, but skip inaccessible items.'''
+ check = self.client.db.security.hasPermission
+ userid = self.client.userid
+ while 1:
+ self.id += 1
+ if self.id >= len(self.values):
+ raise StopIteration
+ value = self.values[self.id]
+ if check('View', userid, self.classname, itemid=value):
+ return HTMLItem(self.client, self.classname, value)
+ def __iter__(self):
+ return self
+
+
 class MultilinkHTMLProperty(HTMLProperty):
 ''' Multilink HTMLProperty
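Review bot: The new permission filter in list() binds its comprehension variable as `id`, which shadows the builtin and, in Python 2 list comprehensions, leaks into the rest of the method; the same name is reused in the filter() hunk below and in the batch() hunk on the next line. A name such as `itemid` avoids both problems: `l = [HTMLItem(self._client, self._classname, itemid) for itemid in l` / `if check('View', userid, self._classname, itemid=itemid)]`. The three hunks also reach the security object two different ways, `self._client.db.security` here and in batch() but `self._db.security` in filter(); using one spelling makes it obvious they consult the same database. The enclosing list() method starts outside the hunk.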
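Review bot: The rewritten comprehension in filter() renames its loop variable to `id`, but the unchanged first line still builds `HTMLItem(self._client, self.classname, x)`, so `x` is no longer bound and the first call that yields an item will raise NameError unless some earlier `x` in the method, outside this hunk, happens to be in scope. The context line has to change as well: `l = [HTMLItem(self._client, self.classname, id)`. Note also that the list() hunk above switched this class to `self._classname` while this method still reads `self.classname`; worth confirming that both attributes exist on the object. The enclosing filter() method starts outside the hunk.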
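Review bot: MultilinkIterator.__init__ stores `self.cl = self.client.db.getclass(self.classname)` but nothing in the class reads it, so the lookup is a wasted call (and an extra failure point) every time a Multilink is iterated; drop the line or use it. The class has no docstring; one along the lines of `'''Iterate over a Multilink's item ids, yielding an HTMLItem only for items the current user has View permission on.'''` would explain why this exists instead of a plain list. Because next() advances `self.id` in place, the iterator is single-pass and has no length, so any caller that walks the values twice or calls len() on the result needs `list(...)` around it.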
@@ -1665,16 +1698,22 @@
 ''' no extended attribute accesses make sense here '''
 raise AttributeError, attr
- def __getitem__(self, num):
+ def __iter__(self):
 ''' iterate and return a new HTMLItem '''
- #print 'Multi.getitem', (self, num)
- value = self._value[num]
- return HTMLItem(self._client, self._prop.classname, value)
+ return MultilinkIterator(self._prop.classname, self._client,
+ self._value)
+
+ def reverse(self):
+ ''' return the list in reverse order
+ '''
+ l = self._value[:]
+ l.reverse()
+ return MultilinkIterator(self._prop.classname, self._client, l)
 def sorted(self, property):
 ''' Return this multilink sorted by the given property '''
- value = list(self._value[num])
+ value = list(self.__iter__())
 value.sort(lambda a,b:cmp(a[property], b[property]))
 return value
@@ -1688,14 +1727,6 @@
 '''Is my _value not []?'''
 return self._value != []
- def reverse(self):
- ''' return the list in reverse order
- '''
- l = self._value[:]
- l.reverse()
- return [HTMLItem(self._client, self._prop.classname, value)
- for value in l]
-
 def plain(self, escape=0):
 ''' Render a "plain" representation of the property '''
@@ -2138,7 +2169,12 @@
 re.findall(r'\b\w{2,25}\b', self.search_text), klass)
 else:
 matches = None
- l = klass.filter(matches, filterspec, sort, group)
+
+ # filter for visibility
+ check = self._client.db.security.hasPermission
+ userid = self._client.userid
+ l = [id for id in klass.filter(matches, filterspec, sort, group)
+ if check('View', userid, self.classname, itemid=id)]
 # return the batch object, using IDs only
 return Batch(self.client, l, self.pagesize, self.startwith,
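Review bot: reverse() now returns a MultilinkIterator, but its docstring still says `''' return the list in reverse order '''`, and the same hunk removes __getitem__, so templates that index a Multilink (`prop[0]`), call len() on reverse(), or iterate it twice change behaviour without any note in the commit. Either update the docstring to say an iterator over viewable items is returned, or keep the list form with `return list(MultilinkIterator(self._prop.classname, self._client, l))`. In sorted(), `list(self.__iter__())` reads more naturally as `list(self)`; it also fixes the old reference to the undefined `num`, and since the items come through the iterator, ids the user cannot View never reach the sort. The MultilinkHTMLProperty class starts outside the hunk.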
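Review bot: The visibility filter in batch() reaches the database through `self._client.db` and `self._client.userid`, while the unchanged `return Batch(self.client, ...)` two lines below uses `self.client`; unless this object exposes both names, one spelling is wrong, so the new lines should use whichever attribute the rest of the method already uses. Filtering the ids before building the Batch is the right place for the check, since page counts and positions then reflect only items the user may View; the cost is one hasPermission call per id returned by klass.filter() on every request, which deserves a comment such as `# filter for visibility: one View check per matching id`. The enclosing batch() method starts and ends outside the hunk.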
