diff roundup/rest.py @ 6086:c172bd18fa94

REST API: 403 on non-searchable properties issue2551051: Return a 403 on non-existing or non-searchable transitive properties when queried via REST-API (same behavior for sorting and searching).
author Ralf Schlatterbeck <rsc@runtux.com>
date Wed, 12 Feb 2020 12:35:33 +0100
parents d56e290ecab7
children f564e5152134 00a24243887c
--- a/roundup/rest.py	Mon Feb 10 21:58:40 2020 +0000
+++ b/roundup/rest.py	Wed Feb 12 12:35:33 2020 +0100
@@ -696,6 +696,10 @@
                         uid, class_name, pn
                     ):
                         sort.append((ss, pn))
+                    else :
+                        raise (Unauthorised (
+                            'User does not have search permission on "%s.%s"'
+                            % (class_name, pn)))
             elif key.startswith("@"):
                 # ignore any unsupported/previously handled control key
                 # like @apiver
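Review bot: The new `else :` branch has a space before the colon and wraps the raise in two layers of redundant parentheses, `raise (Unauthorised (...))`, which reads as a call to a tuple and is not the style of the surrounding code; the same form appears in the next hunk at the `key` check. The plain form is `else:` followed by `raise Unauthorised(` and `'User does not have search permission on "%s.%s"' % (class_name, pn))`. Since both hunks build the identical message, a single module-level format string would keep the two 403 paths from drifting apart. The enclosing method starts outside the hunk, so I cannot see whether `Unauthorised` is mapped to a 403 response there or by the caller.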
@@ -721,7 +725,9 @@
                 if not self.db.security.hasSearchPermission(
                     uid, class_name, key
                 ):
-                    continue
+                    raise (Unauthorised (
+                        'User does not have search permission on "%s.%s"'
+                        % (class_name, key)))
 
                 linkcls = class_obj
                 for p in key.split('.'):
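Review bot: The raise only covers the top-level `key`; the `for p in key.split('.')` loop that walks `linkcls` begins on the hunk's last line and its body is outside the hunk, so I cannot see whether each hop is also checked with `hasSearchPermission` on the linked class. The commit message promises a 403 for non-searchable transitive properties, so if that loop still skips or silently ignores an unauthorised hop, the same `raise Unauthorised(...)` is needed there too, otherwise a filter on `link.secret_prop` would still be accepted. A short comment above the check, `# fail closed: an unsearchable property is a 403, not silently dropped`, would record why `continue` was replaced.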
