# HG changeset patch
# User Stefan Seefeld
# Date 1245204127 0
# Node ID 4ce043e9d43a93c1c12e3db2a8cfb0585828ceca
# Parent 10224418f88c000ba184d7f777ac7d1d349dff6b
Merge from trunk.
diff -r 10224418f88c -r 4ce043e9d43a roundup/actions.py
--- a/roundup/actions.py Sat Jun 13 02:12:55 2009 +0000
+++ b/roundup/actions.py Wed Jun 17 02:02:07 2009 +0000
@@ -64,5 +64,5 @@
if not self.db.security.hasPermission('Edit', self.db.getuid(), classname=classname, itemid=itemid):
raise Unauthorised(self._('You do not have permission to '
- '%(action)s the %(classname)s class.')%info)
+ 'retire the %(classname)s class.')%classname)
diff -r 10224418f88c -r 4ce043e9d43a roundup/cgi/actions.py
--- a/roundup/cgi/actions.py Sat Jun 13 02:12:55 2009 +0000
+++ b/roundup/cgi/actions.py Wed Jun 17 02:02:07 2009 +0000
@@ -539,9 +539,25 @@
Base behaviour is to check the user can edit this class. No additional property checks are made. """
+ if not classname :
classname = self.client.classname
- return self.hasPermission('Create', classname=classname)
+
+ if not self.hasPermission('Create', classname=classname):
+ return 0
+
+ # Check Edit permission for each property, to avoid being able
+ # to set restricted ones on new item creation
+ for key in props:
+ if not self.hasPermission('Edit', classname=classname,
+ property=key):
+ # We restrict by default and special-case allowed properties
+ if key == 'date' or key == 'content':
+ continue
+ elif key == 'author' and props[key] == self.userid:
+ continue
+ return 0
+ return 1
class EditItemAction(EditCommon):
def lastUserActivity(self):
@@ -643,11 +659,6 @@
% str(message))
return
- # guard against new user creation that would bypass security checks
- for key in props:
- if 'user' in key:
- return
-
# handle the props - edit or create
try:
# when it hits the None element, it'll set self.nodeid
diff -r 10224418f88c -r 4ce043e9d43a roundup/xmlrpc.py
--- a/roundup/xmlrpc.py Sat Jun 13 02:12:55 2009 +0000
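Review bot: The new denial line in the roundup/actions.py hunk, `'retire the %(classname)s class.')%classname`, keeps a named `%(classname)s` placeholder but now formats it with a bare value; if `classname` is a string, as the `classname=classname` keyword on the context line suggests, the `%` operator raises `TypeError: format requires a mapping` and the caller receives that instead of `Unauthorised`. Access is still refused, but through the wrong exception type, which matters for any upstream handler that catches `Unauthorised` to render a clean permission error rather than a traceback. Keep the mapping: `'retire the %(classname)s class.') % {'classname': classname})`. The enclosing method starts outside the hunk, so I cannot see whether `info` is still built there; if it is, restoring `% info` is the smaller fix. A comment such as `# retiring an item is gated on Edit permission for it` next to the check would also save the next reader from looking for a separate retire permission that the message implies.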
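Review bot: In the roundup/cgi/actions.py hunk at -539, the by-name exemptions `key == 'date' or key == 'content'` and `key == 'author' and props[key] == self.userid` apply to every class this method is reached for, not only to the classes whose properties the comment presumably has in mind, so any class that defines a restricted `date` or `content` property loses exactly the Edit check the loop was added to enforce. A comment naming the classes and properties the exemption is meant for, or a per-class allow-list instead of the bare string comparisons, would make the intent checkable. The `author` comparison `props[key] == self.userid` also depends on both sides having the same type; if one arrives as a string id from the form and the other as an int, the exemption silently never matches and creation is refused, which is worth confirming against the caller, since the method signature and its callers lie outside the hunk. Finally, `return 0` / `return 1` in a method whose callers presumably test truthiness would read more clearly as `return False` / `return True`.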
+++ b/roundup/xmlrpc.py Wed Jun 17 02:02:07 2009 +0000
@@ -90,6 +90,7 @@
return dict(result)
def create(self, classname, *args):
+
if not self.db.security.hasPermission('Create', self.db.getuid(), classname):
raise Unauthorised('Permission to create %s denied'%classname)
@@ -103,6 +104,11 @@
if key and not props.has_key(key):
raise UsageError, 'you must provide the "%s" property.'%key
+ for key in props:
+ if not self.db.security.hasPermission('Edit', self.db.getuid(), classname,
+ property=key):
+ raise Unauthorised('Permission to create %s denied'%classname)
+
# do the actual create
try:
result = cl.create(**props)
@@ -129,7 +135,7 @@
builtin_actions = {'retire': actions.Retire}
def action(self, name, *args):
- """"""
+ """Execute a named action."""
if name in self.actions:
action_type = self.actions[name]
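Review bot: In the hunk at -103, the property-level refusal reuses the class-level message `'Permission to create %s denied'%classname`, so neither the caller nor the server log can distinguish a refused class from a refused property; `raise Unauthorised('Permission to set %s.%s on create denied' % (classname, key))` keeps the same exception type while naming the property the caller itself supplied. This loop is also a stricter sibling of the check added to roundup/cgi/actions.py in the same changeset, which exempts `date`, `content` and a self-authored `author`; if the difference is deliberate, a one-line comment such as `# no by-name exemptions here: every submitted property needs Edit permission` would keep the two paths from drifting apart unnoticed. The hunk at -129 is cut off at the end of the page, so its final context line is not visible here.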