# HG changeset patch
# User Richard Jones
# Date 1076458940 0
# Node ID b046b65e51dbef000addf47e794e63ffa4ccd1de
# Parent 1e96ed79f0c382a42b36a74a7f1d975f8ff88ece
if you're going to enforce class-level permissions... ...then enforce them at the class level
diff -r 1e96ed79f0c3 -r b046b65e51db roundup/cgi/templating.py
--- a/roundup/cgi/templating.py Wed Feb 11 00:21:46 2004 +0000
+++ b/roundup/cgi/templating.py Wed Feb 11 00:22:20 2004 +0000
@@ -874,7 +874,7 @@
''' Is the user allowed to View the current class? Also check whether this is the current user's info. '''
- return self._db.security.hasPermission('Edit', self._client.userid,
+ return self._db.security.hasPermission('View', self._client.userid,
self._classname) or (self._nodeid == self._client.userid and self._db.user.get(self._client.userid, 'username') != 'anonymous')
@@ -915,6 +915,26 @@
return cmp(self._value, other._value)
return cmp(self._value, other)
+ def is_edit_ok(self):
+ ''' Is the user allowed to Edit the current class?
+ '''
+ thing = HTMLDatabase(self._client)[self._classname]
+ if self._nodeid:
+ # this is a special-case for the User class where permission's
+ # on a per-item basis :(
+ thing = thing.getItem(self._nodeid)
+ return thing.is_edit_ok()
+
+ def is_view_ok(self):
+ ''' Is the user allowed to View the current class?
+ '''
+ thing = HTMLDatabase(self._client)[self._classname]
+ if self._nodeid:
+ # this is a special-case for the User class where permission's
+ # on a per-item basis :(
+ thing = thing.getItem(self._nodeid)
+ return thing.is_view_ok()
+
class StringHTMLProperty(HTMLProperty):
hyper_re = re.compile(r'((?P\w{3,6}://\S+)|' r'(?P[-+=%/\w\.]+@[\w\.\-]+)|'
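Review bot: The self-access fallback right after the changed call, `self._nodeid == self._client.userid`, never checks `self._classname`, so it is only safe if this method sits on a wrapper that is always the user class. The enclosing class starts outside the hunk, so that needs confirming. If the wrapper can be built for other classes, an item whose id merely equals the viewer's user id would pass without the 'View' permission, and the clause should read `self._classname == 'user' and self._nodeid == self._client.userid`. Because the defect fixed here was a copied 'Edit' string, a regression test that gives a role View but not Edit and asserts `is_view_ok()` is true while `is_edit_ok()` is false would stop the two checks drifting together again.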
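Review bot: The added `is_edit_ok()` and `is_view_ok()` only report a decision; nothing in this hunk makes the property's own output methods consult them, so a template that prints a property without first testing `is_view_ok()` would still render the value. The rest of the class is outside the hunk, so check whether the rendering paths call these, and if they do not, state it in the docstring, e.g. `''' Advisory only: templates must test this before rendering the value. '''`. The two bodies differ only in the final call, so a private helper that returns `thing` would keep the per-item special case in one place. The docstrings also say "current class" although the check becomes item-level once `self._nodeid` is set; they should mention that.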