changeset 3474:235f1cee5cf2 maint-0.8
merge from HEAD
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Fri, 20 Jan 2006 02:13:51 +0000 |
| parents | 8fcee705ebdb |
| children | be5ea4095df7 |
| files | CHANGES.txt doc/index.txt roundup/cgi/actions.py |
| diffstat | 3 files changed, 23 insertions(+), 8 deletions(-) [+] |
--- a/CHANGES.txt Fri Jan 13 03:34:34 2006 +0000
+++ b/CHANGES.txt Fri Jan 20 02:13:51 2006 +0000
@@ -13,6 +13,8 @@
 - fix Date: header generation to be LOCALE-agnostic (sf bug 1352624)
 - fix admin doc description of roundup-server config file
 - fix redirect after instant registration (sf bug 1381676)
+- fix permission checks in cgi interface (sf bug 1289557)
+- fix permission check on RetireAction (sf bug 1407342)
 2005-10-07 0.8.5
--- a/doc/index.txt Fri Jan 13 03:34:34 2006 +0000 +++ b/doc/index.txt Fri Jan 20 02:13:51 2006 +0000 @@ -155,7 +155,8 @@ William (Wilk), Tue Wennerberg, Matt Wilbert, -Chris Withers. +Chris Withers, +Milan Zamazal.
--- a/roundup/cgi/actions.py Fri Jan 13 03:34:34 2006 +0000 +++ b/roundup/cgi/actions.py Fri Jan 20 02:13:51 2006 +0000 @@ -1,4 +1,4 @@ -#$Id: actions.py,v 1.40.2.9 2006-01-13 03:34:34 richard Exp $ +#$Id: actions.py,v 1.40.2.10 2006-01-20 02:13:51 richard Exp $ import re, cgi, StringIO, urllib, Cookie, time, random, csv @@ -124,6 +124,11 @@ self._('%(classname)s %(itemid)s has been retired')%{ 'classname': self.classname.capitalize(), 'itemid': nodeid}) + def hasPermission(self, permission, classname=Action._marker, itemid=None): + if itemid is None: + itemid = self.nodeid + return self.hasPermission(permission, classname, itemid) + class SearchAction(Action): name = 'search' permissionType = 'View' @@ -435,7 +440,7 @@ def _changenode(self, cn, nodeid, props): """Change the node based on the contents of the form.""" # check for permission - if not self.editItemPermission(props): + if not self.editItemPermission(props, classname=cn, itemid=nodeid): raise exceptions.Unauthorised, self._( 'You do not have permission to edit %(class)s' ) % {'class': cn} @@ -447,7 +452,7 @@ def _createnode(self, cn, props): """Create a node based on the contents of the form.""" # check for permission - if not self.newItemPermission(props): + if not self.newItemPermission(props, classname=cn): raise exceptions.Unauthorised, self._( 'You do not have permission to create %(class)s' ) % {'class': cn} @@ -461,7 +466,8 @@ return (self.nodeid == self.userid and self.db.user.get(self.nodeid, 'username') != 'anonymous') - def editItemPermission(self, props): + _cn_marker = [] + def editItemPermission(self, props, classname=_cn_marker, itemid=None): """Determine whether the user has permission to edit this item. Base behaviour is to check the user can edit this class. If we're 
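Review bot: The new hasPermission override in the -124 hunk (on the class just before SearchAction, presumably RetireAction given the retire message above it and the CHANGES entry) ends with `return self.hasPermission(permission, classname, itemid)`, which resolves to the override itself, so the retire permission check recurses until Python raises a maximum-recursion-depth RuntimeError instead of returning a decision. The last line should delegate to the base class explicitly: `return Action.hasPermission(self, permission, classname, itemid)`. As written it fails closed (the action errors out rather than proceeding), but it also means the item-level Edit check this commit adds for retire never actually runs, and the method has no docstring saying that a missing itemid defaults to the action's own node so that Edit is checked per item rather than per class. Separately, in the -461 hunk `_cn_marker = []` works as an identity sentinel, but `object()` is the usual idiom and cannot be mutated by accident.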
@@ -475,17 +481,23 @@ "You do not have permission to edit user roles") if self.isEditingSelf(): return 1 - if self.hasPermission('Edit', itemid=self.nodeid): + if itemid is None: + itemid = self.nodeid + if classname is self._cn_marker: + classname = self.classname + if self.hasPermission('Edit', itemid=itemid, classname=classname): return 1 return 0 - def newItemPermission(self, props): + def newItemPermission(self, props, classname=None): """Determine whether the user has permission to create this item. Base behaviour is to check the user can edit this class. No additional property checks are made. """ - return self.hasPermission('Create') + if not classname : + classname = self.client.classname + return self.hasPermission('Create', classname=classname) class EditItemAction(EditCommon): def lastUserActivity(self):
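Review bot: In editItemPermission the `if self.isEditingSelf(): return 1` shortcut still runs before the new classname/itemid resolution, and isEditingSelf (visible in the previous hunk) compares self.nodeid with self.userid without looking at the item actually being edited, so when _changenode now passes a different `cn`/`nodeid` the self-edit shortcut can grant Edit on that other item and bypass the item-level check this commit introduces. If the lines above this hunk do not already restrict that branch to the user class, move the two `if itemid is None` / `if classname is self._cn_marker` blocks above the shortcut and tighten it to `if classname == 'user' and itemid == self.userid and self.isEditingSelf(): return 1`. The fallbacks of the two sibling methods are also inconsistent: editItemPermission falls back to `self.classname` via an identity sentinel, while newItemPermission falls back to `self.client.classname` and treats any falsy classname (an empty string included) as "not given", so one convention should be chosen before the two drift further. Minor: `if not classname :` has a stray space before the colon. editItemPermission's body starts outside this hunk.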
