changeset 3042:24e31de4f3a1 maint-0.8

merge from HEAD
author Richard Jones <richard@users.sourceforge.net>
date Tue, 04 Jan 2005 00:55:37 +0000
parents 70c9954f619f
children f859d9393bf0
files CHANGES.txt doc/announcement.txt roundup/cgi/templating.py templates/classic/schema.py templates/minimal/schema.py
diffstat 5 files changed, 48 insertions(+), 79 deletions(-) [+]
--- a/CHANGES.txt	Mon Jan 03 23:07:03 2005 +0000
+++ b/CHANGES.txt	Tue Jan 04 00:55:37 2005 +0000
@@ -11,6 +11,7 @@
 - 'roundup-server -S' always writes [trackers] section heading (sf bug 1088878)
 - fix port number as int in mysql connection info (sf bug 1082530)
 - fix setup.py to work with <Python2.3 (sf bug 1082801)
+- fix permissions checks in cgi templating (sf bug 1082755)
 
 
 2004-12-08 0.8.0b1
--- a/doc/announcement.txt	Mon Jan 03 23:07:03 2005 +0000
+++ b/doc/announcement.txt	Tue Jan 04 00:55:37 2005 +0000
@@ -9,21 +9,8 @@
 
   http://roundup.sourceforge.net/doc-0.8/whatsnew-0.8.html
 
-Some highlights:
+This is a bugfix release, fixing:
 
-* i18n of the user interface (not just web),
-* a re-working of the tracker home configuration to make it much cleaner,
-* many speed optimisations,
-* integration of the python logging module,
-* optional configuration of roundup-server through a configuration file,
-* creation of items check the new Create Permission rather than Edit now,
-* Permissions may be defined on a per-property basis,
-* Permissions may include a fragment of code to run to check,
-* optional HTTP Basic auth built in (Apache not required),
-* optional HTTP charset selection,
-* added mod_python interface,
-* optional instant web registration (rather than email confirmation), and
-* 30 or so other little feature additions... 
 
 If you're upgrading from an older version of Roundup you *must* follow
 the "Software Upgrade" guidelines given in the maintenance documentation.
--- a/roundup/cgi/templating.py	Mon Jan 03 23:07:03 2005 +0000
+++ b/roundup/cgi/templating.py	Tue Jan 04 00:55:37 2005 +0000
@@ -645,8 +645,12 @@
 
     def submit(self, label=''"Submit New Entry"):
         ''' Generate a submit button (and action hidden element)
+
+        Generate nothing if we're not editable.
         '''
-        self.edit_check()
+        if not self.is_edit_ok():
+            return ''
+
         return self.input(type="hidden", name="@action", value="new") + \
             '\n' + \
             self.input(type="submit", name="submit", value=self._(label))
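Review bot: submit() emits `@action=new` but is gated on `is_edit_ok()`, and it is not visible here which permission that helper checks for an item that does not exist yet; the helper is defined outside this hunk, so confirm it covers creation and not only editing. Returning `''` only hides the button, so the handler for the `new` action still has to enforce the permission on the server side. If it does, the docstring could say so, e.g. `Hiding the button is cosmetic; the "new" action handler performs the real permission check.`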
@@ -1171,37 +1175,33 @@
 
             If not editable, just display the value via plain().
         '''
-        self.edit_check()
+        if not self.is_edit_ok():
+            return self.plain()
 
         if self._value is None:
             value = ''
         else:
             value = cgi.escape(str(self._value))
 
-        if self.is_edit_ok():
-            value = '&quot;'.join(value.split('"'))
-            return self.input(name=self._formname,value=value,size=size)
-
-        return self.plain()
+        value = '&quot;'.join(value.split('"'))
+        return self.input(name=self._formname,value=value,size=size)
 
     def multiline(self, escape=0, rows=5, cols=40):
         ''' Render a multiline form edit field for the property.
 
             If not editable, just display the plain() value in a <pre> tag.
         '''
-        self.edit_check()
+        if not self.is_edit_ok():
+            return '<pre>%s</pre>'%self.plain()
 
         if self._value is None:
             value = ''
         else:
             value = cgi.escape(str(self._value))
 
-        if self.is_edit_ok():
-            value = '&quot;'.join(value.split('"'))
-            return '<textarea name="%s" rows="%s" cols="%s">%s</textarea>'%(
-                self._formname, rows, cols, value)
-
-        return '<pre>%s</pre>'%self.plain()
+        value = '&quot;'.join(value.split('"'))
+        return '<textarea name="%s" rows="%s" cols="%s">%s</textarea>'%(
+            self._formname, rows, cols, value)
 
     def email(self, escape=1):
         ''' Render the value of the property as an obscured email address
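Review bot: The read-only branches added to field() and multiline() return `self.plain()` without the `cgi.escape` that the editable branch applies, and multiline() places the result directly inside `<pre>` markup. plain() is defined outside this hunk; if it does not escape by default, a stored value reaches the page as raw HTML for exactly those users who lack edit permission. If plain() accepts the same `escape` flag that email() shows on the context line, `return self.plain(escape=1)` and `return '<pre>%s</pre>'%self.plain(escape=1)` would make both branches consistent. The same fallback is added in the hunks at -1238, -1276 and -1501. field() begins above this hunk, so its signature is not visible here.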
@@ -1238,12 +1238,10 @@
 
             If not editable, just display the value via plain().
         '''
-        self.edit_check()
+        if not self.is_edit_ok():
+            return self.plain()
 
-        if self.is_edit_ok():
-            return self.input(type="password", name=self._formname, size=size)
-
-        return self.plain()
+        return self.input(type="password", name=self._formname, size=size)
 
     def confirm(self, size = 30):
         ''' Render a second form edit field for the property, used for
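Review bot: For a password property the new early return hands the value to `self.plain()`, so whatever plain() prints for a password decides whether a user without edit permission sees a placeholder or the stored hash; plain() is defined outside this hunk, and it is worth confirming it is the former. A comment above the return would record the requirement: `# plain() must never expose the stored password value`. The method's signature is above the hunk.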
@@ -1252,13 +1250,11 @@
 
             If not editable, display nothing.
         '''
-        self.edit_check()
+        if not self.is_edit_ok():
+            return ''
 
-        if self.is_edit_ok():
-            return self.input(type="password",
-                name="@confirm@%s"%self._formname, size=size)
-
-        return ''
+        return self.input(type="password",
+            name="@confirm@%s"%self._formname, size=size)
 
 class NumberHTMLProperty(HTMLProperty):
     def plain(self):
@@ -1276,18 +1272,16 @@
 
             If not editable, just display the value via plain().
         '''
-        self.edit_check()
+        if not self.is_edit_ok():
+            return self.plain()
 
         if self._value is None:
             value = ''
         else:
             value = cgi.escape(str(self._value))
 
-        if self.is_edit_ok():
-            value = '&quot;'.join(value.split('"'))
-            return self.input(name=self._formname,value=value,size=size)
-
-        return self.plain()
+        value = '&quot;'.join(value.split('"'))
+        return self.input(name=self._formname,value=value,size=size)
 
     def __int__(self):
         ''' Return an int of me
@@ -1315,8 +1309,6 @@
 
             If not editable, just display the value via plain().
         '''
-        self.edit_check()
-
         if not self.is_edit_ok():
             return self.plain()
 
@@ -1368,18 +1360,18 @@
         '''
         self.view_check()
 
-	ret = date.Date('.', translator=self._client)
+        ret = date.Date('.', translator=self._client)
 
-	if isinstance(str_interval, basestring):
-		sign = 1
-		if str_interval[0] == '-':
-			sign = -1
-			str_interval = str_interval[1:]
-		interval = date.Interval(str_interval, translator=self._client)
-		if sign > 0:
-			ret = ret + interval
-		else:
-			ret = ret - interval
+        if isinstance(str_interval, basestring):
+            sign = 1
+            if str_interval[0] == '-':
+                sign = -1
+                str_interval = str_interval[1:]
+            interval = date.Interval(str_interval, translator=self._client)
+            if sign > 0:
+                ret = ret + interval
+            else:
+                ret = ret - interval
 
         return DateHTMLProperty(self._client, self._classname, self._nodeid,
             self._prop, self._formname, ret)
@@ -1391,7 +1383,6 @@
 
         The format string is a standard python strftime format string.
         '''
-        self.edit_check()
         if not self.is_edit_ok():
             if format is self._marker:
                 return self.plain()
@@ -1406,8 +1397,8 @@
                     raw_value = Date(default, translator=self._client)
                 elif isinstance(default, date.Date):
                     raw_value = default
-		elif isinstance(default, DateHTMLProperty):
-		    raw_value = default._value
+                elif isinstance(default, DateHTMLProperty):
+                    raw_value = default._value
                 else:
                     raise ValueError, _('default value for '
                         'DateHTMLProperty must be either DateHTMLProperty '
@@ -1501,18 +1492,16 @@
 
             If not editable, just display the value via plain().
         '''
-        self.edit_check()
+        if not self.is_edit_ok():
+            return self.plain()
 
         if self._value is None:
             value = ''
         else:
             value = cgi.escape(str(self._value))
 
-        if self.is_edit_ok():
-            value = '&quot;'.join(value.split('"'))
-            return self.input(name=self._formname,value=value,size=size)
-
-        return self.plain()
+        value = '&quot;'.join(value.split('"'))
+        return self.input(name=self._formname,value=value,size=size)
 
 class LinkHTMLProperty(HTMLProperty):
     ''' Link HTMLProperty
@@ -1558,8 +1547,6 @@
 
             If not editable, just display the value via plain().
         '''
-        self.edit_check()
-
         if not self.is_edit_ok():
             return self.plain()
 
@@ -1584,8 +1571,6 @@
 
             If not editable, just display the value via plain().
         '''
-        self.edit_check()
-
         if not self.is_edit_ok():
             return self.plain()
 
@@ -1715,8 +1700,6 @@
 
             If not editable, just display the value via plain().
         '''
-        self.edit_check()
-
         if not self.is_edit_ok():
             return self.plain()
 
@@ -1737,8 +1720,6 @@
 
             If not editable, just display the value via plain().
         '''
-        self.edit_check()
-
         if not self.is_edit_ok():
             return self.plain()
 
--- a/templates/classic/schema.py	Mon Jan 03 23:07:03 2005 +0000
+++ b/templates/classic/schema.py	Tue Jan 04 00:55:37 2005 +0000
@@ -106,10 +106,10 @@
 def own_record(db, userid, itemid):
     '''Determine whether the userid matches the item being accessed.'''
     return userid == itemid
-p = db.security.addPermission(name='View Self', klass='user', check=own_record,
+p = db.security.addPermission(name='View', klass='user', check=own_record,
     description="User is allowed to view their own user details")
 db.security.addPermissionToRole('User', p)
-p = db.security.addPermission(name='Edit Self', klass='user', check=own_record,
+p = db.security.addPermission(name='Edit', klass='user', check=own_record,
     description="User is allowed to edit their own user details")
 db.security.addPermissionToRole('User', p)
 
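Review bot: Renaming the permissions to plain `View` and `Edit` leaves `own_record` as the only thing limiting them to the user's own record, so any other unconditional `View` or `Edit` grant on klass `user` to the `User` role elsewhere in this schema would silently widen access; the rest of the file is outside the hunk. A comment above the two calls would explain the generic names, e.g. `# named View/Edit so the generic permission checks find them; own_record restricts them to the user's own item`. Deployed trackers presumably carry their own copy of schema.py, so the upgrade notes should tell admins to apply the same rename. templates/minimal/schema.py receives the identical change.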
--- a/templates/minimal/schema.py	Mon Jan 03 23:07:03 2005 +0000
+++ b/templates/minimal/schema.py	Tue Jan 04 00:55:37 2005 +0000
@@ -37,10 +37,10 @@
 def own_record(db, userid, itemid):
     '''Determine whether the userid matches the item being accessed.'''
     return userid == itemid
-p = db.security.addPermission(name='View Self', klass='user', check=own_record,
+p = db.security.addPermission(name='View', klass='user', check=own_record,
     description="User is allowed to view their own user details")
 db.security.addPermissionToRole('User', p)
-p = db.security.addPermission(name='Edit Self', klass='user', check=own_record,
+p = db.security.addPermission(name='Edit', klass='user', check=own_record,
     description="User is allowed to edit their own user details")
 db.security.addPermissionToRole('User', p)
 
