changeset 3075:326ad9da0b75 maint-0.8

merge from HEAD
author Richard Jones <richard@users.sourceforge.net>
date Wed, 05 Jan 2005 22:13:28 +0000
parents b3f9dee6aa76
children abdeb9b0e53a
files CHANGES.txt roundup/cgi/actions.py
diffstat 2 files changed, 7 insertions(+), 8 deletions(-) [+]
--- a/CHANGES.txt	Wed Jan 05 22:02:57 2005 +0000
+++ b/CHANGES.txt	Wed Jan 05 22:13:28 2005 +0000
@@ -64,6 +64,7 @@
 Fixed:
 - index args URL generation broken in .10 (sf bug 1096027)
 - handle NotModified for non-static files (sf patch 1095790)
+- fix permission lookup in query editing
 
 
 2004-10-04 0.7.10
--- a/roundup/cgi/actions.py	Wed Jan 05 22:02:57 2005 +0000
+++ b/roundup/cgi/actions.py	Wed Jan 05 22:13:28 2005 +0000
@@ -1,4 +1,4 @@
-#$Id: actions.py,v 1.40.2.1 2004-12-15 00:03:36 richard Exp $
+#$Id: actions.py,v 1.40.2.2 2005-01-05 22:13:28 richard Exp $
 
 import re, cgi, StringIO, urllib, Cookie, time, random
 
@@ -158,14 +158,13 @@
                 # edit the old way, only one query per name
                 try:
                     qid = self.db.query.lookup(queryname)
-                    if not self.hasPermission('Edit', self.classname,
-                            itemid=qid):
+                    if not self.hasPermission('Edit', 'query', itemid=qid):
                         raise exceptions.Unauthorised, self._(
                             "You do not have permission to edit queries")
                     self.db.query.set(qid, klass=self.classname, url=url)
                 except KeyError:
                     # create a query
-                    if not self.hasPermission('Create', self.classname):
+                    if not self.hasPermission('Create', 'query'):
                         raise exceptions.Unauthorised, self._(
                             "You do not have permission to store queries")
                     qid = self.db.query.create(name=queryname,
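Review bot: The `try` in the old-way branch still wraps the Edit check and `self.db.query.set(...)` as well as the lookup, so a KeyError raised by either of them would be handled as "query not found" and fall through to the create path, which is gated by the different 'Create' permission. Keeping only `qid = self.db.query.lookup(queryname)` inside the `try` and moving the permission check and the `set` call into an `else:` clause would keep authorisation and storage errors out of that handler. Whether hasPermission or set can actually raise KeyError is not visible here, so this is a precaution rather than a confirmed fault. The except branch continues past the end of the hunk.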
@@ -187,14 +186,13 @@
                     for qid in qids:
                         if queryname != self.db.query.get(qid, 'name'):
                             continue
-                        if not self.hasPermission('Edit', self.classname,
-                                itemid=qid):
+                        if not self.hasPermission('Edit', 'query', itemid=qid):
                             raise exceptions.Unauthorised, self._(
                             "You do not have permission to edit queries")
                         self.db.query.set(qid, klass=self.classname, url=url)
                 else:
                     # create a query
-                    if not self.hasPermission('Create', self.classname):
+                    if not self.hasPermission('Create', 'query'):
                         raise exceptions.Unauthorised, self._(
                             "You do not have permission to store queries")
                     qid = self.db.query.create(name=queryname,
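Review bot: The loop checks 'Edit' and calls `self.db.query.set(...)` one item at a time, so when several entries in `qids` carry the same name, an Unauthorised raised for a later one arrives after earlier ones were already rewritten. Unless the caller rolls the transaction back on Unauthorised, which is not visible in this hunk, the request would be denied yet partly applied. Authorising every matching query before writing any of them avoids depending on that. The loop's enclosing block starts outside the hunk.
```python
matching = [qid for qid in qids
    if queryname == self.db.query.get(qid, 'name')]
# authorise every match before any of them is written
for qid in matching:
    if not self.hasPermission('Edit', 'query', itemid=qid):
        raise exceptions.Unauthorised, self._(
            "You do not have permission to edit queries")
for qid in matching:
    self.db.query.set(qid, klass=self.classname, url=url)
# … unchanged: else branch that creates the query …
```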
@@ -492,7 +490,7 @@
         Base behaviour is to check the user can edit this class. No additional
         property checks are made.
         """
-        return self.hasPermission('Create', self.classname)
+        return self.hasPermission('Create')
 
 class EditItemAction(EditCommon):
     def lastUserActivity(self):
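Review bot: The docstring just above this return says the base behaviour is to check that the user can edit this class, but the call checks the 'Create' permission; the sentence should read `Base behaviour is to check the user can create items of this class.` Dropping the explicit `self.classname` also makes the result depend on hasPermission's default class, which is not shown in this hunk. Presumably it falls back to the current class, but that is worth confirming, or stating in a comment such as `# classname defaults to the class being acted on`, so the check cannot silently change scope. The method's def line is outside the hunk.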
