changeset 2002:b046b65e51db
if you're going to enforce class-level permissions...
...then enforce them at the class level
| author | Richard Jones <richard@users.sourceforge.net> |
|---|---|
| date | Wed, 11 Feb 2004 00:22:20 +0000 |
| parents | 1e96ed79f0c3 |
| children | a291bf753037 |
| files | roundup/cgi/templating.py |
| diffstat | 1 files changed, 21 insertions(+), 1 deletions(-) [+] |
--- a/roundup/cgi/templating.py Wed Feb 11 00:21:46 2004 +0000
+++ b/roundup/cgi/templating.py Wed Feb 11 00:22:20 2004 +0000
@@ -874,7 +874,7 @@
 ''' Is the user allowed to View the current class?
 Also check whether this is the current user's info.
 '''
- return self._db.security.hasPermission('Edit', self._client.userid,
+ return self._db.security.hasPermission('View', self._client.userid,
 self._classname) or (self._nodeid == self._client.userid and
 self._db.user.get(self._client.userid, 'username') != 'anonymous')
@@ -915,6 +915,26 @@
 return cmp(self._value, other._value)
 return cmp(self._value, other)
+ def is_edit_ok(self):
+ ''' Is the user allowed to Edit the current class?
+ '''
+ thing = HTMLDatabase(self._client)[self._classname]
+ if self._nodeid:
+ # this is a special-case for the User class where permission's
+ # on a per-item basis :(
+ thing = thing.getItem(self._nodeid)
+ return thing.is_edit_ok()
+
+ def is_view_ok(self):
+ ''' Is the user allowed to View the current class?
+ '''
+ thing = HTMLDatabase(self._client)[self._classname]
+ if self._nodeid:
+ # this is a special-case for the User class where permission's
+ # on a per-item basis :(
+ thing = thing.getItem(self._nodeid)
+ return thing.is_view_ok()
+
 class StringHTMLProperty(HTMLProperty):
 hyper_re = re.compile(r'((?P<url>\w{3,6}://\S+)|'
 r'(?P<email>[-+=%/\w\.]+@[\w\.\-]+)|'
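Review bot: The own-record clause that follows the corrected `'View'` check in the first hunk, `self._nodeid == self._client.userid`, compares ids only and never looks at `self._classname`. The method's signature and enclosing class are outside the hunk, so it may already be limited to user items; if it can be reached for any other class, a logged-in user whose id happens to equal the item id would pass without holding View permission. In that case the clause should start with `self._classname == 'user' and`. The docstring could also state that the exemption is keyed on the username being exactly `'anonymous'`.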
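Review bot: Nothing in the second hunk makes the property consult the new `is_view_ok()` / `is_edit_ok()` before it renders a value or builds an edit field, so on the visible lines the check only takes effect where a template calls it explicitly. The enclosing class and its rendering methods are outside the hunk; if they do not already gate on these methods, either call them there or say in the docstrings that the caller is responsible for the check. The docstrings say "current class" although the check is delegated to the item whenever `self._nodeid` is set, and the comment presents this as a User-class special case while the branch runs for every class; something like `''' Is the user allowed to Edit this property's item (or its class when there is no item)? '''` would match the code. The two bodies differ only in the final call and could share one private lookup helper.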
