changeset 4126:e67379669e11
Make sure user has edit permission on all properties when creating items.
| author | Stefan Seefeld <stefan@seefeld.name> |
|---|---|
| date | Wed, 17 Jun 2009 01:28:11 +0000 |
| parents | d499c3499d18 |
| children | 6609f944fb0c |
| files | roundup/cgi/actions.py |
| diffstat | 1 files changed, 17 insertions(+), 1 deletions(-) [+] |
--- a/roundup/cgi/actions.py Wed Jun 17 01:26:34 2009 +0000 +++ b/roundup/cgi/actions.py Wed Jun 17 01:28:11 2009 +0000 @@ -539,9 +539,25 @@ Base behaviour is to check the user can edit this class. No additional property checks are made. """ + if not classname : classname = self.client.classname - return self.hasPermission('Create', classname=classname) + + if not self.hasPermission('Create', classname=classname): + return 0 + + # Check Edit permission for each property, to avoid being able + # to set restricted ones on new item creation + for key in props: + if not self.hasPermission('Edit', classname=classname, + property=key): + # We restrict by default and special-case allowed properties + if key == 'date' or key == 'content': + continue + elif key == 'author' and props[key] == self.userid: + continue + return 0 + return 1 class EditItemAction(EditCommon): def lastUserActivity(self):
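Review bot: The exemption for `date`, `content` and a self-matching `author` in the new loop is keyed on the property name alone, so it applies to every class that reaches this check rather than only the classes it was presumably written for. Any class that restricts Edit on a property with one of those names would still accept a caller-supplied value at creation. Consider scoping the exemption to the intended classes, for example `if classname in EXEMPT_CLASSES and key in ('date', 'content'):`, where `EXEMPT_CLASSES` is a placeholder name for a set defined next to the action. The docstring kept as context still says "No additional property checks are made", which is no longer true and should state that Edit permission is checked per property with the listed exceptions. The method's signature lies outside the hunk, so the origin of `props` and whether `props[key]` and `self.userid` are always the same type cannot be confirmed from here.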
