From 22806d3285253a508bb8176abc7b91bc03f2e4d6 Mon Sep 17 00:00:00 2001
From: stefan <stefan@57a73879-2fb5-44c3-a270-3262357dd7e2>
Date: Wed, 17 Jun 2009 01:26:04 +0000
Subject: [PATCH] Restrict user creation rights in XMLRPC frontend.

git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4217 57a73879-2fb5-44c3-a270-3262357dd7e2
---
 roundup/xmlrpc.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/roundup/xmlrpc.py b/roundup/xmlrpc.py
index 03ef5a1..0014df3 100644
--- a/roundup/xmlrpc.py
+++ b/roundup/xmlrpc.py
@@ -90,6 +90,7 @@ class RoundupInstance:
         return dict(result)
 
     def create(self, classname, *args):
+        
         if not self.db.security.hasPermission('Create', self.db.getuid(), classname):
             raise Unauthorised('Permission to create %s denied'%classname)
 
@@ -103,6 +104,11 @@ class RoundupInstance:
         if key and not props.has_key(key):
             raise UsageError, 'you must provide the "%s" property.'%key
 
+        for key in props:
+            if not self.db.security.hasPermission('Edit', self.db.getuid(), classname,
+                                                  property=key):
+                raise Unauthorised('Permission to create %s denied'%classname)
+
         # do the actual create
         try:
             result = cl.create(**props)
@@ -129,7 +135,7 @@ class RoundupInstance:
     builtin_actions = {'retire': actions.Retire}
 
     def action(self, name, *args):
-        """"""
+        """Execute a named action."""
         
         if name in self.actions:
             action_type = self.actions[name]
-- 
2.30.2