
Restrict user creation rights in XMLRPC frontend.
authorstefan <stefan@57a73879-2fb5-44c3-a270-3262357dd7e2>
Wed, 17 Jun 2009 01:26:04 +0000 (01:26 +0000)
committerstefan <stefan@57a73879-2fb5-44c3-a270-3262357dd7e2>
Wed, 17 Jun 2009 01:26:04 +0000 (01:26 +0000)
git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4217 57a73879-2fb5-44c3-a270-3262357dd7e2

roundup/xmlrpc.py

index 03ef5a1c107fdc812e3f5a5d6fee9ef8866152ef..0014df36428156f831878d80478d60144a3ab3a1 100644 (file)
@@ -90,6 +90,7 @@ class RoundupInstance:
         return dict(result)
 
     def create(self, classname, *args):
+        
         if not self.db.security.hasPermission('Create', self.db.getuid(), classname):
             raise Unauthorised('Permission to create %s denied'%classname)
 
@@ -103,6 +104,11 @@ class RoundupInstance:
         if key and not props.has_key(key):
             raise UsageError, 'you must provide the "%s" property.'%key
 
+        for key in props:
+            if not self.db.security.hasPermission('Edit', self.db.getuid(), classname,
+                                                  property=key):
+                raise Unauthorised('Permission to create %s denied'%classname)
+
         # do the actual create
         try:
             result = cl.create(**props)
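Review bot: The per-property loop added before `# do the actual create` checks the 'Edit' permission, while the gate at the top of create() checks 'Create', so a role holding one permission but not the other is handled inconsistently. If property-level creation rights are the intent, `hasPermission('Create', self.db.getuid(), classname, property=key)` would keep the two checks aligned; how the security model resolves 'Create' per property is not visible here, so confirm before changing it. The Unauthorised message repeats the class-level text and never names the refused property, so a client or log reader cannot tell which check failed; `raise Unauthorised('Permission to create %s.%s denied'%(classname, key))` would make that clear. The loop also rebinds `key`, which the preceding lines use for the class's key property, so a separate name such as `propname` is safer in case `key` is read later. create() starts and ends outside this hunk.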
@@ -129,7 +135,7 @@ class RoundupInstance:
     builtin_actions = {'retire': actions.Retire}
 
     def action(self, name, *args):
-        """"""
+        """Execute a named action."""
         
         if name in self.actions:
             action_type = self.actions[name]