
Make sure user has edit permission on all properties when creating items.
authorstefan <stefan@57a73879-2fb5-44c3-a270-3262357dd7e2>
Wed, 17 Jun 2009 01:28:11 +0000 (01:28 +0000)
committerstefan <stefan@57a73879-2fb5-44c3-a270-3262357dd7e2>
Wed, 17 Jun 2009 01:28:11 +0000 (01:28 +0000)
git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4219 57a73879-2fb5-44c3-a270-3262357dd7e2

roundup/cgi/actions.py

index 0f42319da3eff1359dc7168959a4973082dea139..04b73c015101e563825667a357c85c311759d420 100755 (executable)
@@ -539,9 +539,25 @@ class EditCommon(Action):
         Base behaviour is to check the user can edit this class. No additional
         property checks are made.
         """
+
         if not classname :
             classname = self.client.classname
-        return self.hasPermission('Create', classname=classname)
+        
+        if not self.hasPermission('Create', classname=classname):
+            return 0
+
+        # Check Edit permission for each property, to avoid being able
+        # to set restricted ones on new item creation
+        for key in props:
+            if not self.hasPermission('Edit', classname=classname,
+                                      property=key):
+                # We restrict by default and special-case allowed properties
+                if key == 'date' or key == 'content':
+                    continue
+                elif key == 'author' and props[key] == self.userid:
+                    continue
+                return 0
+        return 1
 
 class EditItemAction(EditCommon):
     def lastUserActivity(self):
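Review bot: The exemptions at `if key == 'date' or key == 'content':` and the `author` branch apply to every `classname`, so any class that has a property with one of those names skips the per-property Edit check at creation time. If they are meant only for message- or file-like classes (an inference, the hunk does not say), the condition should also test `classname`, or the exempted names should live in a table keyed by class instead of being hard-coded in the loop. The docstring context line still says "No additional property checks are made", which the new loop contradicts; it should read something like `Also requires Edit permission on each property in props, except date/content and an author equal to the current user.` The method's signature lies outside the hunk, so where `props` comes from, and whether it can be empty or None, is not visible here.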