From: richard Date: Thu, 12 Mar 2009 03:04:10 +0000 (+0000) Subject: fix missed hole in the CSV editing - could still view items in the generic index... X-Git-Url: https://git.tokkee.org/?a=commitdiff_plain;h=28a2ecfd3fa1d2276bb15b42ff305203c0f21175;p=roundup.git fix missed hole in the CSV editing - could still view items in the generic index editor git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4182 57a73879-2fb5-44c3-a270-3262357dd7e2
---
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
index d6e6a2b..501ca3c 100644
--- a/roundup/cgi/templating.py
+++ b/roundup/cgi/templating.py
@@ -615,9 +615,16 @@ class HTMLClass(HTMLInputMixin, HTMLPermissions):
 s = StringIO.StringIO()
 writer = csv.writer(s)
 writer.writerow(props)
+ check = self._client.db.security.hasPermission
 for nodeid in self._klass.list():
 l = []
 for name in props:
+ # check permission to view this property on this item
+ if not check('View', self._client.userid, itemid=nodeid,
+ classname=self._klass.classname, property=name):
+ raise Unauthorised('view', self._klass.classname,
+ translator=self._client.translator)
+ row.append(str(klass.get(itemid, name)))
 value = self._klass.get(nodeid, name)
 if value is None:
 l.append('')
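Review bot: The added line `row.append(str(klass.get(itemid, name)))` uses `row`, `klass` and `itemid`, none of which is bound in the visible part of this method, where the loop works with `l`, `self._klass` and `nodeid`. Unless those names are defined above the hunk, the first property that passes the permission check raises NameError, so the CSV index editor fails for every user rather than only for unauthorised ones. The line looks pasted from another CSV routine and should simply be deleted, since the following `value = self._klass.get(nodeid, name)` lines already build the row. It is also worth confirming that `Unauthorised` is imported in templating.py, and that aborting the whole listing on the first non-viewable property is intended rather than skipping that item. The method starts and ends outside the hunk.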