From: stefan <stefan@57a73879-2fb5-44c3-a270-3262357dd7e2>
Date: Thu, 12 Feb 2009 05:05:12 +0000 (+0000)
Subject: fix issue2550502
X-Git-Url: https://git.tokkee.org/?a=commitdiff_plain;h=f141e7d05bcb9b0aa26d084fde384e3eb405f418;p=roundup.git

fix issue2550502

git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4121 57a73879-2fb5-44c3-a270-3262357dd7e2
---

diff --git a/roundup/cgi/actions.py b/roundup/cgi/actions.py
index ac43e4c..136fb99 100755
--- a/roundup/cgi/actions.py
+++ b/roundup/cgi/actions.py
@@ -59,12 +59,12 @@ class Action:
                 '%(action)s the %(classname)s class.')%info
 
     _marker = []
-    def hasPermission(self, permission, classname=_marker, itemid=None):
+    def hasPermission(self, permission, classname=_marker, itemid=None, property=None):
         """Check whether the user has 'permission' on the current class."""
         if classname is self._marker:
             classname = self.client.classname
         return self.db.security.hasPermission(permission, self.client.userid,
-            classname=classname, itemid=itemid)
+            classname=classname, itemid=itemid, property=property)
 
     def gettext(self, msgid):
         """Return the localized translation of msgid"""
@@ -486,26 +486,22 @@ class EditCommon(Action):
 
     _cn_marker = []
     def editItemPermission(self, props, classname=_cn_marker, itemid=None):
-        """Determine whether the user has permission to edit this item.
-
-        Base behaviour is to check the user can edit this class. If we're
-        editing the "user" class, users are allowed to edit their own details.
-        Unless it's the "roles" property, which requires the special Permission
-        "Web Roles".
-        """
-        if self.classname == 'user':
-            if props.has_key('roles') and not self.hasPermission('Web Roles'):
-                raise exceptions.Unauthorised, self._(
-                    "You do not have permission to edit user roles")
-            if self.isEditingSelf():
-                return 1
+        """Determine whether the user has permission to edit this item."""
         if itemid is None:
             itemid = self.nodeid
         if classname is self._cn_marker:
             classname = self.classname
-        if self.hasPermission('Edit', itemid=itemid, classname=classname):
-            return 1
-        return 0
+        # The user must have permission to edit each of the properties
+        # being changed.
+        for p in props:
+            if not self.hasPermission('Edit',
+                                      itemid=itemid,
+                                      classname=classname,
+                                      property=p):
+                return 0
+        # Since the user has permission to edit all of the properties,
+        # the edit is OK.
+        return 1
 
     def newItemPermission(self, props, classname=None):
         """Determine whether the user has permission to create this item.