From 22806d3285253a508bb8176abc7b91bc03f2e4d6 Mon Sep 17 00:00:00 2001
From: stefan
Date: Wed, 17 Jun 2009 01:26:04 +0000
Subject: [PATCH] Restrict user creation rights in XMLRPC frontend.
git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4217 57a73879-2fb5-44c3-a270-3262357dd7e2
---
 roundup/xmlrpc.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/roundup/xmlrpc.py b/roundup/xmlrpc.py
index 03ef5a1..0014df3 100644
--- a/roundup/xmlrpc.py
+++ b/roundup/xmlrpc.py
@@ -90,6 +90,7 @@ class RoundupInstance:
 return dict(result)
 def create(self, classname, *args):
+
 if not self.db.security.hasPermission('Create', self.db.getuid(), classname):
 raise Unauthorised('Permission to create %s denied'%classname)
@@ -103,6 +104,11 @@ class RoundupInstance:
 if key and not props.has_key(key):
 raise UsageError, 'you must provide the "%s" property.'%key
+ for key in props:
+ if not self.db.security.hasPermission('Edit', self.db.getuid(), classname,
+ property=key):
+ raise Unauthorised('Permission to create %s denied'%classname)
+
 # do the actual create
 try:
 result = cl.create(**props)
@@ -129,7 +135,7 @@ class RoundupInstance:
 builtin_actions = {'retire': actions.Retire}
 def action(self, name, *args):
- """"""
+ """Execute a named action."""
 if name in self.actions:
 action_type = self.actions[name]
--
2.30.2
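Review bot: The per-property loop added before `cl.create(**props)` checks the 'Edit' permission but raises with the same 'Permission to create %s denied' text as the class-level 'Create' check, so a caller or an audit log cannot tell which property was refused. Name the property in the message, e.g. `raise Unauthorised('Permission to create %s.%s denied'%(classname, key))`. A comment should also say why 'Edit' rather than a property-scoped 'Create' is consulted here, since a role granted Create but not Edit on a property would presumably now be rejected. The loop reuses `key`, which the preceding `if key and not props.has_key(key):` line uses for the class's key property; a separate name such as `propname` keeps that value intact. `create` begins and ends outside this hunk.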