From 28a2ecfd3fa1d2276bb15b42ff305203c0f21175 Mon Sep 17 00:00:00 2001
From: richard
Date: Thu, 12 Mar 2009 03:04:10 +0000
Subject: [PATCH] fix missed hole in the CSV editing - could still view items in the generic index editor
git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4182 57a73879-2fb5-44c3-a270-3262357dd7e2
---
 roundup/cgi/templating.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
index d6e6a2b..501ca3c 100644
--- a/roundup/cgi/templating.py
+++ b/roundup/cgi/templating.py
@@ -615,9 +615,16 @@ class HTMLClass(HTMLInputMixin, HTMLPermissions):
 s = StringIO.StringIO()
 writer = csv.writer(s)
 writer.writerow(props)
+ check = self._client.db.security.hasPermission
 for nodeid in self._klass.list():
 l = []
 for name in props:
+ # check permission to view this property on this item
+ if not check('View', self._client.userid, itemid=nodeid,
+ classname=self._klass.classname, property=name):
+ raise Unauthorised('view', self._klass.classname,
+ translator=self._client.translator)
+ row.append(str(klass.get(itemid, name)))
 value = self._klass.get(nodeid, name)
 if value is None:
 l.append('')
-- 
2.30.2
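Review bot: The added `row.append(str(klass.get(itemid, name)))` uses `row`, `klass` and `itemid`, none of which are bound in the visible lines; the loop here works with `l`, `self._klass` and `nodeid`. Unless those names are defined earlier in the method (its start is outside the hunk), the first cell that passes the permission check raises NameError, so the CSV view breaks for authorised users as well. The context lines that follow already fetch the value and append it to `l`, so this line looks like a paste leftover and should be dropped. The check itself fails closed, which is the safe direction, but it aborts the whole listing on the first property the user may not view; a short comment stating that this is intended, such as `# deny the whole listing rather than silently omit restricted cells`, would help. A regression test with a user lacking View on a single property would also help.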