From 986cec795a9d41a849c4fbc6f1ce2802ccacd35e Mon Sep 17 00:00:00 2001 From: stefan Date: Wed, 17 Jun 2009 01:28:11 +0000 Subject: [PATCH] Make sure user has edit permission on all properties when creating items. git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4219 57a73879-2fb5-44c3-a270-3262357dd7e2 --- roundup/cgi/actions.py | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/roundup/cgi/actions.py b/roundup/cgi/actions.py index 0f42319..04b73c0 100755 --- a/roundup/cgi/actions.py +++ b/roundup/cgi/actions.py @@ -539,9 +539,25 @@ class EditCommon(Action): Base behaviour is to check the user can edit this class. No additional property checks are made. """ + if not classname : classname = self.client.classname - return self.hasPermission('Create', classname=classname) + + if not self.hasPermission('Create', classname=classname): + return 0 + + # Check Edit permission for each property, to avoid being able + # to set restricted ones on new item creation + for key in props: + if not self.hasPermission('Edit', classname=classname, + property=key): + # We restrict by default and special-case allowed properties + if key == 'date' or key == 'content': + continue + elif key == 'author' and props[key] == self.userid: + continue + return 0 + return 1 class EditItemAction(EditCommon): def lastUserActivity(self): -- 2.30.2