From d9945769f490781c800848db8d7868e4562ad7a5 Mon Sep 17 00:00:00 2001 From: richard Date: Thu, 19 Feb 2004 02:39:05 +0000 Subject: [PATCH] fix permission handling around rego git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/trunk@2100 57a73879-2fb5-44c3-a270-3262357dd7e2 --- roundup/backends/sessions.py | 7 ++-- roundup/cgi/actions.py | 20 +++++------ roundup/cgi/templating.py | 69 ++++++++++++++++++++++++++---------- 3 files changed, 65 insertions(+), 31 deletions(-) diff --git a/roundup/backends/sessions.py b/roundup/backends/sessions.py index addeb90..60a1796 100644 --- a/roundup/backends/sessions.py +++ b/roundup/backends/sessions.py @@ -1,4 +1,4 @@ -#$Id: sessions.py,v 1.7 2004-02-11 23:55:09 richard Exp $ +#$Id: sessions.py,v 1.8 2004-02-19 02:39:05 richard Exp $ """This module defines a very basic store that's used by the CGI interface to store session and one-time-key information. @@ -59,7 +59,10 @@ class BasicDatabase: def getall(self, infoid): db = self.opendb('c') try: - return marshal.loads(db[infoid]) + try: + return marshal.loads(db[infoid]) + except KeyError: + raise KeyError, 'No such One Time Key "%s"'%infoid finally: db.close() diff --git a/roundup/cgi/actions.py b/roundup/cgi/actions.py index 196ad5d..43346c2 100755 --- a/roundup/cgi/actions.py +++ b/roundup/cgi/actions.py @@ -619,7 +619,6 @@ class ConfRegoAction(Action): # pull the rego information out of the otk database self.userid = self.db.confirm_registration(self.form['otk'].value) except (ValueError, KeyError), message: - # XXX: we need to make the "default" page be able to display errors! self.client.error_message.append(str(message)) return @@ -627,11 +626,10 @@ class ConfRegoAction(Action): self.client.user = self.db.user.get(self.userid, 'username') # re-open the database for real, using the user self.client.opendb(self.client.user) - self.db = client.db # if we have a session, update it if hasattr(self, 'session'): - self.db.sessions.set(self.session, user=self.user, + self.client.db.sessions.set(self.session, user=self.user, last_use=time.time()) else: # new session cookie @@ -642,7 +640,7 @@ class ConfRegoAction(Action): # redirect to the user's page raise Redirect, '%suser%s?@ok_message=%s'%(self.base, - self.userid, urllib.quote(message)) + self.userid, urllib.quote(message)) class RegisterAction(Action): name = 'register' @@ -654,16 +652,18 @@ class RegisterAction(Action): Return 1 on successful login. """ - props = self.client.parsePropsFromForm()[0][('user', None)] + props = self.client.parsePropsFromForm(create=1)[0][('user', None)] # registration isn't allowed to supply roles if props.has_key('roles'): - raise Unauthorised, _("It is not permitted to supply roles at registration.") + raise Unauthorised, _("It is not permitted to supply roles " + "at registration.") + username = props['username'] try: - self.db.user.lookup(props['username']) - self.client.error_message.append('Error: A user with the username "%s" ' - 'already exists'%props['username']) + self.db.user.lookup(username) + self.client.error_message.append(_('Error: A user with the ' + 'username "%(username)s" already exists')%props) return except KeyError: pass @@ -686,7 +686,7 @@ class RegisterAction(Action): # send the email tracker_name = self.db.config.TRACKER_NAME tracker_email = self.db.config.TRACKER_EMAIL - subject = 'Complete your registration to %s -- key %s' % (tracker_name, + subject = 'Complete your registration to %s -- key %s'%(tracker_name, otk) body = """To complete your registration of the user "%(name)s" with %(tracker)s, please do one of the following: diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py index f91d65a..1a807f9 100644 --- a/roundup/cgi/templating.py +++ b/roundup/cgi/templating.py @@ -205,7 +205,10 @@ class RoundupPageTemplate(PageTemplate.PageTemplate): c['context'] = HTMLItem(client, classname, client.nodeid, anonymous=1) elif client.db.classes.has_key(classname): - c['context'] = HTMLClass(client, classname, anonymous=1) + if classname == 'user': + c['context'] = HTMLUserClass(client, classname, anonymous=1) + else: + c['context'] = HTMLClass(client, classname, anonymous=1) return c def render(self, client, classname, request, **options): @@ -253,6 +256,8 @@ class HTMLDatabase: return HTMLItem(self._client, m.group('cl'), m.group('id')) else: self._client.db.getclass(item) + if item == 'user': + return HTMLUserClass(self._client, item) return HTMLClass(self._client, item) def __getattr__(self, attr): @@ -264,7 +269,12 @@ class HTMLDatabase: def classes(self): l = self._client.db.classes.keys() l.sort() - return [HTMLClass(self._client, cn) for cn in l] + r = [] + for item in l: + if item == 'user': + m.append(HTMLUserClass(self._client, item)) + m.append(HTMLClass(self._client, item)) + return r def lookupIds(db, prop, ids, num_re=re.compile('-?\d+')): cl = db.getclass(prop.classname) @@ -850,7 +860,44 @@ class HTMLItem(HTMLInputMixin, HTMLPermissions): # use our fabricated request return pt.render(self._client, req.classname, req) -class HTMLUser(HTMLItem): +class HTMLUserPermission: + + def is_edit_ok(self): + ''' Is the user allowed to Edit the current class? + Also check whether this is the current user's info. + ''' + return self._user_perm_check('Edit') + + def is_view_ok(self): + ''' Is the user allowed to View the current class? + Also check whether this is the current user's info. + ''' + return self._user_perm_check('View') + + def _user_perm_check(self, type): + # some users may view / edit all users + s = self._db.security + userid = self._client.userid + if s.hasPermission(type, userid, self._classname): + return 1 + + # users may view their own info + is_anonymous = self._db.user.get(userid, 'username') == 'anonymous' + if getattr(self, '_nodeid', None) == userid and not is_anonymous: + return 1 + + # may anonymous users register? + if (is_anonymous and s.hasPermission('Web Registration', userid, + self._classname)): + return 1 + + # nope, no access here + return 0 + +class HTMLUserClass(HTMLUserPermission, HTMLClass): + pass + +class HTMLUser(HTMLUserPermission, HTMLItem): ''' Accesses through the *user* (a special case of item) ''' def __init__(self, client, classname, nodeid, anonymous=0): @@ -871,22 +918,6 @@ class HTMLUser(HTMLItem): classname = self._default_classname return self._security.hasPermission(permission, self._nodeid, classname) - def is_edit_ok(self): - ''' Is the user allowed to Edit the current class? - Also check whether this is the current user's info. - ''' - return self._db.security.hasPermission('Edit', self._client.userid, - self._classname) or (self._nodeid == self._client.userid and - self._db.user.get(self._client.userid, 'username') != 'anonymous') - - def is_view_ok(self): - ''' Is the user allowed to View the current class? - Also check whether this is the current user's info. - ''' - return self._db.security.hasPermission('View', self._client.userid, - self._classname) or (self._nodeid == self._client.userid and - self._db.user.get(self._client.userid, 'username') != 'anonymous') - class HTMLProperty(HTMLInputMixin, HTMLPermissions): ''' String, Number, Date, Interval HTMLProperty -- 2.30.2