From dcfe0807025c5c666526cec72e9ab68af390c12b Mon Sep 17 00:00:00 2001
From: richard
Date: Wed, 11 Feb 2004 00:22:20 +0000
Subject: [PATCH] if you're going to enforce class-level permissions, then enforce them at the class level
git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/trunk@2070 57a73879-2fb5-44c3-a270-3262357dd7e2
---
 roundup/cgi/templating.py | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
index 49242ef..1305cd9 100644
--- a/roundup/cgi/templating.py
+++ b/roundup/cgi/templating.py
@@ -874,7 +874,7 @@ class HTMLUser(HTMLItem):
 ''' Is the user allowed to View the current class? Also check whether this is the current user's info. '''
- return self._db.security.hasPermission('Edit', self._client.userid,
+ return self._db.security.hasPermission('View', self._client.userid,
 self._classname) or (self._nodeid == self._client.userid and self._db.user.get(self._client.userid, 'username') != 'anonymous')
@@ -915,6 +915,26 @@ class HTMLProperty(HTMLInputMixin, HTMLPermissions):
 return cmp(self._value, other._value)
 return cmp(self._value, other)
+ def is_edit_ok(self):
+ ''' Is the user allowed to Edit the current class?
+ '''
+ thing = HTMLDatabase(self._client)[self._classname]
+ if self._nodeid:
+ # this is a special-case for the User class where permission's
+ # on a per-item basis :(
+ thing = thing.getItem(self._nodeid)
+ return thing.is_edit_ok()
+
+ def is_view_ok(self):
+ ''' Is the user allowed to View the current class?
+ '''
+ thing = HTMLDatabase(self._client)[self._classname]
+ if self._nodeid:
+ # this is a special-case for the User class where permission's
+ # on a per-item basis :(
+ thing = thing.getItem(self._nodeid)
+ return thing.is_view_ok()
+
 class StringHTMLProperty(HTMLProperty):
 hyper_re = re.compile(r'((?P\w{3,6}://\S+)|' r'(?P[-+=%/\w\.]+@[\w\.\-]+)|'
--
2.30.2
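Review bot: The two methods added to HTMLProperty in the second hunk, is_edit_ok and is_view_ok, repeat the same class-or-item lookup and differ only in the final call, so a later fix to one authorization path can easily miss the other; resolving the target in one private helper keeps them in step. Their docstrings also say "the current class" although the check is delegated to the item whenever `_nodeid` is set, which for the User class means the per-item rule (including the own-record exception touched in the first hunk) decides the result. The fence below shows the helper with docstrings that state this. Whether the property rendering methods actually consult these checks is not visible in this hunk.

```python
    def _permission_target(self):
        ''' Return the class wrapper, or the item wrapper when this
            property belongs to a specific node, so that per-item rules
            (as on the User class) decide the permission.
        '''
        thing = HTMLDatabase(self._client)[self._classname]
        if self._nodeid:
            thing = thing.getItem(self._nodeid)
        return thing

    def is_edit_ok(self):
        ''' Is the user allowed to Edit this property's class, or its
            item when a node id is set?
        '''
        return self._permission_target().is_edit_ok()

    def is_view_ok(self):
        ''' Is the user allowed to View this property's class, or its
            item when a node id is set?
        '''
        return self._permission_target().is_view_ok()
```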