[tokkee]

tokkee.org

Code

projects / roundup.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Proper handling of 'Create' permissions in both mail gateway (earlier
[roundup.git] / roundup / cgi / actions.py
diff --git a/roundup/cgi/actions.py b/roundup/cgi/actions.py
index c19849413aff73dc169ead6b0e6ba347f8996267..36dfee3707f96a02c0c12c0cd49c70f66c8f718c 100755 (executable)
--- a/roundup/cgi/actions.py
+++ b/roundup/cgi/actions.py
@@ -551,16 +551,11 @@ class EditCommon(Action):
         if not self.hasPermission('Create', classname=classname):
             return 0
 
-        # Check Edit permission for each property, to avoid being able
+        # Check Create permission for each property, to avoid being able
         # to set restricted ones on new item creation
         for key in props:
-            if not self.hasPermission('Edit', classname=classname,
+            if not self.hasPermission('Create', classname=classname,
                                       property=key):
-                # We restrict by default and special-case allowed properties
-                if key == 'date' or key == 'content':
-                    continue
-                elif key == 'author' and props[key] == self.userid:
-                    continue
                 return 0
         return 1
 
Roundup Issue Tracker (SVN clone)