- Add explicit "Search" permissions, see Security Fix below.

[roundup.git] / roundup / xmlrpc.py

diff --git a/roundup/xmlrpc.py b/roundup/xmlrpc.py
index 4e0d19ad38be7f42ef49c0e405aa8d1a48fe6e64..9dda5f8aae55899b2f717baa7d8c0af6e704cff0 100644 (file)
--- a/roundup/xmlrpc.py
+++ b/roundup/xmlrpc.py
@@ -10,6 +10,7 @@ from roundup.exceptions import UsageError
 from roundup.date import Date, Range, Interval
 from roundup import actions
 from SimpleXMLRPCServer import *
+from xmlrpclib import Binary
 
 def translate(value):
     """Translate value to becomes valid for XMLRPC transmission."""
@@ -32,12 +33,19 @@ def props_from_args(db, cl, args, itemid=None):
 
     props = {}
     for arg in args:
-        if arg.find('=') == -1:
+        if isinstance(arg, Binary):
+            arg = arg.data
+        try :
+            key, value = arg.split('=', 1)
+        except ValueError :
             raise UsageError, 'argument "%s" not propname=value'%arg
-        l = arg.split('=')
-        if len(l) < 2:
-            raise UsageError, 'argument "%s" not propname=value'%arg
-        key, value = l[0], '='.join(l[1:])
+        if isinstance(key, unicode):
+            try:
+                key = key.encode ('ascii')
+            except UnicodeEncodeError:
+                raise UsageError, 'argument %r is no valid ascii keyword'%key
+        if isinstance(value, unicode):
+            value = value.encode('utf-8')
         if value:
             try:
                 props[key] = hyperdb.rawToHyperdb(db, cl, itemid,
@@ -81,8 +89,15 @@ class RoundupInstance:
     def filter(self, classname, search_matches, filterspec,
                sort=[], group=[]):
         cl = self.db.getclass(classname)
+        uid = self.db.getuid()
+        security = self.db.security
+        filterspec = security.filterFilterspec (uid, classname, filterspec)
+        sort = security.filterSortspec (uid, classname, sort)
+        group = security.filterSortspec (uid, classname, group)
         result = cl.filter(search_matches, filterspec, sort=sort, group=group)
-        return result
+        check = security.hasPermission
+        x = [id for id in result if check('View', uid, classname, itemid=id)]
+        return x
 
     def display(self, designator, *properties):
         classname, itemid = hyperdb.splitDesignator(designator)
@@ -113,9 +128,9 @@ class RoundupInstance:
             raise UsageError, 'you must provide the "%s" property.'%key
 
         for key in props:
-            if not self.db.security.hasPermission('Edit', self.db.getuid(), classname,
-                                                  property=key):
-                raise Unauthorised('Permission to set %s.%s denied'%(classname, key))
+            if not self.db.security.hasPermission('Create', self.db.getuid(),
+                classname, property=key):
+                raise Unauthorised('Permission to create %s.%s denied'%(classname, key))
 
         # do the actual create
         try:
@@ -165,7 +180,12 @@ class RoundupDispatcher(SimpleXMLRPCDispatcher):
     def __init__(self, db, actions, translator,
                  allow_none=False, encoding=None):
 
-        SimpleXMLRPCDispatcher.__init__(self, allow_none, encoding)
+        try:
+            # python2.5 and beyond
+            SimpleXMLRPCDispatcher.__init__(self, allow_none, encoding)
+        except TypeError:
+            # python2.4
+            SimpleXMLRPCDispatcher.__init__(self)
         self.register_instance(RoundupInstance(db, actions, translator))