fix missed hole in the CSV editing - could still view items in the generic index...

author richard <richard@57a73879-2fb5-44c3-a270-3262357dd7e2>

Thu, 12 Mar 2009 03:04:10 +0000 (03:04 +0000)

committer richard <richard@57a73879-2fb5-44c3-a270-3262357dd7e2>

Thu, 12 Mar 2009 03:04:10 +0000 (03:04 +0000)
author richard <richard@57a73879-2fb5-44c3-a270-3262357dd7e2>
Thu, 12 Mar 2009 03:04:10 +0000 (03:04 +0000)
committer richard <richard@57a73879-2fb5-44c3-a270-3262357dd7e2>
Thu, 12 Mar 2009 03:04:10 +0000 (03:04 +0000)
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py

index d6e6a2b6aa1d5eb3022b1368edb3cc0452aaef15..501ca3c213f7ffd82e1da038b6993b8ede880ac4 100644 (file)
--- a/roundup/cgi/templating.py
+++ b/roundup/cgi/templating.py
@@ -615,9 +615,16 @@ class HTMLClass(HTMLInputMixin, HTMLPermissions):
          s = StringIO.StringIO()
          writer = csv.writer(s)
          writer.writerow(props)
+        check = self._client.db.security.hasPermission
          for nodeid in self._klass.list():
              l = []
              for name in props:
+                # check permission to view this property on this item
+                if not check('View', self._client.userid, itemid=nodeid,
+                        classname=self._klass.classname, property=name):
+                    raise Unauthorised('view', self._klass.classname,
+                        translator=self._client.translator)
+                row.append(str(klass.get(itemid, name)))
                  value = self._klass.get(nodeid, name)
                  if value is None:
                      l.append('')
author	richard <richard@57a73879-2fb5-44c3-a270-3262357dd7e2>
	Thu, 12 Mar 2009 03:04:10 +0000 (03:04 +0000)
committer	richard <richard@57a73879-2fb5-44c3-a270-3262357dd7e2>
	Thu, 12 Mar 2009 03:04:10 +0000 (03:04 +0000)