merge OLD changes from HEAD

Richard Jones · Richard Jones · commit 007b38f13260 · 2005-02-15T22:48:14.000Z
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
@@ -560,10 +560,16 @@ def list(self, sort_on=None):
         '''
         # get the list and sort it nicely
         l = self._klass.list()
-        sortfunc = make_sort_function(self._db, self.classname, sort_on)
+        sortfunc = make_sort_function(self._db, self._classname, sort_on)
         l.sort(sortfunc)
 
-        l = [HTMLItem(self._client, self.classname, x) for x in l]
+        # check perms
+        check = self._client.db.security.hasPermission
+        userid = self._client.userid
+
+        l = [HTMLItem(self._client, self._classname, id) for id in l
+            if check('View', userid, self._classname, itemid=id)]
+
         return l
 
     def csv(self):
@@ -604,8 +610,13 @@ def filter(self, request=None, filterspec={}, sort=(None,None),
             filterspec = request.filterspec
             sort = request.sort
             group = request.group
+
+        check = self._db.security.hasPermission
+        userid = self._client.userid
+
         l = [HTMLItem(self._client, self.classname, x)
-             for x in self._klass.filter(None, filterspec, sort, group)]
+             for id in self._klass.filter(None, filterspec, sort, group)
+             if check('View', userid, self.classname, itemid=id)]
         return l
 
     def classhelp(self, properties=None, label=''"(list)", width='500',
@@ -1676,6 +1687,27 @@ def menu(self, size=None, height=None, showid=0, additional=[],
         return '\n'.join(l)
 #    def checklist(self, ...)
 
+class MultilinkIterator:
+    def __init__(self, classname, client, values):
+        self.classname = classname
+        self.client = client
+        self.values = values
+        self.id = -1
+    def next(self):
+        '''Return the next item, but skip inaccessible items.'''
+        check = self.client.db.security.hasPermission
+        userid = self.client.userid
+        while 1:
+            self.id += 1
+            if self.id >= len(self.values):
+                raise StopIteration
+            value = self.values[self.id]
+            if check('View', userid, self.classname, itemid=value):
+                return HTMLItem(self.client, self.classname, value)
+    def __iter__(self):
+        return self
+
+
 class MultilinkHTMLProperty(HTMLProperty):
     ''' Multilink HTMLProperty
 
@@ -1698,16 +1730,22 @@ def __getattr__(self, attr):
         ''' no extended attribute accesses make sense here '''
         raise AttributeError, attr
 
-    def __getitem__(self, num):
+    def __iter__(self):
         ''' iterate and return a new HTMLItem
         '''
-       #print 'Multi.getitem', (self, num)
-        value = self._value[num]
-        return HTMLItem(self._client, self._prop.classname, value)
+        return MultilinkIterator(self._prop.classname, self._client,
+            self._value)
+
+    def reverse(self):
+        ''' return the list in reverse order
+        '''
+        l = self._value[:]
+        l.reverse()
+        return MultilinkIterator(self._prop.classname, self._client, l)
 
     def sorted(self, property):
         ''' Return this multilink sorted by the given property '''
-        value = list(self._value[num])
+        value = list(self.__iter__())
         value.sort(lambda a,b:cmp(a[property], b[property]))
         return value
 
@@ -1721,14 +1759,6 @@ def isset(self):
         '''Is my _value not []?'''
         return self._value != []
 
-    def reverse(self):
-        ''' return the list in reverse order
-        '''
-        l = self._value[:]
-        l.reverse()
-        return [HTMLItem(self._client, self._prop.classname, value)
-            for value in l]
-
     def plain(self, escape=0):
         ''' Render a "plain" representation of the property
         '''
@@ -1766,7 +1796,7 @@ def field(self, size=30, showid=0):
 
     def menu(self, size=None, height=None, showid=0, additional=[],
             sort_on=None, **conditions):
-        ''' Render a form select list for this property
+        ''' Render a form <select> list for this property.
 
             "size" is used to limit the length of the list labels
             "height" is used to set the <select> tag's "size" attribute
@@ -2183,7 +2213,12 @@ def batch(self):
                 re.findall(r'\b\w{2,25}\b', self.search_text), klass)
         else:
             matches = None
-        l = klass.filter(matches, filterspec, sort, group)
+
+        # filter for visibility
+        check = self._client.db.security.hasPermission
+        userid = self._client.userid
+        l = [id for id in klass.filter(matches, filterspec, sort, group)
+            if check('View', userid, self.classname, itemid=id)]
 
         # return the batch object, using IDs only
         return Batch(self.client, l, self.pagesize, self.startwith,
