Make properties method return only properties the user can search.

rouilj · rouilj · commit 0d78cf9f57ce · 2017-04-05T21:38:32.000-04:00
See: https://sourceforge.net/p/roundup/mailman/roundup-devel/thread/20170405002844.2004B80690%40vm71.cs.umb.edu/#msg35769250 [Roundup-devel] Bug in context/properties, lists properties user can't search. The HTMLClass::properties() method returns a list of all properties. This is used when creating sort on/group by filters on index pages. However somewhere in the code, a user needs search permission on the property in order for it to be used for grouping or sorting. This means the user can choose to sort/group an index page by a property that they have no search permission for. As a result the sort/group is ignored. This is confusing. I have changed the properties method to only return properties the user has View/Search permissions on. I also added a new cansearch argument set by default to True. If set to False, all properties regardless of Search permission are returned. Doc updated to include the new default operation and mention the use of cansearch argument.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -413,6 +413,11 @@ Fixed:
   will not add the arg to the url. In the example above @queryname
   will only be in the url if dispname is set in the request.
   (John Rouillard)
+- The HTMLClass::properties() method produced a list of properties
+  that the user could not search. As a result these properties can not
+  be used for sorting or grouping index pages. This patch eliminates
+  the confusion that results from this mismatch by verifying that all
+  properties returned are searchable. (John Rouillard)
 
 2016-01-11: 1.5.1
 
diff --git a/doc/customizing.txt b/doc/customizing.txt
@@ -2354,7 +2354,8 @@ There are several methods available on these wrapper objects:
 Method      Description
 =========== =============================================================
 properties  return a `hyperdb property wrapper`_ for all of this class's
-            properties.
+            properties that are searchable by the user. You can use
+            the argument cansearch=False to get all properties.
 list        lists all of the active (not retired) items in the class.
 csv         return the items of this class as a chunk of CSV text.
 propnames   lists the names of the properties of this class.
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
@@ -596,11 +596,20 @@ def getItem(self, itemid, num_re=num_re):
 
         return HTMLItem(self._client, self.classname, itemid)
 
-    def properties(self, sort=1):
-        """ Return HTMLProperty for all of this class' properties.
+    def properties(self, sort=1, cansearch=True):
+        """ Return HTMLProperty for allowed class' properties.
+
+            To return all properties call it with cansearch=False
+            and it will return properties the user is unable to
+            search.
         """
         l = []
+        canSearch=self._db.security.hasSearchPermission
+        userid=self._client.userid
         for name, prop in self._props.items():
+            if cansearch and \
+               not canSearch(userid, self._classname, name):
+                continue
             for klass, htmlklass in propclasses:
                 if isinstance(prop, klass):
                     value = prop.get_default_value()
