fix permission checks in cgi interface [SF#1289557]

Richard Jones · Richard Jones · commit 0ef71a239116 · 2006-01-13T03:50:03.000Z
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -47,6 +47,7 @@ Fixed:
 - fix Date: header generation to be LOCALE-agnostic (sf bug 1352624)
 - fix admin doc description of roundup-server config file
 - fix redirect after instant registration (sf bug 1381676)
+- fix permission checks in cgi interface (sf bug 1289557)
 
 
 2005-10-07 0.8.5
diff --git a/roundup/cgi/actions.py b/roundup/cgi/actions.py
@@ -1,4 +1,4 @@
-#$Id: actions.py,v 1.50 2006-01-13 03:33:29 richard Exp $
+#$Id: actions.py,v 1.51 2006-01-13 03:50:03 richard Exp $
 
 import re, cgi, StringIO, urllib, Cookie, time, random, csv
 
@@ -435,7 +435,7 @@ def _editnodes(self, all_props, all_links):
     def _changenode(self, cn, nodeid, props):
         """Change the node based on the contents of the form."""
         # check for permission
-        if not self.editItemPermission(props):
+        if not self.editItemPermission(props, classname=cn, itemid=nodeid):
             raise exceptions.Unauthorised, self._(
                 'You do not have permission to edit %(class)s'
             ) % {'class': cn}
@@ -447,7 +447,7 @@ def _changenode(self, cn, nodeid, props):
     def _createnode(self, cn, props):
         """Create a node based on the contents of the form."""
         # check for permission
-        if not self.newItemPermission(props):
+        if not self.newItemPermission(props, classname=cn):
             raise exceptions.Unauthorised, self._(
                 'You do not have permission to create %(class)s'
             ) % {'class': cn}
@@ -461,7 +461,8 @@ def isEditingSelf(self):
         return (self.nodeid == self.userid
                 and self.db.user.get(self.nodeid, 'username') != 'anonymous')
 
-    def editItemPermission(self, props):
+    _cn_marker = []
+    def editItemPermission(self, props, classname=_cn_marker, itemid=None):
         """Determine whether the user has permission to edit this item.
 
         Base behaviour is to check the user can edit this class. If we're
@@ -475,17 +476,23 @@ def editItemPermission(self, props):
                     "You do not have permission to edit user roles")
             if self.isEditingSelf():
                 return 1
-        if self.hasPermission('Edit', itemid=self.nodeid):
+        if itemid is None:
+            itemid = self.nodeid
+        if classname is self._cn_marker:
+            classname = self.classname
+        if self.hasPermission('Edit', itemid=itemid, classname=classname):
             return 1
         return 0
 
-    def newItemPermission(self, props):
+    def newItemPermission(self, props, classname=None):
         """Determine whether the user has permission to create this item.
 
         Base behaviour is to check the user can edit this class. No additional
         property checks are made.
         """
-        return self.hasPermission('Create')
+        if not classname :
+            classname = self.client.classname
+        return self.hasPermission('Create', classname=classname)
 
 class EditItemAction(EditCommon):
     def lastUserActivity(self):
