@@ -72,7 +72,7 @@ class node. Any parts of other types are each stored in separate files
7272an exception, the original message is bounced back to the sender with the
7373explanatory message given in the exception.
7474
75- $Id: mailgw.py,v 1.170 2006-01-20 03:04:14 richard Exp $
75+ $Id: mailgw.py,v 1.171 2006-01-25 03:20:35 richard Exp $
7676"""
7777__docformat__ = 'restructuredtext'
7878
@@ -849,10 +849,14 @@ def handle_message(self, message):
849849 raise Unauthorized , 'You are not permitted to access ' \
850850 'this tracker.'
851851
852- # make sure they're allowed to edit this class of information
853- if not self .db .security .hasPermission ('Edit' , author , classname ):
854- raise Unauthorized , 'You are not permitted to edit %s.' % classname
855-
852+ # make sure they're allowed to edit or create this class of information
853+ if nodeid :
854+ if not self .db .security .hasPermission ('Edit' , author , classname ):
855+ raise Unauthorized , 'You are not permitted to edit %s.' % classname
856+ else :
857+ if not self .db .security .hasPermission ('Create' , author , classname ):
858+ raise Unauthorized , 'You are not permitted to create %s.' % classname
859+
856860 # the author may have been created - make sure the change is
857861 # committed before we reopen the database
858862 self .db .commit ()
@@ -946,6 +950,8 @@ def handle_message(self, message):
946950 if properties .has_key ('files' ):
947951 files = []
948952 for (name , mime_type , data ) in attachments :
953+ if not self .db .security .hasPermission ('Create' , author , 'file' ):
954+ raise Unauthorized , 'You are not permitted to create files.'
949955 if not name :
950956 name = "unnamed"
951957 try :
@@ -956,6 +962,9 @@ def handle_message(self, message):
956962 else :
957963 files .append (fileid )
958964 # attach the files to the issue
965+ if not self .db .security .hasPermission ('Edit' , author , classname , 'files' ):
966+ raise Unauthorized , 'You are not permitted to add files to %s.' % classname
967+
959968 if nodeid :
960969 # extend the existing files list
961970 fileprop = cl .get (nodeid , 'files' )
@@ -969,6 +978,9 @@ def handle_message(self, message):
969978 # create the message if there's a message body (content)
970979 #
971980 if (content and properties .has_key ('messages' )):
981+ if not self .db .security .hasPermission ('Create' , author , 'msg' ):
982+ raise Unauthorized , 'You are not permitted to create messages.'
983+
972984 try :
973985 message_id = self .db .msg .create (author = author ,
974986 recipients = recipients , date = date .Date ('.' ),
@@ -980,6 +992,9 @@ def handle_message(self, message):
980992%s
981993''' % error
982994 # attach the message to the node
995+ if not self .db .security .hasPermission ('Edit' , author , classname , 'messages' ):
996+ raise Unauthorized , 'You are not permitted to add messages to %s.' % classname
997+
983998 if nodeid :
984999 # add the message to the node's list
9851000 messages = cl .get (nodeid , 'messages' )
@@ -999,6 +1014,12 @@ def handle_message(self, message):
9991014 for prop in issue_props .keys () :
10001015 if not props .has_key (prop ) :
10011016 props [prop ] = issue_props [prop ]
1017+
1018+ # Check permissions for each property
1019+ for prop in props .keys ():
1020+ if not self .db .security .hasPermission ('Edit' , author , classname , prop ):
1021+ raise Unauthorized , 'You are not permitted to edit property %s of class %s.' % (prop ,classname )
1022+
10021023 if nodeid :
10031024 cl .set (nodeid , ** props )
10041025 else :
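Review bot: The property-level checks at new lines 965, 995 and 1020 always ask for 'Edit', even when `nodeid` is empty and the node is about to be created, which disagrees with the class-level check at 853-858 that asks for 'Create' in that case. A sender who holds only Create on the class would pass the first check and then be refused here. Choosing the permission once, e.g. `perm = nodeid and 'Edit' or 'Create'`, and passing `perm` to those three `hasPermission` calls would keep them consistent. The 'files' and 'messages' checks also run after the file and message nodes appear to have been created (`files.append(fileid)`, `self.db.msg.create(...)`), so a refusal there seems to rely on the caller discarding the uncommitted nodes; moving every permission check ahead of the first create would remove that dependency. handle_message starts and ends outside these hunks, so the rollback path cannot be confirmed from this page.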