fix security check for hasPermission(Permission, None)

Richard Jones · Richard Jones · commit 26e9a2bc7e3e · 2006-02-03T04:04:37.000Z
add hasRole to HTMLUser
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -4,11 +4,14 @@ are given with the most recent entry first.
 2006-??-?? 1.0.1
 Feature:
 - scripts/import_sf.py will import a tracker from Sourceforge.NET
+- added hasRole() to HTMLUser
 
 Fixed:
 - SQL generation for sort/group by separate Link properties (sf bug
   1417565)
 - fix timezone offsetting in email Date: header
+- fix security check for hasPermission('Permission', None)
+
 
 2006-01-27 1.0
 Feature:
diff --git a/doc/customizing.txt b/doc/customizing.txt
@@ -2,7 +2,7 @@
 Customising Roundup
 ===================
 
-:Version: $Revision: 1.190 $
+:Version: $Revision: 1.191 $
 
 .. This document borrows from the ZopeBook section on ZPT. The original is at:
    http://www.zope.org/Documentation/Books/ZopeBook/current/ZPT.stx
@@ -1916,6 +1916,11 @@ hasPermission   specific to the "user" class - determine whether the
                         [property=], [itemid=])
 
                 where the classname defaults to the current context.
+hasRole         specific to the "user" class - determine whether the
+                user has a Role. The signature is::
+
+                    hasRole(self, rolename)
+
 is_edit_ok      is the user allowed to Edit the current item?
 is_view_ok      is the user allowed to View the current item?
 is_retired      is the item retired?
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
@@ -1119,9 +1119,16 @@ def hasPermission(self, permission, classname=_marker,
         '''
         if classname is self._marker:
             classname = self._client.classname
-        return self._client.db.security.hasPermission(permission,
+        return self._db.security.hasPermission(permission,
             self._nodeid, classname, property, itemid)
 
+    def hasRole(self, rolename):
+        '''Determine whether the user has the Role.'''
+        roles = self._db.user.get(self._nodeid, 'roles').split(',')
+        for role in roles:
+            if role.strip() == rolename: return True
+        return False
+
 def HTMLItem(client, classname, nodeid, anonymous=0):
     if classname == 'user':
         return _HTMLUser(client, classname, nodeid, anonymous)
diff --git a/roundup/security.py b/roundup/security.py
@@ -39,8 +39,7 @@ def test(self, db, permission, classname, property, userid, itemid):
             return 0
 
         # are we checking the correct class
-        if (classname is not None and self.klass is not None
-                and self.klass != classname):
+        if self.klass is not None and self.klass != classname:
             return 0
 
         # what about property?
diff --git a/test/test_security.py b/test/test_security.py
@@ -18,7 +18,7 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
 
-# $Id: test_security.py,v 1.9 2005-01-28 04:07:58 richard Exp $
+# $Id: test_security.py,v 1.10 2006-02-03 04:04:37 richard Exp $
 
 import os, unittest, shutil
 
@@ -41,18 +41,28 @@ def testInterfaceSecurity(self):
         # TODO: some asserts
 
     def testInitialiseSecurity(self):
-        ''' Create some Permissions and Roles on the security object
-
-            This function is directly invoked by security.Security.__init__()
-            as a part of the Security object instantiation.
-        '''
         ei = self.db.security.addPermission(name="Edit", klass="issue",
                         description="User is allowed to edit issues")
         self.db.security.addPermissionToRole('User', ei)
         ai = self.db.security.addPermission(name="View", klass="issue",
                         description="User is allowed to access issues")
         self.db.security.addPermissionToRole('User', ai)
 
+    def testAdmin(self):
+        ei = self.db.security.addPermission(name="Edit", klass="issue",
+                        description="User is allowed to edit issues")
+        self.db.security.addPermissionToRole('User', ei)
+        ei = self.db.security.addPermission(name="Edit", klass=None,
+                        description="User is allowed to edit issues")
+        self.db.security.addPermissionToRole('Admin', ei)
+
+        u1 = self.db.user.create(username='one', roles='Admin')
+        u2 = self.db.user.create(username='two', roles='User')
+
+        self.assert_(self.db.security.hasPermission('Edit', u1, None))
+        self.assert_(not self.db.security.hasPermission('Edit', u2, None))
+
+
     def testGetPermission(self):
         self.db.security.getPermission('Edit')
         self.db.security.getPermission('View')
