fix permission handling around rego

Author: Richard Jones

roundup/backends/sessions.py

@@ -1,4 +1,4 @@
-#$Id: sessions.py,v 1.7 2004-02-11 23:55:09 richard Exp $
+#$Id: sessions.py,v 1.8 2004-02-19 02:39:05 richard Exp $
 """This module defines a very basic store that's used by the CGI interface
 to store session and one-time-key information.
 
@@ -59,7 +59,10 @@ def get(self, infoid, value):
     def getall(self, infoid):
         db = self.opendb('c')
         try:
-            return marshal.loads(db[infoid])
+            try:
+                return marshal.loads(db[infoid])
+            except KeyError:
+                raise KeyError, 'No such One Time Key "%s"'%infoid
         finally:
             db.close()
 

roundup/cgi/actions.py

@@ -619,19 +619,17 @@ def handle(self):
             # pull the rego information out of the otk database
             self.userid = self.db.confirm_registration(self.form['otk'].value)
         except (ValueError, KeyError), message:
-            # XXX: we need to make the "default" page be able to display errors!
             self.client.error_message.append(str(message))
             return
 
         # log the new user in
         self.client.user = self.db.user.get(self.userid, 'username')
         # re-open the database for real, using the user
         self.client.opendb(self.client.user)
-        self.db = client.db
 
         # if we have a session, update it
         if hasattr(self, 'session'):
-            self.db.sessions.set(self.session, user=self.user,
+            self.client.db.sessions.set(self.session, user=self.user,
                 last_use=time.time())
         else:
             # new session cookie
@@ -642,7 +640,7 @@ def handle(self):
 
         # redirect to the user's page
         raise Redirect, '%suser%s?@ok_message=%s'%(self.base,
-                                                   self.userid, urllib.quote(message))
+            self.userid, urllib.quote(message))
 
 class RegisterAction(Action):
     name = 'register'
@@ -654,16 +652,18 @@ def handle(self):
 
         Return 1 on successful login.
         """        
-        props = self.client.parsePropsFromForm()[0][('user', None)]
+        props = self.client.parsePropsFromForm(create=1)[0][('user', None)]
 
         # registration isn't allowed to supply roles
         if props.has_key('roles'):
-            raise Unauthorised, _("It is not permitted to supply roles at registration.")            
+            raise Unauthorised, _("It is not permitted to supply roles "
+                "at registration.")            
 
+        username = props['username']
         try:
-            self.db.user.lookup(props['username'])
-            self.client.error_message.append('Error: A user with the username "%s" '
-                'already exists'%props['username'])
+            self.db.user.lookup(username)
+            self.client.error_message.append(_('Error: A user with the '
+                'username "%(username)s" already exists')%props)
             return
         except KeyError:
             pass
@@ -686,7 +686,7 @@ def handle(self):
         # send the email
         tracker_name = self.db.config.TRACKER_NAME
         tracker_email = self.db.config.TRACKER_EMAIL
-        subject = 'Complete your registration to %s -- key %s' % (tracker_name,
+        subject = 'Complete your registration to %s -- key %s'%(tracker_name,
                                                                   otk)
         body = """To complete your registration of the user "%(name)s" with
 %(tracker)s, please do one of the following:

roundup/cgi/templating.py

@@ -205,7 +205,10 @@ class utils(client.instance.interfaces.TemplatingUtils, utils):
                 c['context'] = HTMLItem(client, classname, client.nodeid,
                     anonymous=1)
         elif client.db.classes.has_key(classname):
-            c['context'] = HTMLClass(client, classname, anonymous=1)
+            if classname == 'user':
+                c['context'] = HTMLUserClass(client, classname, anonymous=1)
+            else:
+                c['context'] = HTMLClass(client, classname, anonymous=1)
         return c
 
     def render(self, client, classname, request, **options):
@@ -253,6 +256,8 @@ def __getitem__(self, item, desre=re.compile(r'(?P<cl>\w+)(?P<id>[-\d]+)')):
             return HTMLItem(self._client, m.group('cl'), m.group('id'))
         else:
             self._client.db.getclass(item)
+            if item == 'user':
+                return HTMLUserClass(self._client, item)
             return HTMLClass(self._client, item)
 
     def __getattr__(self, attr):
@@ -264,7 +269,12 @@ def __getattr__(self, attr):
     def classes(self):
         l = self._client.db.classes.keys()
         l.sort()
-        return [HTMLClass(self._client, cn) for cn in l]
+        r = []
+        for item in l:
+            if item == 'user':
+                m.append(HTMLUserClass(self._client, item))
+            m.append(HTMLClass(self._client, item))
+        return r
 
 def lookupIds(db, prop, ids, num_re=re.compile('-?\d+')):
     cl = db.getclass(prop.classname)
@@ -850,7 +860,44 @@ def renderQueryForm(self):
         # use our fabricated request
         return pt.render(self._client, req.classname, req)
 
-class HTMLUser(HTMLItem):
+class HTMLUserPermission:
+
+    def is_edit_ok(self):
+        ''' Is the user allowed to Edit the current class?
+            Also check whether this is the current user's info.
+        '''
+        return self._user_perm_check('Edit')
+
+    def is_view_ok(self):
+        ''' Is the user allowed to View the current class?
+            Also check whether this is the current user's info.
+        '''
+        return self._user_perm_check('View')
+
+    def _user_perm_check(self, type):
+        # some users may view / edit all users
+        s = self._db.security
+        userid = self._client.userid
+        if s.hasPermission(type, userid, self._classname):
+            return 1
+
+        # users may view their own info
+        is_anonymous = self._db.user.get(userid, 'username') == 'anonymous'
+        if getattr(self, '_nodeid', None) == userid and not is_anonymous:
+            return 1
+
+        # may anonymous users register?
+        if (is_anonymous and s.hasPermission('Web Registration', userid,
+                self._classname)):
+            return 1
+
+        # nope, no access here
+        return 0
+
+class HTMLUserClass(HTMLUserPermission, HTMLClass):
+    pass
+
+class HTMLUser(HTMLUserPermission, HTMLItem):
     ''' Accesses through the *user* (a special case of item)
     '''
     def __init__(self, client, classname, nodeid, anonymous=0):
@@ -871,22 +918,6 @@ def hasPermission(self, permission, classname=_marker):
             classname = self._default_classname
         return self._security.hasPermission(permission, self._nodeid, classname)
 
-    def is_edit_ok(self):
-        ''' Is the user allowed to Edit the current class?
-            Also check whether this is the current user's info.
-        '''
-        return self._db.security.hasPermission('Edit', self._client.userid,
-            self._classname) or (self._nodeid == self._client.userid and
-            self._db.user.get(self._client.userid, 'username') != 'anonymous')
-
-    def is_view_ok(self):
-        ''' Is the user allowed to View the current class?
-            Also check whether this is the current user's info.
-        '''
-        return self._db.security.hasPermission('View', self._client.userid,
-            self._classname) or (self._nodeid == self._client.userid and
-            self._db.user.get(self._client.userid, 'username') != 'anonymous')
-
 class HTMLProperty(HTMLInputMixin, HTMLPermissions):
     ''' String, Number, Date, Interval HTMLProperty