Fix to hasPermission, thanks Stefan Seefeld.

Richard Jones · Richard Jones · commit 3638b2f11324 · 2002-07-29T21:53:29.000Z
diff --git a/doc/customizing.txt b/doc/customizing.txt
@@ -2,19 +2,20 @@
 Customising Roundup
 ===================
 
-:Version: $Revision: 1.12 $
+:Version: $Revision: 1.13 $
 
 .. contents::
 
 
 What You Can Do
 ---------------
 
-Customisation of Roundup can take one of three forms:
+Customisation of Roundup can take one of four forms:
 
 1. `instance configuration`_ file changes
-2. `instance schema`_ changes
+2. database, or `instance schema`_ changes
 3. "definition" class `database content`_ changes
+4. behavioural changes, through detectors_
 
 The third case is special because it takes two distinctly different forms
 depending upon whether the instance has been initialised or not. The other two
@@ -515,7 +516,7 @@ Create a node in the database. This is generally used to create nodes in the
 
 Detectors - adding behaviour to your tracker
 --------------------------------------------
-.. _`detectors`:
+.. _detectors:
 
 The detectors in your instance fire before (*auditors*) and after (*reactors*)
 changes to the contents of your database. They are Python modules that sit in
@@ -537,7 +538,7 @@ ones. The existing detectors installed for you are:
 See the detectors section in the `design document`__ for details of the
 interface for detectors.
 
-__ spec.html
+__ design.html
 
 Sample additional detectors that have been found useful will appear in the
 ``detectors`` directory of the Roundup distribution:
diff --git a/doc/index.txt b/doc/index.txt
@@ -67,7 +67,8 @@ Roch'e Compaan,
 Engelbert Gruber,
 Juergen Hermann,
 Gordon McMillan,
-Patrick Ohly.
+Patrick Ohly,
+Stefan Seefeld.
 
 
 License
diff --git a/roundup/security.py b/roundup/security.py
@@ -78,9 +78,13 @@ def getPermission(self, permission, classname=None):
         '''
         if not self.permission.has_key(permission):
             raise ValueError, 'No permission "%s" defined'%permission
+
+        # look through all the permissions of the given name
         for perm in self.permission[permission]:
+            # if we're passed a classname, the permission must match
             if perm.klass is not None and perm.klass == classname:
                 return perm
+            # otherwise the permission klass must be unset
             elif not perm.klass and not classname:
                 return perm
         raise ValueError, 'No permission "%s" defined for "%s"'%(permission,
@@ -96,9 +100,14 @@ def hasPermission(self, permission, userid, classname=None):
         for rolename in roles.split(','):
             if not rolename:
                 continue
+            # for each of the user's Roles, check the permissions
             for perm in self.role[rolename].permissions:
-                if perm.klass is None or perm.klass == classname:
-                    return 1
+                # permission name match?
+                if perm.name == permission:
+                    # permission klass match?
+                    if perm.klass is None or perm.klass == classname:
+                        # we have a winner
+                        return 1
         return 0
 
     def hasNodePermission(self, classname, nodeid, **propspec):
diff --git a/test/test_security.py b/test/test_security.py
@@ -18,7 +18,7 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
 
-# $Id: test_security.py,v 1.2 2002-07-26 08:27:00 richard Exp $
+# $Id: test_security.py,v 1.3 2002-07-29 21:53:29 richard Exp $
 
 import os, unittest, shutil
 
@@ -71,7 +71,9 @@ def testDBinit(self):
 
     def testAccessControls(self):
         self.testDBinit()
-        self.testInitialiseSecurity()
+        ei = self.db.security.addPermission(name="Edit", klass="issue",
+                        description="User is allowed to edit issues")
+        self.db.security.addPermissionToRole('User', ei)
 
         # test class-level access
         userid = self.db.user.lookup('admin')
@@ -84,6 +86,8 @@ def testAccessControls(self):
             'issue'), 1)
         self.assertEquals(self.db.security.hasPermission('Edit', userid,
             'user'), 0)
+        self.assertEquals(self.db.security.hasPermission('View', userid,
+            'issue'), 0)
 
         # test node-level access
         issueid = self.db.issue.create(title='foo', assignedto='admin')
@@ -102,6 +106,11 @@ def suite():
 
 #
 # $Log: not supported by cvs2svn $
+# Revision 1.2  2002/07/26 08:27:00  richard
+# Very close now. The cgi and mailgw now use the new security API. The two
+# templates have been migrated to that setup. Lots of unit tests. Still some
+# issue in the web form for editing Roles assigned to users.
+#
 # Revision 1.1  2002/07/25 07:14:06  richard
 # Bugger it. Here's the current shape of the new security implementation.
 # Still to do:
