add permission filter to menu() implementations [SF#1431188]

Alexander Smishlajev · Alexander Smishlajev · commit 387844416646 · 2006-02-14T06:13:19.000Z
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -8,6 +8,7 @@ Fixed:
   (sf bug 1429669)
 - error in link property lookups with numeric-alike key values (sf bug 1424550)
 - ignore UTF-8 BOM in .po files
+- add permission filter to menu() implementations (sf bug 1431188)
 
 
 2006-02-10 1.1.0
diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py
@@ -1757,7 +1757,10 @@ def menu(self, size=None, height=None, showid=0, additional=[], value=None,
         else:
             sort_on = ('+', find_sort_key(linkcl))
 
-        options = linkcl.filter(None, conditions, sort_on, (None, None))
+        options = [opt
+            for opt in linkcl.filter(None, conditions, sort_on, (None, None))
+            if self._db.security.hasPermission("View", self._client.userid,
+                linkcl.classname, itemid=id)]
 
         # make sure we list the current value if it's retired
         if value and value not in options:
@@ -1940,7 +1943,10 @@ def menu(self, size=None, height=None, showid=0, additional=[],
         else:
             sort_on = ('+', find_sort_key(linkcl))
 
-        options = linkcl.filter(None, conditions, sort_on)
+        options = [opt
+            for opt in linkcl.filter(None, conditions, sort_on)
+            if self._db.security.hasPermission("View", self._client.userid,
+                linkcl.classname, itemid=id)]
         height = height or min(len(options), 7)
         l = ['<select multiple name="%s" size="%s">'%(self._formname, height)]
         k = linkcl.labelprop(1)
