Restrict user creation rights in XMLRPC frontend.

Author: stefanseefeld

roundup/xmlrpc.py

@@ -90,6 +90,7 @@ def display(self, designator, *properties):
         return dict(result)
 
     def create(self, classname, *args):
+        
         if not self.db.security.hasPermission('Create', self.db.getuid(), classname):
             raise Unauthorised('Permission to create %s denied'%classname)
 
@@ -103,6 +104,11 @@ def create(self, classname, *args):
         if key and not props.has_key(key):
             raise UsageError, 'you must provide the "%s" property.'%key
 
+        for key in props:
+            if not self.db.security.hasPermission('Edit', self.db.getuid(), classname,
+                                                  property=key):
+                raise Unauthorised('Permission to create %s denied'%classname)
+
         # do the actual create
         try:
             result = cl.create(**props)
@@ -129,7 +135,7 @@ def set(self, designator, *args):
     builtin_actions = {'retire': actions.Retire}
 
     def action(self, name, *args):
-        """"""
+        """Execute a named action."""
 
         if name in self.actions:
             action_type = self.actions[name]