merge change to roundup issue tracker reg form

rouilj · rouilj · commit 79a1327030f4 · 2020-02-28T23:06:39.000-05:00
diff --git a/roundup/dehtml.py b/roundup/dehtml.py
@@ -2,6 +2,8 @@
 from __future__ import print_function
 from roundup.anypy.strings import u2s, uchr
 
+import sys
+_pyver = sys.version_info[0]
 
 class dehtml:
     def __init__(self, converter):
@@ -32,12 +34,10 @@ def html2text(html):
                 # Python 3+.
                 from html.parser import HTMLParser
                 from html.entities import name2codepoint
-                pyver = 3
             except ImportError:
                 # Python 2.
                 from HTMLParser import HTMLParser
                 from htmlentitydefs import name2codepoint
-                pyver = 2
 
             class DumbHTMLParser(HTMLParser):
                 # class attribute
@@ -83,7 +83,7 @@ def handle_entityref(self, name):
                         self.text = self.text + ' '
 
             def html2text(html):
-                if pyver == 3:
+                if _pyver == 3:
                     parser = DumbHTMLParser(convert_charrefs=True)
                 else:
                     parser = DumbHTMLParser()
diff --git a/roundup/rest.py b/roundup/rest.py
@@ -473,39 +473,40 @@ def prop_from_arg(self, cl, key, value, itemid=None):
     def transitive_props (self, class_name, props):
         """Construct a list of transitive properties from the given
         argument, and return it after permission check. Raises
-        Unauthorised if no permission. Permission is checked by checking
-        search-permission on the path (delimited by '.') excluding the
-        last component and then checking View permission on the last
-        component. We do not allow to traverse multilinks -- the last
-        item of an expansion *may* be a multilink but in the middle of a
-        transitive prop.
+        Unauthorised if no permission. Permission is checked by
+        checking View permission on each component. We do not allow to
+        traverse multilinks -- the last item of an expansion *may* be a
+        multilink but in the middle of a transitive prop.
         """
         checked_props = []
         uid = self.db.getuid()
         for p in props:
             pn = p
             cn = class_name
             if '.' in p:
-                path, lc = p.rsplit('.', 1)
-                if not self.db.security.hasSearchPermission(uid, class_name, p):
-                    raise (Unauthorised
-                        ('User does not have permission on "%s.%s"'
-                        % (class_name, p)))
-                prev = prop = None
-                # This shouldn't raise any errors, otherwise the search
-                # permission check above would have failed
-                for pn in path.split('.'):
+                prop = None
+                for pn in p.split('.'):
+                    # Tried to dereference a non-Link property
+                    if cn is None:
+                        raise AttributeError("Unknown: %s" % p)
                     cls = self.db.getclass(cn)
-                    prop = cls.getprops(protected=True)[pn]
+                    # This raises a KeyError for unknown prop:
+                    try:
+                        prop = cls.getprops(protected=True)[pn]
+                    except KeyError:
+                        raise AttributeError("Unknown: %s" % p)
                     if isinstance(prop, hyperdb.Multilink):
                         raise UsageError(
                             'Multilink Traversal not allowed: %s' % p)
-                    cn = prop.classname
-                cls = self.db.getclass(cn)
-            # Now we have the classname in cn and the prop name in pn.
-            if not self.db.security.hasPermission('View', uid, cn, pn):
-                raise(Unauthorised
-                    ('User does not have permission on "%s.%s"' % (cn, pn)))
+                    # Now we have the classname in cn and the prop name in pn.
+                    if not self.db.security.hasPermission('View', uid, cn, pn):
+                        raise(Unauthorised
+                            ('User does not have permission on "%s.%s"'
+                            % (cn, pn)))
+                    try:
+                        cn = prop.classname
+                    except AttributeError:
+                        cn = None
             checked_props.append (p)
         return checked_props
 
diff --git a/test/test_templating.py b/test/test_templating.py
@@ -429,11 +429,10 @@ def test_string_markdown_link(self):
         self.assertEqual(p.markdown().strip(), u2s(u'<p>A link <a href="http://localhost">http://localhost</a></p>'))
 
     def test_string_markdown_link(self):
-        # markdown2 and markdown 
+        # markdown2 and markdown escape the email address
         try:
-            import html
-            html_unescape = html.unescape
-        except AttributeError:
+            from html import unescape as html_unescape
+        except ImportError:
             from HTMLParser import HTMLParser
             html_unescape = HTMLParser().unescape
 
