Fix xmlrpc permissions for lookup method.

schlatterbeck · schlatterbeck · commit 86650572edfe · 2012-10-17T15:32:41.000+02:00
Allow if the key attribute is either searchable or viewable, don't check
id attribute.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -45,6 +45,8 @@ Fixed:
 - Fix basic authentication: instatiating the login action would fail if
   the user is not set. We now first set the user to anonymous and then
   try basic authentication if enabled.
+- Fix xmlrpc permissions for lookup method: Allow if the key attribute
+  is either searchable or viewable, don't check id attribute
 
 
 2012-05-15: 1.4.20
diff --git a/roundup/xmlrpc.py b/roundup/xmlrpc.py
@@ -103,9 +103,11 @@ def lookup(self, classname, key):
         cl = self.db.getclass(classname)
         uid = self.db.getuid()
         prop = cl.getkey()
-        check = self.db.security.hasSearchPermission
-        if not check(uid, classname, 'id') or not check(uid, classname, prop):
-            raise Unauthorised('Permission to search %s denied'%classname)
+        search = self.db.security.hasSearchPermission
+        access = self.db.security.hasPermission
+        if (not search(uid, classname, prop)
+           and not access('View', uid, classname, prop)):
+           raise Unauthorised('Permission to lookup %s denied'%classname)
         return cl.lookup(key)
 
     def display(self, designator, *properties):
