1- #$Id: actions.py,v 1.40 2004-11-23 22:45:13 richard Exp $
1+ #$Id: actions.py,v 1.40.2.1 2004-12-15 00:03:36 richard Exp $
22
33import re , cgi , StringIO , urllib , Cookie , time , random
44
@@ -59,12 +59,12 @@ def permission(self):
5959 '%(action)s the %(classname)s class.' )% info
6060
6161 _marker = []
62- def hasPermission (self , permission , classname = _marker ):
62+ def hasPermission (self , permission , classname = _marker , itemid = None ):
6363 """Check whether the user has 'permission' on the current class."""
6464 if classname is self ._marker :
6565 classname = self .client .classname
6666 return self .db .security .hasPermission (permission , self .client .userid ,
67- classname )
67+ classname = classname , itemid = itemid )
6868
6969 def gettext (self , msgid ):
7070 """Return the localized translation of msgid"""
@@ -158,9 +158,16 @@ def handle(self):
158158 # edit the old way, only one query per name
159159 try :
160160 qid = self .db .query .lookup (queryname )
161+ if not self .hasPermission ('Edit' , self .classname ,
162+ itemid = qid ):
163+ raise exceptions .Unauthorised , self ._ (
164+ "You do not have permission to edit queries" )
161165 self .db .query .set (qid , klass = self .classname , url = url )
162166 except KeyError :
163167 # create a query
168+ if not self .hasPermission ('Create' , self .classname ):
169+ raise exceptions .Unauthorised , self ._ (
170+ "You do not have permission to store queries" )
164171 qid = self .db .query .create (name = queryname ,
165172 klass = self .classname , url = url )
166173 else :
@@ -180,9 +187,16 @@ def handle(self):
180187 for qid in qids :
181188 if queryname != self .db .query .get (qid , 'name' ):
182189 continue
190+ if not self .hasPermission ('Edit' , self .classname ,
191+ itemid = qid ):
192+ raise exceptions .Unauthorised , self ._ (
193+ "You do not have permission to edit queries" )
183194 self .db .query .set (qid , klass = self .classname , url = url )
184195 else :
185196 # create a query
197+ if not self .hasPermission ('Create' , self .classname ):
198+ raise exceptions .Unauthorised , self ._ (
199+ "You do not have permission to store queries" )
186200 qid = self .db .query .create (name = queryname ,
187201 klass = self .classname , url = url , private_for = uid )
188202
@@ -468,7 +482,7 @@ def editItemPermission(self, props):
468482 "You do not have permission to edit user roles" )
469483 if self .isEditingSelf ():
470484 return 1
471- if self .hasPermission ('Edit' ):
485+ if self .hasPermission ('Edit' , itemid = self . nodeid ):
472486 return 1
473487 return 0
474488
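Review bot: The new permission checks in `handle` (hunks @@ -158 and @@ -180) test `Edit`/`Create` against `self.classname`, which the surrounding `lookup`/`set`/`create` calls show is the searched class stored as the query's `klass`, while the `itemid` handed to `hasPermission` is a `query` node id; the check is therefore evaluated against the wrong class and will succeed or fail on the user's rights over e.g. `issue` rather than over the query item being stored. Unless query storage is deliberately gated on the searched class, the four checks should read `if not self.hasPermission('Edit', 'query', itemid=qid):` and `if not self.hasPermission('Create', 'query'):`. As written, anyone with create rights on the searched class can store queries, which is presumably broader than intended. Separately, in the @@ -180 hunk the `for … else` at old lines 180–184 has no `break` after `query.set`, so after editing a matching query the `else` branch still runs and creates a second query; that predates this commit but is worth confirming. `handle` starts and ends outside these hunks.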