merge from HEAD

Author: Richard Jones

CHANGES.txt

@@ -8,6 +8,7 @@ Fixed:
 - fix typo (sf patch 1076629)
 - fix hyperlinking of items (sf bug 1080251)
 - fix roundup-admin find command handling of Multilinks
+- fix some security assertions (sf bug 1085481)
 
 
 2004-10-26 0.7.9

roundup/cgi/actions.py

@@ -1,4 +1,4 @@
-#$Id: actions.py,v 1.27.2.7 2004-12-07 23:31:00 richard Exp $
+#$Id: actions.py,v 1.27.2.8 2004-12-15 00:07:58 richard Exp $
 
 import re, cgi, StringIO, urllib, Cookie, time, random
 
@@ -127,6 +127,8 @@ def handle(self, wcre=re.compile(r'[\s,]+')):
 
         # handle saving the query params
         if queryname:
+            if not self.hasPermission('Edit', 'query'):
+                raise Unauthorised, _("You do not have permission to edit queries")
             # parse the environment and figure what the query _is_
             req = templating.HTMLRequest(self.client)
 

templates/classic/html/issue.search.html

@@ -175,7 +175,7 @@
 </td>
 </tr>
 
-<tr>
+<tr tal:condition="python:request.user.hasPermission('Edit', 'query')">
 <th>Query name**:</th>
 <td><input name="@queryname"
            tal:attributes="value request/form/@queryname/value | default"></td>

templates/classic/html/page.html

@@ -25,7 +25,8 @@ <h2><span metal:define-slot="body_title">body title</span></h2>
 
 <tr>
  <td rowspan="2" valign="top" class="sidebar">
-  <p class="classblock">
+  <p class="classblock"
+     tal:condition="python:request.user.hasPermission('View', 'query')">
    <b>Your Queries</b> (<a href="query?@template=edit">edit</a>)<br>
    <tal:block tal:repeat="qs request/user/queries">
     <a tal:attributes="href string:${qs/klass}?${qs/url}"