enable editing of public queries [SF#966144]

Author: Richard Jones

CHANGES.txt

@@ -44,6 +44,7 @@ Fixed:
   when editing is not allowed
 - fix StructuredText import in cgi.templating
 - have "System Messages" be marked as such again (sf bug 1281907)
+- enable editing of public queries (sf bug 966144)
 
 
 2005-10-07 0.9.0b1

doc/upgrading.txt

@@ -13,10 +13,44 @@ steps.
 
 .. contents::
 
-Migrating from 0.8.x to 0.9.0
-=============================
+Migrating from 0.8.x to 1.0
+===========================
+
+1.0 New Query Permissions
+-------------------------
 
-No upgrade steps are required.
+New permissions are defined for query editing and viewing. To include these
+in your tracker, you need to add these lines to your tracker's
+``schema.py``::
+
+ # Users should be able to edit and view their own queries. They should also
+ # be able to view any marked as not private. They should not be able to
+ # edit others' queries, even if they're not private
+ def view_query(db, userid, itemid):
+     private_for = db.query.get(itemid, 'private_for')
+     if not private_for: return True
+     return userid == private_for
+ def edit_query(db, userid, itemid):
+     return userid == db.query.get(itemid, 'creator')
+ p = db.security.addPermission(name='View', klass='query', check=view_query,
+     description="User is allowed to view their own and public queries")
+ db.security.addPermissionToRole('User', p)
+ p = db.security.addPermission(name='Edit', klass='query', check=edit_query,
+     description="User is allowed to edit their queries")
+ db.security.addPermissionToRole('User', p)
+ p = db.security.addPermission(name='Create', klass='query',
+     description="User is allowed to create queries")
+ db.security.addPermissionToRole('User', p)
+
+and then remove 'query' from the line::
+
+ # Assign the access and edit Permissions for issue, file and message
+ # to regular users now
+ for cl in 'issue', 'file', 'msg', 'query', 'keyword':
+
+so it looks like::
+
+ for cl in 'issue', 'file', 'msg', 'keyword':
 
 
 Migrating from 0.8.0 to 0.8.3

roundup/cgi/actions.py

@@ -1,4 +1,4 @@
-#$Id: actions.py,v 1.55 2006-01-25 03:14:40 richard Exp $
+#$Id: actions.py,v 1.56 2006-01-27 03:30:38 richard Exp $
 
 import re, cgi, StringIO, urllib, Cookie, time, random, csv, codecs
 
@@ -148,6 +148,12 @@ def handle(self):
         """
         self.fakeFilterVars()
         queryname = self.getQueryName()
+    
+        # editing existing query name?
+        old_queryname = ''
+        for key in ('@old-queryname', ':old-queryname'):
+            if self.form.has_key(key):
+                old_queryname = self.form[key].value.strip()
 
         # handle saving the query params
         if queryname:
@@ -162,7 +168,7 @@ def handle(self):
             if key:
                 # edit the old way, only one query per name
                 try:
-                    qid = self.db.query.lookup(queryname)
+                    qid = self.db.query.lookup(old_queryname)
                     if not self.hasPermission('Edit', 'query', itemid=qid):
                         raise exceptions.Unauthorised, self._(
                             "You do not have permission to edit queries")
@@ -178,23 +184,24 @@ def handle(self):
                 # edit the new way, query name not a key any more
                 # see if we match an existing private query
                 uid = self.db.getuid()
-                qids = self.db.query.filter(None, {'name': queryname,
+                qids = self.db.query.filter(None, {'name': old_queryname,
                         'private_for': uid})
                 if not qids:
                     # ok, so there's not a private query for the current user
-                    # - see if there's a public one created by them
-                    qids = self.db.query.filter(None, {'name': queryname,
-                        'private_for': -1, 'creator': uid})
+                    # - see if there's one created by them
+                    qids = self.db.query.filter(None, {'name': old_queryname,
+                        'creator': uid})
 
                 if qids:
                     # edit query - make sure we get an exact match on the name
                     for qid in qids:
-                        if queryname != self.db.query.get(qid, 'name'):
+                        if old_queryname != self.db.query.get(qid, 'name'):
                             continue
                         if not self.hasPermission('Edit', 'query', itemid=qid):
                             raise exceptions.Unauthorised, self._(
                             "You do not have permission to edit queries")
-                        self.db.query.set(qid, klass=self.classname, url=url)
+                        self.db.query.set(qid, klass=self.classname,
+                            url=url, name=queryname)
                 else:
                     # create a query
                     if not self.hasPermission('Create', 'query'):
@@ -239,10 +246,9 @@ def fakeFilterVars(self):
 
             self.form.value.append(cgi.MiniFieldStorage('@filter', key))
 
-    FV_QUERYNAME = re.compile(r'[@:]queryname')
     def getQueryName(self):
-        for key in self.form.keys():
-            if self.FV_QUERYNAME.match(key):
+        for key in ('@queryname', ':queryname'):
+            if self.form.has_key(key):
                 return self.form[key].value.strip()
         return ''
 

templates/classic/html/issue.search.html

@@ -189,9 +189,11 @@
 </tr>
 
 <tr tal:condition="python:request.user.hasPermission('Edit', 'query')">
-<th i18n:translate="">Query name**:</th>
-<td><input name="@queryname"
-           tal:attributes="value request/form/@queryname/value | default"></td>
+ <th i18n:translate="">Query name**:</th>
+ <td tal:define="value request/form/@queryname/value | nothing">
+  <input name="@queryname" tal:attributes="value value">
+  <input type="hidden" name="@old-queryname" tal:attributes="value value">
+ </td>
 </tr>
 
 <tr>

templates/classic/html/query.edit.html

@@ -87,13 +87,19 @@
         tal:content="query/name">query</a></td>
 
  <td metal:use-macro="template/macros/include" />
- <td colspan="3" i18n:translate="">[not yours to edit]</td>
+
+ <td colspan="3" tal:condition="query/is_edit_ok">
+  <a tal:attributes="href string:query${query/id}" i18n:translate="">edit</a>
+ </td>
+ <td tal:condition="not:query/is_edit_ok" colspan="3"
+    i18n:translate="">[not yours to edit]</td>
+
 </tr>
 
 <tr><td colspan="5">
-        <input type="hidden" name="@action" value="edit">
-        <input type="hidden" name="@template" value="edit">
-        <input type="submit" value="Save Selection" i18n:attributes="value">
+   <input type="hidden" name="@action" value="edit">
+   <input type="hidden" name="@template" value="edit">
+   <input type="submit" value="Save Selection" i18n:attributes="value">
 </td></tr>
 
 </table>

templates/classic/schema.py

@@ -90,7 +90,7 @@
 
 # Assign the access and edit Permissions for issue, file and message
 # to regular users now
-for cl in 'issue', 'file', 'msg', 'query', 'keyword':
+for cl in 'issue', 'file', 'msg', 'keyword':
     db.security.addPermissionToRole('User', 'View', cl)
     db.security.addPermissionToRole('User', 'Edit', cl)
     db.security.addPermissionToRole('User', 'Create', cl)
@@ -113,6 +113,26 @@ def own_record(db, userid, itemid):
     description="User is allowed to edit their own user details")
 db.security.addPermissionToRole('User', p)
 
+# Users should be able to edit and view their own queries. They should also
+# be able to view any marked as not private. They should not be able to
+# edit others' queries, even if they're not private
+def view_query(db, userid, itemid):
+    private_for = db.query.get(itemid, 'private_for')
+    if not private_for: return True
+    return userid == private_for
+def edit_query(db, userid, itemid):
+    return userid == db.query.get(itemid, 'creator')
+p = db.security.addPermission(name='View', klass='query', check=view_query,
+    description="User is allowed to view their own and public queries")
+db.security.addPermissionToRole('User', p)
+p = db.security.addPermission(name='Edit', klass='query', check=edit_query,
+    description="User is allowed to edit their queries")
+db.security.addPermissionToRole('User', p)
+p = db.security.addPermission(name='Create', klass='query',
+    description="User is allowed to create queries")
+db.security.addPermissionToRole('User', p)
+
+
 #
 # ANONYMOUS USER PERMISSIONS
 #