fix bug introduced into CSV export and view (issue 2550529)

Author: Richard Jones

CHANGES.txt

@@ -1,6 +1,12 @@
 This file contains the changes to the Roundup system over time. The entries
 are given with the most recent entry first.
 
+2009-03-?? 1.4.8
+
+Fixes:
+- bug introduced into CVS export and view
+
+
 2009-03-13 1.4.7 (r4202)
 
 Features:

roundup/cgi/actions.py

@@ -1041,7 +1041,7 @@ def handle(self):
             row = []
             for name in columns:
                 # check permission to view this property on this item
-                if exists and not self.hasPermission('View', itemid=itemid,
+                if not self.hasPermission('View', itemid=itemid,
                         classname=request.classname, property=name):
                     raise exceptions.Unauthorised, self._(
                         'You do not have permission to view %(class)s'

roundup/cgi/templating.py

@@ -624,7 +624,6 @@ def csv(self):
                         classname=self._klass.classname, property=name):
                     raise Unauthorised('view', self._klass.classname,
                         translator=self._client.translator)
-                row.append(str(klass.get(itemid, name)))
                 value = self._klass.get(nodeid, name)
                 if value is None:
                     l.append('')

share/roundup/templates/classic/html/user.index.html

@@ -34,7 +34,7 @@
  <td tal:content="python:user.address.email() or default">&nbsp;</td>
  <td tal:content="python:user.phone.plain() or default">&nbsp;</td>
  <td tal:condition="context/is_retire_ok">
-    <form style="padding:0"
+    <form style="padding:0" method="POST"
           tal:attributes="action string:user${user/id}">
      <input type="hidden" name="@template" value="index">
      <input type="hidden" name="@action" value="retire">

test/test_cgi.py

@@ -10,14 +10,16 @@
 #
 # $Id: test_cgi.py,v 1.36 2008-08-07 06:12:57 richard Exp $
 
-import unittest, os, shutil, errno, sys, difflib, cgi, re
+import unittest, os, shutil, errno, sys, difflib, cgi, re, StringIO
 
 from roundup.cgi import client, actions, exceptions
 from roundup.cgi.exceptions import FormError
 from roundup.cgi.templating import HTMLItem
 from roundup.cgi.form_parser import FormParser
 from roundup import init, instance, password, hyperdb, date
 
+from mocknull import MockNull
+
 import db_test_base
 
 NEEDS_INSTANCE = 1
@@ -614,13 +616,13 @@ def testBackwardsCompat(self):
     # SECURITY
     #
     # XXX test all default permissions
-    def _make_client(self, form, classname='user', nodeid='2', userid='2'):
+    def _make_client(self, form, classname='user', nodeid='1', userid='2'):
         cl = client.Client(self.instance, None, {'PATH_INFO':'/',
             'REQUEST_METHOD':'POST'}, makeForm(form))
         cl.classname = 'user'
-        cl.nodeid = '1'
+        cl.nodeid = nodeid
         cl.db = self.db
-        cl.userid = '2'
+        cl.userid = userid
         cl.language = ('en',)
         return cl
 
@@ -646,6 +648,33 @@ def own_record(db, userid, itemid): return userid == itemid
         self.failUnlessRaises(exceptions.Unauthorised,
             actions.EditItemAction(cl).handle)
 
+    def testCSVExport(self):
+        cl = self._make_client({'@columns': 'id,name'}, nodeid=None,
+            userid='1')
+        cl.classname = 'status'
+        output = StringIO.StringIO()
+        cl.request = MockNull()
+        cl.request.wfile = output
+        actions.ExportCSVAction(cl).handle()
+        self.assertEquals('id,name\r\n1,unread\r\n2,deferred\r\n3,chatting\r\n'
+            '4,need-eg\r\n5,in-progress\r\n6,testing\r\n7,done-cbb\r\n'
+            '8,resolved\r\n',
+            output.getvalue())
+
+    def testCSVExportFailPermission(self):
+        cl = self._make_client({'@columns': 'id,email,password'}, nodeid=None,
+            userid='2')
+        cl.classname = 'user'
+        output = StringIO.StringIO()
+        cl.request = MockNull()
+        cl.request.wfile = output
+        self.assertRaises(exceptions.Unauthorised,
+            actions.ExportCSVAction(cl).handle)
+
+
+def test_suite():
+    suite = unittest.TestSuite()
+
 def test_suite():
     suite = unittest.TestSuite()
     suite.addTest(unittest.makeSuite(FormTestCase))