@@ -72,7 +72,7 @@ class node. Any parts of other types are each stored in separate files
7272an exception, the original message is bounced back to the sender with the
7373explanatory message given in the exception.
7474
75- $Id: mailgw.py,v 1.159.2.8 2005-09-28 05:49:23 richard Exp $
75+ $Id: mailgw.py,v 1.159.2.9 2006-01-25 03:21:38 richard Exp $
7676"""
7777__docformat__ = 'restructuredtext'
7878
@@ -806,10 +806,14 @@ def handle_message(self, message):
806806 raise Unauthorized , 'You are not permitted to access ' \
807807 'this tracker.'
808808
809- # make sure they're allowed to edit this class of information
810- if not self .db .security .hasPermission ('Edit' , author , classname ):
811- raise Unauthorized , 'You are not permitted to edit %s.' % classname
812-
809+ # make sure they're allowed to edit or create this class of information
810+ if nodeid :
811+ if not self .db .security .hasPermission ('Edit' , author , classname ):
812+ raise Unauthorized , 'You are not permitted to edit %s.' % classname
813+ else :
814+ if not self .db .security .hasPermission ('Create' , author , classname ):
815+ raise Unauthorized , 'You are not permitted to create %s.' % classname
816+
813817 # the author may have been created - make sure the change is
814818 # committed before we reopen the database
815819 self .db .commit ()
@@ -896,6 +900,8 @@ def handle_message(self, message):
896900 if properties .has_key ('files' ):
897901 files = []
898902 for (name , mime_type , data ) in attachments :
903+ if not self .db .security .hasPermission ('Create' , author , 'file' ):
904+ raise Unauthorized , 'You are not permitted to create files.'
899905 if not name :
900906 name = "unnamed"
901907 try :
@@ -906,6 +912,9 @@ def handle_message(self, message):
906912 else :
907913 files .append (fileid )
908914 # attach the files to the issue
915+ if not self .db .security .hasPermission ('Edit' , author , classname , 'files' ):
916+ raise Unauthorized , 'You are not permitted to add files to %s.' % classname
917+
909918 if nodeid :
910919 # extend the existing files list
911920 fileprop = cl .get (nodeid , 'files' )
@@ -919,6 +928,9 @@ def handle_message(self, message):
919928 # create the message if there's a message body (content)
920929 #
921930 if (content and properties .has_key ('messages' )):
931+ if not self .db .security .hasPermission ('Create' , author , 'msg' ):
932+ raise Unauthorized , 'You are not permitted to create messages.'
933+
922934 try :
923935 message_id = self .db .msg .create (author = author ,
924936 recipients = recipients , date = date .Date ('.' ),
@@ -930,6 +942,9 @@ def handle_message(self, message):
930942%s
931943''' % error
932944 # attach the message to the node
945+ if not self .db .security .hasPermission ('Edit' , author , classname , 'messages' ):
946+ raise Unauthorized , 'You are not permitted to add messages to %s.' % classname
947+
933948 if nodeid :
934949 # add the message to the node's list
935950 messages = cl .get (nodeid , 'messages' )
@@ -949,6 +964,12 @@ def handle_message(self, message):
949964 for prop in issue_props .keys () :
950965 if not props .has_key (prop ) :
951966 props [prop ] = issue_props [prop ]
967+
968+ # Check permissions for each property
969+ for prop in props .keys ():
970+ if not self .db .security .hasPermission ('Edit' , author , classname , prop ):
971+ raise Unauthorized , 'You are not permitted to edit property %s of class %s.' % (prop ,classname )
972+
952973 if nodeid :
953974 cl .set (nodeid , ** props )
954975 else :
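Review bot: The property-level checks added at new lines 915 and 945 run after the side effects they are meant to gate: the `'files'` check follows the attachment loop that has already collected `fileid`s, and the `'messages'` check follows `self.db.msg.create(...)`. Whether an `Unauthorized` raised at that point rolls back the pending file and msg nodes is not visible here, because handle_message starts and ends outside these hunks, so I would move both checks ahead of the creation code, next to the `'Create'` checks. The `hasPermission('Create', author, 'file')` test at 903 is loop-invariant and can sit once above `for (name, mime_type, data) in attachments:`. The class-level check at 810-815 picks `'Edit'` or `'Create'` by `nodeid`, but the per-property checks at 915, 945 and 970 always ask for `'Edit'`, even when the node is about to be created; if a create-only sender is meant to be able to open a new item by mail, that should be confirmed and stated in a comment above the loop.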