Bug in context/properties, lists properties user can't search.
In templating.py the method properties() (used as context/properties
in templates) returns the properties of the class. It is used to
create the select dropdowns for sorting and grouping on index pages.
However it returns all properties and doesn't check to see if the user
can actually search that property.
I have changed it to read:
def properties(self, sort=1, cansearch=True): # added cansearch arg
""" Return HTMLProperty for allowed class' properties.
l = 
for name, prop in self._props.items():
# added next three lines
if cansearch and \
not canSearch(userid, self._classname, name):
for klass, htmlklass in propclasses:
if isinstance(prop, klass):
value = prop.get_default_value()
l.append(htmlklass(self._client, self._classname, '',
prop, name, value, self._anonymous))
l.sort(lambda a,b:cmp(a._name, b._name))
The additions verify that the userid has access to the property "name"
in the class. This is the default mode, but can be switched off if
needed by referencing it as:
in the templates. Does anybody have any comments on this? Are there
any cases where this maybe a problem?
For a little background, the Anonymous user in my tracker can search
for a subset of the issue properties. This doesn't include the
activity or creator fields. However on the issue index page, I was
able to choose sort by activity. But it didn't actually work since the
user can't search by activity (it sorted by id). With the patch above,
the unsearchable fields are not displayed in the select boxes for sort
Have a great week all.
My employers don't acknowledge my existence much less my opinions.