Bug in context/properties, lists properties user can't search.


John P. Rouillard
Hi all:

In templating.py the method properties() (used as context/properties
in templates) returns the properties of the class. It is used to
create the select dropdowns for sorting and grouping on index pages.

However it returns all properties and doesn't check to see if the user
can actually search that property.

I have changed it to read:

    def properties(self, sort=1, cansearch=True): # added cansearch arg
        """ Return HTMLProperty for allowed class' properties.
        """
        l = []
        canSearch=self._db.security.hasSearchPermission
        userid=self._db.getuid()
        for name, prop in self._props.items():
            # added next three lines
            if cansearch and \
               not canSearch(userid, self._classname, name):
                continue
            for klass, htmlklass in propclasses:
                if isinstance(prop, klass):
                    value = prop.get_default_value()
                    l.append(htmlklass(self._client, self._classname, '',
                                       prop, name, value, self._anonymous))
        if sort:
            l.sort(lambda a,b:cmp(a._name, b._name))
        return l

The additions verify that the userid has access to the property "name"
in the class. This is the default mode, but can be switched off if
needed by referencing it as:

    python:context.properties(cansearch=False)

in the templates. Does anybody have any comments on this? Are there
any cases where this may be a problem?

For a little background, the Anonymous user in my tracker can search
for a subset of the issue properties. This doesn't include the
activity or creator fields. However on the issue index page, I was
able to choose sort by activity. But it didn't actually work since the
user can't search by activity (it sorted by id). With the patch above,
the unsearchable fields are not displayed in the select boxes for sort
or group.

Have a great week all.

--

                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Roundup-devel mailing list
https://lists.sourceforge.net/lists/listinfo/roundup-devel
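
An added illustration, not part of the original post and not Roundup's code: a stand-alone model in which the sort/group dropdown and the server-side check of a requested sort key both use the same search-permission predicate, so a refused key is reported rather than silently replaced by id. The `Security` stand-in, `searchable_properties`, `sanitize_sort`, the sample grants and the `+`/`-` direction prefix are assumptions made for the example.

```python
# Stand-alone model (constructed): not Roundup's classes, only the same idea.
class Security:
    """Maps role -> {classname: set of searchable property names}."""
    def __init__(self, grants, roles):
        self.grants = grants      # constructed sample grants
        self.roles = roles        # userid -> role

    def hasSearchPermission(self, userid, classname, propname):
        role = self.roles.get(userid)
        return propname in self.grants.get(role, {}).get(classname, set())


def searchable_properties(security, userid, classname, props, cansearch=True):
    """Names to offer in the sort/group dropdowns, sorted by name."""
    return sorted(p for p in props
                  if not cansearch
                  or security.hasSearchPermission(userid, classname, p))


def sanitize_sort(security, userid, classname, props, requested, default="id"):
    """Server-side check of a requested sort key such as '-activity'.

    Returns (key, rejected): the key to use and whether the request was
    refused, so the fallback can be logged instead of happening silently.
    """
    name = requested.lstrip("+-")  # assumed direction prefix
    if name in props and security.hasSearchPermission(userid, classname, name):
        return requested, False
    return default, True


# Constructed sample data: Anonymous may search only a subset of issue fields.
ISSUE_PROPS = ["activity", "creator", "id", "status", "title"]
SECURITY = Security(
    grants={"Anonymous": {"issue": {"id", "status", "title"}},
            "User": {"issue": set(ISSUE_PROPS)}},
    roles={"2": "Anonymous", "3": "User"},
)

if __name__ == "__main__":
    print(searchable_properties(SECURITY, "2", "issue", ISSUE_PROPS))
    print(searchable_properties(SECURITY, "2", "issue", ISSUE_PROPS, cansearch=False))
    print(sanitize_sort(SECURITY, "2", "issue", ISSUE_PROPS, "-activity"))
    print(sanitize_sort(SECURITY, "3", "issue", ISSUE_PROPS, "-activity"))
```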