Issue 1045276
Created on 2004-10-12 12:16 by don_fu, last changed 2004-10-13 06:02 by a1s.
File name | Uploaded | Description
patch.txt | don_fu, 2004-10-12 12:16 |
msg1472 |
Author: [hidden] (don_fu) |
Date: 2004-10-12 12:16 |
|
When conducting a search, all matching items are
returned. This leads to problems when displaying the
search result to a user who does not have permission
to view all items. While items can be filtered in the
output template, the filtering should take place in the
core, so that hit-counts are also displayed correctly.
The proposed patch adds a method filterByPermission to
security.py that takes a list of itemids and returns a
list of itemids that the user is allowed to act upon.
filterByPermission is used in HtmlRequest.batch() to
reduce the result set.
|
msg1473 |
Author: [hidden] (richard) |
Date: 2004-10-12 23:43 |
|
A problem with this is that the index page might still raise a
permission error when it tries to display information attached to
an issue that the user doesn't have permission to view -
something we can't really test for just by generically testing
view permission on the issues.
That is, they have permission to view some issues, but for some
reason aren't allowed to view the username of the users
assigned to the issues.
|
msg1474 |
Author: [hidden] (a1s) |
Date: 2004-10-13 06:02 |
|
I agree with fu that the batches should be filtered by
item-level permissions.
Values and entry fields for disallowed attributes should be
blanked out by HTML rendering, or perhaps replaced with
some unavailability indicator, e.g.
'<font color="#ff0000"><strong>N/A</strong></font>'.
|
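The approach discussed in this thread, as an added example that is neither the submitted patch.txt nor Roundup's own code: item ids are filtered by item-level permission before batching, so the hit count matches what is shown, and properties the user may not read are rendered as N/A instead of raising a permission error. `Policy`, `ISSUES` and all function names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field

# Constructed sample data (issue id -> properties); not taken from any tracker.
ISSUES = {
    "1": {"title": "Public bug", "assignedto": "alice", "private": False},
    "2": {"title": "Embargoed vuln", "assignedto": "bob", "private": True},
    "3": {"title": "Docs typo", "assignedto": "carol", "private": False},
}


@dataclass
class Policy:
    """Hypothetical stand-in for a tracker's per-user security policy."""
    may_see_private: bool = False
    hidden_props: set = field(default_factory=set)

    def can_view_item(self, itemid):
        return self.may_see_private or not ISSUES[itemid]["private"]

    def can_view_prop(self, itemid, prop):
        # Property access requires item access plus a per-property check.
        return self.can_view_item(itemid) and prop not in self.hidden_props


def filter_by_permission(policy, itemids):
    """Keep only the ids the user may view, preserving search order."""
    return [i for i in itemids if policy.can_view_item(i)]


def batch(policy, matches, start=0, size=50):
    """Filter before slicing so neither the count nor the page leaks hidden items."""
    visible = filter_by_permission(policy, matches)
    return len(visible), visible[start:start + size]


def render_row(policy, itemid, props=("title", "assignedto")):
    """Replace unreadable properties with an indicator instead of raising."""
    item = ISSUES[itemid]
    return {p: item[p] if policy.can_view_prop(itemid, p) else "N/A" for p in props}


def search_page(policy, matches, start=0, size=50):
    """Return (hit count, rendered rows) for one page of search results."""
    total, page = batch(policy, matches, start, size)
    return total, [render_row(policy, i) for i in page]
```

Filtering in the template instead of in `batch()` would still report three hits to a user who can see only two, which discloses that a hidden item matched the query.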
Date | User | Action | Args
2004-10-12 12:16:56 | don_fu | create |