Roundup Tracker - Issues

Issue 2550812

classification
Filter not working in issue.index.html
Type: behavior Severity: major
Components: Web interface Versions: 1.4
process
Status: closed Resolution: works for me
Nosy: MichaelChou, schlatterbeck
Priority:

Created on 2013-05-22 17:14 by MichaelChou, last changed 2014-03-31 18:54 by schlatterbeck.

Messages
msg4900 Author: [hidden] (MichaelChou) Date: 2013-05-22 17:14
In schema.py, I changed this:
    db.security.addPermissionToRole('User', 'View', 'issue')
to this:
    def own_issue(db, userid, itemid):
        return userid == db.issue.get(itemid, 'creator')
    p = db.security.addPermission(name='View', klass='issue',
        check=own_issue)
    db.security.addPermissionToRole('User', p)

After this change, I found filter(filterspec, sort, group) stopped
working in issue.index, listing all issues that the current user created,
regardless of the filter applied in the URL. This only affects the User Role,
while the Admin Role has no problem.

I put this:
    <span tal:content="request/filterspec"></span>
    <span tal:content="request/group"></span>
    <span tal:content="request/sort"></span>
in issue.index.html.
And I saw empty values in the not-working case mentioned above.

So issue.index.html doesn't get these values.
msg5052 Author: [hidden] (schlatterbeck) Date: 2014-03-31 18:54
This is because search permissions in roundup are different from view
permissions. By default a view permission *without* a check function (as
in the statement you removed from schema.py) also automatically creates
a search permission. But if you have a check function you have to add a
search permission like so:

db.security.addPermissionToRole('User', 'Search', 'issue')

After this you should be able to search again. The restriction is there
so that users restricted by a check function can't circumvent the view
permission by specifying search conditions that give them information
about certain restricted properties. This security concern does not
apply to your check function but this cannot be determined automatically.
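
Added example (not part of either message above, and not Roundup's own code): a simplified, self-contained model of the rule described in msg5052, where a View permission without a check function implies search, a View permission with a check function does not, and the check still applies to every hit once Search is granted. ToySecurity, filter_issues and the issue data are hypothetical; dropping the filterspec mirrors the symptom reported in msg4900.

```python
# Simplified model of the View/Search rule; NOT Roundup's implementation.
# ToySecurity and filter_issues are hypothetical names for illustration.

class ToySecurity:
    def __init__(self):
        self.grants = {}  # role -> list of (name, klass, check)

    def grant(self, role, name, klass, check=None):
        self.grants.setdefault(role, []).append((name, klass, check))

    def can_search(self, role, klass):
        for name, k, check in self.grants.get(role, []):
            if k != klass:
                continue
            # An explicit Search grant, or a View grant with no check
            # function, allows filtering on the class.
            if name == 'Search' or (name == 'View' and check is None):
                return True
        return False

    def can_view(self, role, klass, db, userid, itemid):
        return any(name == 'View' and k == klass and
                   (check is None or check(db, userid, itemid))
                   for name, k, check in self.grants.get(role, []))


def own_issue(db, userid, itemid):
    # Same shape as the check function in msg4900, on a plain dict.
    return userid == db[itemid]['creator']


def filter_issues(sec, role, db, userid, filterspec):
    # Without search permission the filterspec is dropped.
    if not sec.can_search(role, 'issue'):
        filterspec = {}
    hits = [i for i, item in db.items()
            if all(item[p] == v for p, v in filterspec.items())]
    # The View check is still applied to every hit.
    return sorted(i for i in hits
                  if sec.can_view(role, 'issue', db, userid, i))


ISSUES = {  # constructed sample data
    '1': {'creator': 'u1', 'status': 'open'},
    '2': {'creator': 'u1', 'status': 'closed'},
    '3': {'creator': 'u2', 'status': 'open'},
}
```
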
History
Date                 User           Action  Args
2014-03-31 18:54:01  schlatterbeck  set     status: new -> closed
                                            resolution: works for me
                                            messages: + msg5052
                                            nosy: + schlatterbeck
2013-05-22 17:14:05  MichaelChou    create