[gen] Bugfix: slave groups; bugfix: security check for pod fields; security bugfix for pod fields: write access to the field is required for performing any freeze-related action; migration to Appy 0.9.0: dump frozen pod fields on disk; repaired test system for Appy 0.9.0; more explicit error message when using, on some field, a specific write or read permission that is not used in the workflow.

Gaetan Delannay 2014-05-14 15:10:41 +02:00
parent 61598b91f7
commit b4e6333472
9 changed files with 66 additions and 39 deletions


@ -393,6 +393,7 @@ class File(Field):
cfg = zobj.getProductConfig()
if isinstance(value, cfg.FileUpload) or isinstance(value, cfg.File):
# Cases a, b
value.filename = value.filename.replace('/', '-')
info.writeFile(self.name, value, dbFolder)
elif isinstance(value, UnmarshalledFile):
# Case c
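Review bot: The added sanitisation on `value.filename` replaces only `/`, so a name containing a backslash, or one that is exactly `.` or `..`, still reaches `info.writeFile(self.name, value, dbFolder)` unchanged. How `writeFile` joins the name to `dbFolder` is not visible here, so this is hedged, but on a Windows host the backslash is a path separator and some browsers submit the full client path in that form. I would extend the line to `value.filename = value.filename.replace('/', '-').replace('\\', '-')` and reject empty, `.` and `..` names before the write. The `UnmarshalledFile` branch (case c) starts right after this line and continues outside the hunk; it needs the same treatment if it also takes a file name from the input.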


@ -231,12 +231,12 @@ class UiGroup:
# PX that renders a group of fields (the group is refered as var "field").
pxView = Px('''
<x var="tagCss=field.master and ('slave_%s_%s' % \
(field.masterName, '_'.join(field.masterValue))) or '';
<x var="tagCss=field.master and ('slave*%s*%s' % \
(field.masterName, '*'.join(field.masterValue))) or '';
widgetCss=field.css_class;
groupCss=tagCss and ('%s %s' % (tagCss, widgetCss)) or widgetCss;
tagName=field.master and 'slave' or '';
tagId='%s_%s' % (zobj.UID(), field.name)">
tagId='%s_%s' % (zobj.id, field.name)">
<!-- Render the group as a fieldset if required -->
<fieldset if="field.style == 'fieldset'">
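Review bot: The new `tagCss` value joins `field.masterName` and every entry of `field.masterValue` with `*`, but nothing in this section says who parses that string or guarantees that the parts contain no `*`, whitespace or quote characters. A master value with a space would split the class attribute into several tokens, and one with `*` would make the name ambiguous for any code that splits it; whether PX escapes the interpolated value for the attribute is also not visible here. I would extend the comment above `pxView` to state the contract, e.g. `# Slave groups get the CSS class "slave*<masterName>*<value1>*<value2>..."; master values must not contain "*" or whitespace.` The PX string continues past the end of the hunk.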


@ -278,9 +278,9 @@ class Pod(Field):
template = template or self.template[0]
format = format or 'odt'
# Security check.
if not noSecurity and not queryData and \
not self.showTemplate(obj, template):
raise Exception(self.UNAUTHORIZED)
if not noSecurity and not queryData:
if self.showTemplate and not self.showTemplate(obj, template):
raise Exception(self.UNAUTHORIZED)
# Return the possibly frozen document (not applicable for query-related
# pods).
if not queryData:
@ -445,7 +445,9 @@ class Pod(Field):
def getFreezeFormats(self, obj, template=None):
'''What are the formats into which the current user may freeze
p_template?'''
# Manager can always perform freeze actions.
# One may have the right to edit the field to freeze anything in it.
if not obj.o.mayEdit(self.writePermission): return ()
# Manager can perform all freeze actions.
template = template or self.template[0]
isManager = obj.user.has_role('Manager')
if isManager: return self.getAllFormats(template)
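Review bot: In the first hunk (around line 278) the template check now runs only when `self.showTemplate` is set, so a pod field without `showTemplate` passes the security check for every template, and a truthy `queryData` or `noSecurity` skips it altogether. The earlier form called `self.showTemplate(obj, template)` unconditionally; if an unset `showTemplate` is meant as "no per-template restriction", the comment should say so, e.g. `# Security check. An unset showTemplate means no per-template restriction; the field-level read permission is assumed to be enforced by the caller.`, and it is worth confirming that `queryData` and `noSecurity` can never be set from request parameters (not visible here). In the second hunk the new comment reads "One may have the right to edit the field" where "must" is meant. `getFreezeFormats` only lists the available formats, so the freeze and unfreeze methods themselves need the same `mayEdit(self.writePermission)` guard if they do not already have it. Both enclosing methods start or end outside their hunks.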