[gen] Bugfix: slave groups; bugfix: security check for pod fields; security bugfix for pod fields: write access to the field is required for performing any freeze-related action; migration to Appy 0.9.0: dump frozen pod fields on disk; repaired test system for Appy 0.9.0; more explicit error message when using, on some field, a specific write or read permission that is not used in the workflow.

2014-05-14 15:10:41 +02:00 · 2014-05-14 15:10:41 +02:00 · b4e6333472
commit b4e6333472
parent 61598b91f7
9 changed files with 66 additions and 39 deletions
--- a/fields/pod.py
+++ b/fields/pod.py
@ -278,9 +278,9 @@ class Pod(Field):
        template = template or self.template[0]
        format = format or 'odt'
        # Security check.
-        if not noSecurity and not queryData and \
-           not self.showTemplate(obj, template):
-            raise Exception(self.UNAUTHORIZED)
+        if not noSecurity and not queryData:
+            if self.showTemplate and not self.showTemplate(obj, template):
+                raise Exception(self.UNAUTHORIZED)
        # Return the possibly frozen document (not applicable for query-related
        # pods).
        if not queryData:
@ -445,7 +445,9 @@ class Pod(Field):
    def getFreezeFormats(self, obj, template=None):
        '''What are the formats into which the current user may freeze
           p_template?'''
-        # Manager can always perform freeze actions.
+        # One may have the right to edit the field to freeze anything in it.
+        if not obj.o.mayEdit(self.writePermission): return ()
+        # Manager can perform all freeze actions.
        template = template or self.template[0]
        isManager = obj.user.has_role('Manager')
        if isManager: return self.getAllFormats(template)