# HG changeset patch
# User Sylvain Thénault
# Date 1266504149 -3600
# Node ID 9d8903b0403152552b731380373b2d7c0491c5e7
# Parent 1b83a25cf9f5dbcbeec6332bc17a95f71fea6b2f
[reledit] fix #713217: reledit doesn't check 'update' permission on attributes

diff -r 1b83a25cf9f5 -r 9d8903b04031 web/views/editforms.py
--- a/web/views/editforms.py Thu Feb 18 15:42:09 2010 +0100
+++ b/web/views/editforms.py Thu Feb 18 15:42:29 2010 +0100
@@ -307,7 +307,7 @@
 # compute value, checking perms, build form
 if rschema.final:
 form = self._build_form(entity, rtype, role, 'base', default, reload, lzone)
- if not self.should_edit_attribute(entity, rschema, role, form):
+ if not self.should_edit_attribute(entity, rschema, form):
 self.w(entity.printable_value(rtype))
 return
 value = entity.printable_value(rtype) or default
@@ -330,14 +330,17 @@
 self.relation_form(lzone, value, form,
 self._build_renderer(entity, rtype, role))

- def should_edit_attribute(self, entity, rschema, role, form):
+ def should_edit_attribute(self, entity, rschema, form):
 rtype = str(rschema)
- ttype = rschema.targets(entity.__regid__, role)[0]
- afs = uicfg.autoform_section.etype_get(entity.__regid__, rtype, role, ttype)
+ rdef = entity.e_schema.rdef(rtype)
+ afs = uicfg.autoform_section.etype_get(
+ entity.__regid__, rtype, 'subject', rdef.object)
 if 'main_hidden' in afs or not entity.has_perm('update'):
 return False
+ if not rdef.has_perm(self._cw, 'update', eid=entity.eid):
+ return False
 try:
- form.field_by_name(rtype, 'subject', entity.e_schema)
+ form.field_by_name(rtype, 'subject', entity.e_schema)
 except FieldNotFound:
 return False
 return True
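Review bot: In the second hunk, `should_edit_attribute` now hard-codes the `'subject'` role and calls `entity.e_schema.rdef(rtype)` with no role or target type, so it is only correct for final relations, yet nothing in the method states or enforces that. The one caller visible in the first hunk does guard with `if rschema.final:`, so a comment such as `# only valid for final relations: an attribute's role is always 'subject'` would make the contract explicit. The new `rdef.has_perm(self._cw, 'update', eid=entity.eid)` test only decides whether the edit form is rendered; it deserves a comment saying it is a display-level check and that the write path must enforce the same attribute permission on its own, which presumably it does but is not visible here. Removing the positional `role` parameter also breaks any subclass override or external caller that still passes four arguments, so the signature change should be called out in the release notes. The patch touches only `web/views/editforms.py`; a view test with a user who has entity-level but not attribute-level 'update' would pin this regression.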