[reledit] fix #713217: reledit doesn't check 'update' permission on attributes stable
author Sylvain Thénault <sylvain.thenault@logilab.fr>
Thu, 18 Feb 2010 15:42:29 +0100
branch stable
changeset 4641 9d8903b04031
parent 4640 1b83a25cf9f5
child 4642 606364845c34
child 4643 921737d2e3a8
[reledit] fix #713217: reledit doesn't check 'update' permission on attributes
web/views/editforms.py
--- a/web/views/editforms.py	Thu Feb 18 15:42:09 2010 +0100
+++ b/web/views/editforms.py	Thu Feb 18 15:42:29 2010 +0100
@@ -307,7 +307,7 @@
         # compute value, checking perms, build form
         if rschema.final:
             form = self._build_form(entity, rtype, role, 'base', default, reload, lzone)
-            if not self.should_edit_attribute(entity, rschema, role, form):
+            if not self.should_edit_attribute(entity, rschema, form):
                 self.w(entity.printable_value(rtype))
                 return
             value = entity.printable_value(rtype) or default
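Review bot: Dropping `role` from the `should_edit_attribute` call changes a method signature on the stable branch, so a subclass that still overrides it with the old `(entity, rschema, role, form)` parameters would raise a TypeError from this call site. Whether such overrides exist outside this file cannot be seen here; if they may, the signature change should be called out in the release notes for this stable version. The enclosing method starts and ends outside the hunk.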
@@ -330,14 +330,17 @@
         self.relation_form(lzone, value, form,
                            self._build_renderer(entity, rtype, role))
 
-    def should_edit_attribute(self, entity, rschema, role, form):
+    def should_edit_attribute(self, entity, rschema, form):
         rtype = str(rschema)
-        ttype = rschema.targets(entity.__regid__, role)[0]
-        afs = uicfg.autoform_section.etype_get(entity.__regid__, rtype, role, ttype)
+        rdef = entity.e_schema.rdef(rtype)
+        afs = uicfg.autoform_section.etype_get(
+            entity.__regid__, rtype, 'subject', rdef.object)
         if 'main_hidden' in afs or not entity.has_perm('update'):
             return False
+        if not rdef.has_perm(self._cw, 'update', eid=entity.eid):
+            return False
         try:
-            form.field_by_name(rtype, role, entity.e_schema)
+            form.field_by_name(rtype, 'subject', entity.e_schema)
         except FieldNotFound:
             return False
         return True
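Review bot: The added `rdef.has_perm(self._cw, 'update', eid=entity.eid)` test only decides whether the inline edit form is rendered, so it fixes the display side of #713217 but does not by itself protect the write path. The code that applies the submitted edit is not shown in this diff; it is worth confirming that the attribute-level 'update' permission is enforced there as well, since a view-level check is not an authorization boundary. The method also now hard-codes `'subject'` and calls `entity.e_schema.rdef(rtype)` without a role, which presumably holds because it is only reached when `rschema.final` is true; a docstring such as `"""return True if the attribute for final rschema may be edited inline (attributes are always subject relations)"""` would make that precondition explicit. The changeset touches only editforms.py, so a regression test with a user who has entity-level but not attribute-level 'update' permission would be a useful addition.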