
sislau  committed 64e6be4

fixes #44. Check for permission in the frontend views. Hide links to actions the user is not allowed to perform in the history and in the rev_navigation

  • Parent commits c36f61f


Files changed (3)

File MoinMoin/apps/frontend/views.py

         item = Item.create(item_name, rev_id=rev)
     except AccessDenied:
         abort(403)
+    if not flaskg.user.may.write(item_name):
+        abort(403)
     if isinstance(item, NonExistent):
         abort(404, item_name)
     if request.method == 'GET':
         item = Item.create(item_name)
     except AccessDenied:
         abort(403)
+    if not flaskg.user.may.write(item_name):
+        abort(403)
     if isinstance(item, NonExistent):
         abort(404, item_name)
     if request.method == 'GET':
         item = Item.create(item_name)
     except AccessDenied:
         abort(403)
+    if not flaskg.user.may.write(item_name):
+        abort(403)
     if isinstance(item, NonExistent):
         abort(404, item_name)
     if request.method == 'GET':
         item = Item.create(item_name, rev_id=_rev)
     except AccessDenied:
         abort(403)
+    if not flaskg.user.may.destroy(item_name):
+        abort(403)
     if isinstance(item, NonExistent):
         abort(404, item_name)
     if request.method == 'GET':
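Review bot: The guard added at L19, L27, L35 and L43 is the same three lines with only the permission name changing; a small helper, e.g. `def _require(check, item_name):` / `    if not check(item_name): abort(403)` called as `_require(flaskg.user.may.write, item_name)`, would keep the four views in step when the rule changes. Hiding the action in the templates is presentation only, so it is right that the guard runs before the `request.method` branch and applies to POST as well as GET; whether the storage call on the POST path also enforces write/destroy is not visible here and is worth confirming. Each enclosing view function starts and ends outside the hunk.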

File MoinMoin/templates/history.html

                 <td><a href="{{ url_for('frontend.show_item_meta', item_name=doc.name, rev=doc.revid) }}">{{ _('meta') }}</a></td>
                 <td><a href="{{ url_for('frontend.download_item', item_name=doc.name, rev=doc.revid) }}">{{ _('download') }}</a></td>
                 <td><a href="{{ url_for('frontend.highlight_item', item_name=doc.name, rev=doc.revid) }}">{{ _('highlight') }}</a></td>
+                {% if user.may.write(item_name) -%}
                 <td><a href="{{ url_for('frontend.revert_item', item_name=doc.name, rev=doc.revid) }}">{{ _('revert') }}</a></td>
+                {%- endif %}
+                {% if user.may.destroy(item_name) -%}
                 <td><a href="{{ url_for('frontend.destroy_item', item_name=doc.name, rev=doc.revid) }}">{{ _('destroy') }}</a></td>
+                {%- endif %}
             </tr>
             {% endfor %}
             {% if bookmark_time %}
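Review bot: The new conditions at L54 and L57 test `item_name`, but the links they wrap are built from `doc.name`; if a history row can carry a different name than the page's `item_name` (for example after a rename), the permission would be evaluated for the wrong item. If `doc.name` always equals `item_name` here, a short comment, `{# doc.name == item_name for every row of this history #}`, would make that deliberate; otherwise use `user.may.write(doc.name)` and `user.may.destroy(doc.name)`. Hiding the cells does not restrict access by itself; the views still have to reject the request, which the views.py change in this commit does. The enclosing `{% for %}` loop starts outside the hunk.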

File MoinMoin/templates/itemviews.html

                'frontend.highlight_item', 'frontend.show_item_meta', 'frontend.download_item',
                'frontend.history', 'frontend.backrefs', 'frontend.sitemap',
                'frontend.similar_names',
-               'frontend.modify_item',
-               'frontend.copy_item', 'frontend.rename_item', 'frontend.delete_item', 'frontend.destroy_item',
+               'frontend.copy_item',
            ] -%}
             <li>
             <a href="{{ url_for(endpoint, item_name=item_name) }}" title="{{ title }}" rel="nofollow"> {{ label }}</a>
             </li>
         {%- endif %}
 
+		{% if endpoint in [
+            'frontend.modify_item', 'frontend.rename_item', 'frontend.delete_item', 'frontend.rename_item'
+           ] and user.may.write(item_name) -%}
+            <li>
+            <a href="{{ url_for(endpoint, item_name=item_name) }}" title="{{ title }}" rel="nofollow"> {{ label }}</a>
+            </li>
+        {%- endif %}
+        
+        {% if endpoint =='frontend.destroy_item' and user.may.destroy(item_name) -%}
+            <li>
+            <a href="{{ url_for(endpoint, item_name=item_name) }}" title="{{ title }}" rel="nofollow"> {{ label }}</a>
+            </li>
+        {%- endif %}
+
         {% if endpoint in [
             'frontend.global_history', 'frontend.global_index', 'frontend.global_tags',
             'admin.index',