From: Hanno S. <svn...@pl...> - 2009-06-27 16:11:47
Author: hannosch Date: Sat Jun 27 16:11:42 2009 New Revision: 27687 Modified: plone.app.portlets/trunk/ (props changed) plone.app.portlets/trunk/docs/HISTORY.txt plone.app.portlets/trunk/plone/app/portlets/browser/editmanager.py Log: Merged /plone.app.portlets/branches/1.2:r26133 Modified: plone.app.portlets/trunk/docs/HISTORY.txt ============================================================================== --- plone.app.portlets/trunk/docs/HISTORY.txt (original) +++ plone.app.portlets/trunk/docs/HISTORY.txt Sat Jun 27 16:11:42 2009 @@ -66,6 +66,9 @@ 1.2rc1 - 2009-03-27 ------------------- +- Added a permission check to portlets' add view. + Fixes http://dev.plone.org/plone/ticket/8510 + [optilude] 1.2b1 - 2009-03-07 ------------------ Modified: plone.app.portlets/trunk/plone/app/portlets/browser/editmanager.py ============================================================================== --- plone.app.portlets/trunk/plone/app/portlets/browser/editmanager.py (original) +++ plone.app.portlets/trunk/plone/app/portlets/browser/editmanager.py Sat Jun 27 16:11:42 2009 @@ -13,6 +13,7 @@ from zope.contentprovider.interfaces import UpdateNotCalled from zope.publisher.interfaces.browser import IDefaultBrowserLayer +from AccessControl import Unauthorized from Acquisition import Explicit, aq_parent, aq_inner from Acquisition.interfaces import IAcquirer 
@@ -140,11 +141,26 @@ addviewbase = baseUrl.replace(self.context_url(), '') def sort_key(v): return v.get('title') + def check_permission(p): + addview = p.addview + if not addview: + return False + + addview = "%s/+/%s" % (addviewbase, addview,) + if addview.startswith('/'): + addview = addview[1:] + try: + self.context.restrictedTraverse(addview) + except (AttributeError, Unauthorized,): + return False + return True + portlets = [{ 'title' : p.title, 'description' : p.description, 'addview' : '%s/+/%s' % (addviewbase, p.addview) - } for p in self.manager.getAddablePortletTypes()] + } for p in self.manager.getAddablePortletTypes() if check_permission(p)] + portlets.sort(key=sort_key) return portlets |
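Review bot: The `except (AttributeError, Unauthorized,)` clause in `check_permission` may not cover every way the traversal can fail, so a portlet type whose add view name does not resolve could raise something else (for example `KeyError`, or Zope's `NotFound`, depending on the traverser) and break rendering of the whole addable-portlet list instead of hiding that one entry. I would widen it to `except (AttributeError, KeyError, Unauthorized):` and put a comment above the `try`, such as `# Traverse as the current user; any failure means this type is not offered.` This filter only decides which entries are listed, so the permission declared on each add view remains the actual enforcement point; that registration is not visible in this hunk and should be confirmed separately. The enclosing method begins outside the hunk.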