[Plone-cvs] r27687 - in plone.app.portlets/trunk: . docs plone/app/portlets/browser

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Author: hannosch
Date: Sat Jun 27 16:11:42 2009
New Revision: 27687

Modified:
   plone.app.portlets/trunk/   (props changed)
   plone.app.portlets/trunk/docs/HISTORY.txt
   plone.app.portlets/trunk/plone/app/portlets/browser/editmanager.py
Log:
Merged /plone.app.portlets/branches/1.2:r26133


Modified: plone.app.portlets/trunk/docs/HISTORY.txt
==============================================================================

--- plone.app.portlets/trunk/docs/HISTORY.txt	(original)
+++ plone.app.portlets/trunk/docs/HISTORY.txt	Sat Jun 27 16:11:42 2009
@@ -66,6 +66,9 @@
 1.2rc1 - 2009-03-27
 -------------------
 
+- Added a permission check to portlets' add view.
+  Fixes http://dev.plone.org/plone/ticket/8510
+  [optilude]
 
 1.2b1 - 2009-03-07
 ------------------

Modified: plone.app.portlets/trunk/plone/app/portlets/browser/editmanager.py
==============================================================================
--- plone.app.portlets/trunk/plone/app/portlets/browser/editmanager.py	(original)
+++ plone.app.portlets/trunk/plone/app/portlets/browser/editmanager.py	Sat Jun 27 16:11:42 2009
@@ -13,6 +13,7 @@
 from zope.contentprovider.interfaces import UpdateNotCalled
 from zope.publisher.interfaces.browser import IDefaultBrowserLayer
 
+from AccessControl import Unauthorized
 from Acquisition import Explicit, aq_parent, aq_inner
 from Acquisition.interfaces import IAcquirer
  
@@ -140,11 +141,26 @@
         addviewbase = baseUrl.replace(self.context_url(), '')
         def sort_key(v):
             return v.get('title')
+        def check_permission(p):
+            addview = p.addview
+            if not addview:
+                return False
+            
+            addview = "%s/+/%s" % (addviewbase, addview,)
+            if addview.startswith('/'):
+                addview = addview[1:]
+            try:
+                self.context.restrictedTraverse(addview)
+            except (AttributeError, Unauthorized,):
+                return False
+            return True
+        
         portlets =  [{
             'title' : p.title,
             'description' : p.description,
             'addview' : '%s/+/%s' % (addviewbase, p.addview)
-            } for p in self.manager.getAddablePortletTypes()]
+            } for p in self.manager.getAddablePortletTypes() if check_permission(p)]
+        
         portlets.sort(key=sort_key)
         return portlets
 


