# HG changeset patch
# User Thierry Florac
# Date 1494926646 -7200
# Node ID 01a2ab1f4bd871d5f9dbccffd8f3745cb5b9571f
# Parent b10a699c55591cd9aaa7cd632544be4581fee11d
Updated permissions
diff -r b10a699c5559 -r 01a2ab1f4bd8 src/pyams_thesaurus/zmi/thesaurus.py
--- a/src/pyams_thesaurus/zmi/thesaurus.py Tue May 16 11:23:23 2017 +0200
+++ b/src/pyams_thesaurus/zmi/thesaurus.py Tue May 16 11:24:06 2017 +0200
@@ -23,7 +23,7 @@
 from pyams_skin.interfaces import IPageHeader, IInnerPage
 from pyams_skin.interfaces.container import ITableElementName, ITableElementEditor
 from pyams_skin.interfaces.viewlet import IToolbarAddingMenu
-from pyams_thesaurus.interfaces import MANAGE_THESAURUS_CONTENT_PERMISSION
+from pyams_thesaurus.interfaces import ADMIN_THESAURUS_PERMISSION, MANAGE_THESAURUS_EXTRACT_PERMISSION
 from pyams_thesaurus.interfaces.loader import IThesaurusLoader, IThesaurusUpdaterConfiguration, \
 IThesaurusExporterConfiguration, IThesaurusExporter
 from pyams_thesaurus.interfaces.thesaurus import IThesaurusInfo, IThesaurus, IThesaurusExtracts
@@ -59,7 +59,7 @@
 from pyams_zmi.view import InnerAdminView
 from pyramid.events import subscriber
 from pyramid.exceptions import NotFound
-from pyramid.httpexceptions import HTTPBadRequest
+from pyramid.httpexceptions import HTTPBadRequest, HTTPUnauthorized
 from pyramid.response import Response
 from pyramid.url import resource_url
 from pyramid.view import view_config
@@ -202,7 +202,7 @@
 fields = field.Fields(IThesaurusInfo).select('name', 'title', 'subject', 'description', 'language', 'creator', 'publisher', 'created')
 ajax_handler = 'properties.json'
- edit_permission = MANAGE_SYSTEM_PERMISSION
+ edit_permission = ADMIN_THESAURUS_PERMISSION
 def updateWidgets(self, prefix=None):
 super(ThesaurusPropertiesEditForm, self).updateWidgets(prefix)
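Review bot: The rewritten import from `pyams_thesaurus.interfaces` in the `@@ -23,7` hunk adds two names, but later hunks of this changeset also reference `VIEW_PERMISSION` (switch-extract.json) and `VIEW_SYSTEM_PERMISSION` (export.xml), and no visible hunk imports either of them. They may already be imported in a part of the file the diff does not show; if they are not, the module fails with a NameError as soon as the decorators are evaluated at import time. The same line drops `MANAGE_THESAURUS_CONTENT_PERMISSION`, so it is worth confirming that no view left in this module still uses it.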
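Review bot: `edit_permission = ADMIN_THESAURUS_PERMISSION` in the `@@ -202,7` hunk and the `permission=` of the properties.json view in the `@@ -213,7` hunk are two independent copies of the same constant, so a later change to one leaves the other behind, and the form can render as editable while the AJAX view refuses the save, or the reverse. A comment on the attribute such as `# must match the permission of the 'properties.json' view` would make the coupling explicit. The changeset does not show which roles are granted ADMIN_THESAURUS_PERMISSION, so it cannot be confirmed from here that system managers keep access once MANAGE_SYSTEM_PERMISSION is no longer the gate. The class body starts and continues outside this hunk.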
@@ -213,7 +213,7 @@
 @view_config(name='properties.json', context=IThesaurus, request_type=IPyAMSLayer,
- permission=MANAGE_SYSTEM_PERMISSION, renderer='json', xhr=True)
+ permission=ADMIN_THESAURUS_PERMISSION, renderer='json', xhr=True)
 class ThesaurusPropertiesAJAXEditForm(AJAXEditForm, ThesaurusPropertiesEditForm):
 """Thesaurus properties edit form, AJAX view"""
@@ -332,7 +332,7 @@
 @view_config(name='switch-extract.json', context=IThesaurus, request_type=IPyAMSLayer,
- permission=MANAGE_THESAURUS_CONTENT_PERMISSION, renderer='json', xhr=True)
+ permission=VIEW_PERMISSION, renderer='json', xhr=True)
 def switch_term_extract(request):
 """Term extract switcher"""
 label = request.params.get('term')
@@ -346,6 +346,8 @@
 extract = IThesaurusExtracts(thesaurus).get(extract_name)
 if extract is None:
 raise HTTPBadRequest("Extract not found")
+ if not request.has_permission(MANAGE_THESAURUS_EXTRACT_PERMISSION, context=extract):
+ raise HTTPUnauthorized("You are not authorized to update this extract")
 if extract.name in (term.extracts or ()):
 extract.remove_term(term)
 else:
@@ -361,7 +363,7 @@
 #
 @viewlet_config(name='import.menu', context=IThesaurus, layer=IAdminLayer, manager=IThesaurusTermsMenu,
- permission=MANAGE_SYSTEM_PERMISSION, weight=10)
+ permission=ADMIN_THESAURUS_PERMISSION, weight=10)
 class ThesaurusImportMenuItem(MenuItem):
 """Thesaurus import menu"""
@@ -379,7 +381,8 @@
 add = button.Button(name='add', title=_("Import terms"))
-@pagelet_config(name='import.html', context=IThesaurus, layer=IPyAMSLayer, permission=MANAGE_SYSTEM_PERMISSION)
+@pagelet_config(name='import.html', context=IThesaurus, layer=IPyAMSLayer,
+ permission=ADMIN_THESAURUS_PERMISSION)
 class ThesaurusImportForm(AdminDialogAddForm):
 """Thesaurus import form"""
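Review bot: With `permission=VIEW_PERMISSION` on switch-extract.json (hunk `@@ -332,7`), the view declaration no longer protects a state-changing endpoint; the only gate left is the `request.has_permission` call added in the `@@ -346,6` hunk, and anyone auditing view registrations will read this as a mutating view open to every viewer. I would add a comment above the decorator, for example `# write access is checked per extract inside the view (MANAGE_THESAURUS_EXTRACT_PERMISSION)`. The decorator also sets no request method while the body reads `request.params`, which Pyramid fills from the query string as well as the form body, so adding `request_method='POST'` would keep the switch from being triggered by a plain GET, provided the client already posts. The function body continues past the end of this hunk.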
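Review bot: The check added in the `@@ -346,6` hunk raises `HTTPUnauthorized`, which is a 401 and tells the client that authentication is missing, whereas here the user is identified and simply lacks MANAGE_THESAURUS_EXTRACT_PERMISSION on the extract. Pyramid reports its own authorization denials as `HTTPForbidden`, and raising that sends this denial through the application's forbidden view like a decorator-level failure, so logging and login handling stay consistent: `raise HTTPForbidden("You are not authorized to update this extract")`, with the import in the `@@ -59,7` hunk changed to match. Under Pyramid's ACL policy, `has_permission(..., context=extract)` evaluates the ACL from the extract upwards through its parents, so the check relies on extracts being location-aware; that is not visible in this diff. The check sits after the term and extract lookups, which begin outside the hunk.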
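Review bot: The import path is now reachable by holders of ADMIN_THESAURUS_PERMISSION instead of system managers (the menu item in `@@ -361,7`, `import.html` in `@@ -379,7` and `import.json` in `@@ -420,7`), which changes who can feed files to the thesaurus loaders. The loader code is not part of this diff, so this is a request to confirm rather than a finding: the IThesaurusLoader implementations should treat the uploaded file as untrusted input, with external entity resolution and entity expansion disabled if they parse XML, and with a limit on upload size. A short comment next to one of these `permission=` arguments saying which role is expected to hold the permission would help the next audit.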
@@ -420,7 +423,7 @@
 @view_config(name='import.json', context=IThesaurus, request_type=IPyAMSLayer,
- permission=MANAGE_SYSTEM_PERMISSION, renderer='json', xhr=True)
+ permission=ADMIN_THESAURUS_PERMISSION, renderer='json', xhr=True)
 class ThesaurusImportAJAXForm(AJAXAddForm, ThesaurusImportForm):
 """Thesaurus import form, AJAX view"""
@@ -472,7 +475,7 @@
 return exporter.export(self.context, configuration)
-@view_config(name='export.xml', context=IThesaurus, request_type=IPyAMSLayer, permission=MANAGE_SYSTEM_PERMISSION)
+@view_config(name='export.xml', context=IThesaurus, request_type=IPyAMSLayer, permission=VIEW_SYSTEM_PERMISSION)
 class ThesaurusExportAJAXForm(AJAXAddForm, ThesaurusExportForm):
 """Thesaurus export form, AJAX view"""
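Review bot: `export.xml` in the `@@ -472,7` hunk is switched to `VIEW_SYSTEM_PERMISSION`, a system-level permission by its name, while the properties and import views in this changeset move to ADMIN_THESAURUS_PERMISSION, so the full export ends up gated by something that does not look tied to the thesaurus being exported. If read access is meant to be decided per thesaurus, a thesaurus-level permission would be the consistent choice here; if the system-level gate is intended, a one-line comment above the decorator saying so would stop it being changed back later. The permissions on the export dialog and its menu item are outside this hunk and should be compared with this one, because this view is the endpoint that actually returns the data. The class body continues past the end of the hunk.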