--- a/src/pyams_thesaurus/zmi/thesaurus.py Tue May 16 11:23:23 2017 +0200
+++ b/src/pyams_thesaurus/zmi/thesaurus.py Tue May 16 11:24:06 2017 +0200
@@ -23,7 +23,7 @@
from pyams_skin.interfaces import IPageHeader, IInnerPage
from pyams_skin.interfaces.container import ITableElementName, ITableElementEditor
from pyams_skin.interfaces.viewlet import IToolbarAddingMenu
-from pyams_thesaurus.interfaces import MANAGE_THESAURUS_CONTENT_PERMISSION
+from pyams_thesaurus.interfaces import ADMIN_THESAURUS_PERMISSION, MANAGE_THESAURUS_EXTRACT_PERMISSION
from pyams_thesaurus.interfaces.loader import IThesaurusLoader, IThesaurusUpdaterConfiguration, \
IThesaurusExporterConfiguration, IThesaurusExporter
from pyams_thesaurus.interfaces.thesaurus import IThesaurusInfo, IThesaurus, IThesaurusExtracts
@@ -59,7 +59,7 @@
from pyams_zmi.view import InnerAdminView
from pyramid.events import subscriber
from pyramid.exceptions import NotFound
-from pyramid.httpexceptions import HTTPBadRequest
+from pyramid.httpexceptions import HTTPBadRequest, HTTPUnauthorized
from pyramid.response import Response
from pyramid.url import resource_url
from pyramid.view import view_config
@@ -202,7 +202,7 @@
fields = field.Fields(IThesaurusInfo).select('name', 'title', 'subject', 'description', 'language', 'creator',
'publisher', 'created')
ajax_handler = 'properties.json'
- edit_permission = MANAGE_SYSTEM_PERMISSION
+ edit_permission = ADMIN_THESAURUS_PERMISSION
def updateWidgets(self, prefix=None):
super(ThesaurusPropertiesEditForm, self).updateWidgets(prefix)
@@ -213,7 +213,7 @@
@view_config(name='properties.json', context=IThesaurus, request_type=IPyAMSLayer,
- permission=MANAGE_SYSTEM_PERMISSION, renderer='json', xhr=True)
+ permission=ADMIN_THESAURUS_PERMISSION, renderer='json', xhr=True)
class ThesaurusPropertiesAJAXEditForm(AJAXEditForm, ThesaurusPropertiesEditForm):
"""Thesaurus properties edit form, AJAX view"""
@@ -332,7 +332,7 @@
@view_config(name='switch-extract.json', context=IThesaurus, request_type=IPyAMSLayer,
- permission=MANAGE_THESAURUS_CONTENT_PERMISSION, renderer='json', xhr=True)
+ permission=VIEW_PERMISSION, renderer='json', xhr=True)
def switch_term_extract(request):
"""Term extract switcher"""
label = request.params.get('term')
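Review bot: `VIEW_PERMISSION` on the switch-extract.json decorator is not brought into scope by either import hunk of this patch, and the same holds for `VIEW_SYSTEM_PERMISSION` on the export.xml hunk; if both are already imported earlier in the file (presumably from pyams_security's interfaces) this is fine, otherwise the module fails with a NameError when the decorators run at import time. Lowering the decorator permission to view level is what makes the in-body extract check necessary, so the two hunks should be read together; a one-line comment above the decorator would make that split explicit, e.g. `# decorator only gates viewing; extract-level authorization is enforced in the body`. `switch_term_extract`'s body continues past the end of this hunk.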
@@ -346,6 +346,8 @@
extract = IThesaurusExtracts(thesaurus).get(extract_name)
if extract is None:
raise HTTPBadRequest("Extract not found")
+ if not request.has_permission(MANAGE_THESAURUS_EXTRACT_PERMISSION, context=extract):
+ raise HTTPUnauthorized("You are not authorized to update this extract")
if extract.name in (term.extracts or ()):
extract.remove_term(term)
else:
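Review bot: `HTTPUnauthorized` (401) is the wrong status for a caller who is authenticated but lacks MANAGE_THESAURUS_EXTRACT_PERMISSION; 401 means "no valid credentials" and is expected to carry a WWW-Authenticate challenge, whereas Pyramid's `HTTPForbidden` (403) is the conventional response for a denied permission. Change the new line to `raise HTTPForbidden("You are not authorized to update this extract")` and import `HTTPForbidden` in place of `HTTPUnauthorized` in the httpexceptions hunk. Note also that because the decorator now only requires view-level permission, the `Extract not found` HTTPBadRequest is returned before any extract-level authorization, so a viewer can distinguish existing from non-existing extract names; if that matters, consider returning the same response in both cases. `switch_term_extract` starts before this hunk and its body continues after it.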
@@ -361,7 +363,7 @@
#
@viewlet_config(name='import.menu', context=IThesaurus, layer=IAdminLayer, manager=IThesaurusTermsMenu,
- permission=MANAGE_SYSTEM_PERMISSION, weight=10)
+ permission=ADMIN_THESAURUS_PERMISSION, weight=10)
class ThesaurusImportMenuItem(MenuItem):
"""Thesaurus import menu"""
@@ -379,7 +381,8 @@
add = button.Button(name='add', title=_("Import terms"))
-@pagelet_config(name='import.html', context=IThesaurus, layer=IPyAMSLayer, permission=MANAGE_SYSTEM_PERMISSION)
+@pagelet_config(name='import.html', context=IThesaurus, layer=IPyAMSLayer,
+ permission=ADMIN_THESAURUS_PERMISSION)
class ThesaurusImportForm(AdminDialogAddForm):
"""Thesaurus import form"""
@@ -420,7 +423,7 @@
@view_config(name='import.json', context=IThesaurus, request_type=IPyAMSLayer,
- permission=MANAGE_SYSTEM_PERMISSION, renderer='json', xhr=True)
+ permission=ADMIN_THESAURUS_PERMISSION, renderer='json', xhr=True)
class ThesaurusImportAJAXForm(AJAXAddForm, ThesaurusImportForm):
"""Thesaurus import form, AJAX view"""
@@ -472,7 +475,7 @@
return exporter.export(self.context, configuration)
-@view_config(name='export.xml', context=IThesaurus, request_type=IPyAMSLayer, permission=MANAGE_SYSTEM_PERMISSION)
+@view_config(name='export.xml', context=IThesaurus, request_type=IPyAMSLayer, permission=VIEW_SYSTEM_PERMISSION)
class ThesaurusExportAJAXForm(AJAXAddForm, ThesaurusExportForm):
"""Thesaurus export form, AJAX view"""