1.1 --- a/MoinForms.py Thu Nov 07 19:16:45 2013 +0100
1.2 +++ b/MoinForms.py Thu Nov 07 19:55:56 2013 +0100
1.3 @@ -426,6 +426,46 @@
1.4 else:
1.5 return Page(self.request, self.pagename).getACL(self.request)
1.6
1.7 + def getSubpageACL(self):
1.8 +
1.9 + """
1.10 + Return the access control list for the form for data that will be
1.11 + stored in subpages. Where no form-specific policy is specified, the
1.12 + page's ACL will be used as the basis of the subpage ACL.
1.13 + """
1.14 +
1.15 + cfg = self.request.cfg
1.16 +
1.17 + acl = self.getACL()
1.18 + new_acl_lines = []
1.19 +
1.20 + for acl_str in acl.acl_lines:
1.21 + new_acl_line = []
1.22 +
1.23 + for op, users, rights in security.ACLStringIterator(cfg.acl_rights_valid, acl_str):
1.24 +
1.25 + # Remove "read" rights unless the "admin" right is also present.
1.26 +
1.27 + if op != "-" and "read" in rights and not "admin" in rights:
1.28 + rights.remove("read")
1.29 +
1.30 + # Add "read" rights if absent and "admin" is present.
1.31 +
1.32 + elif op != "-" and not "read" in rights and "admin" in rights:
1.33 + rights.append("read")
1.34 +
1.35 + new_acl_line.append((op, users, rights))
1.36 +
1.37 + new_acl_lines.append(" ".join([
1.38 + "%s%s:%s" % (op, ",".join(users), ",".join(rights)) for (op, users, rights) in new_acl_line
1.39 + ]))
1.40 +
1.41 + # Add an extra read-disable rule just to make sure.
1.42 +
1.43 + new_acl_lines.append("-All:read")
1.44 +
1.45 + return security.AccessControlList(cfg, new_acl_lines)
1.46 +
1.47 def checkPermissions(self, action):
1.48
1.49 """
1.50 @@ -505,7 +545,7 @@
1.51 # Add an ACL to restrict direct access to subpages.
1.52
1.53 request = self.page.request
1.54 - acl = self.handler.getACL()
1.55 + acl = self.handler.getSubpageACL()
1.56 item = acl.getString() + item
1.57
1.58 ItemStoreBase.append(self, item)