# HG changeset patch
# User raph
# Date 1268318258 -3600
# Node ID e4715ab65e2d74bbbf182710909518edbf24e69f
# Parent 912b4331a1ee7ced9905e492e290481da64ef26d
fix security pb (too restrictive): logged users should inherit anon roles (if no text role is defined)
diff -r 912b4331a1ee -r e4715ab65e2d src/cm/security.py
--- a/src/cm/security.py Thu Mar 11 09:58:09 2010 +0100
+++ b/src/cm/security.py Thu Mar 11 15:37:38 2010 +0100
@@ -53,7 +53,11 @@
 if UserRole.objects.filter(Q(user=user),Q(text=text),~Q(role=None)): # if non void local role
 return UserRole.objects.filter(user=user).filter(text=text).filter(Q(role__permissions__codename__exact=perm_name)).count() != 0
 else:
- return UserRole.objects.filter(user=user).filter(text=None).filter(Q(role__permissions__codename__exact=perm_name)).count() != 0
+ # local role for anon users
+ # OR global role for anon users
+ # OR global role for this user
+ return UserRole.objects.filter(Q(user=user) | Q(user=None)).filter(Q(text=None) | Q(text=text)).filter(Q(role__permissions__codename__exact=perm_name)).count() != 0
+ #return UserRole.objects.filter(user=user).filter(text=None).filter(Q(role__permissions__codename__exact=perm_name)).count() != 0
 def has_own_perm(request, perm_name, text, comment):
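Review bot: The new `else` return grants the permission if any matching role carries it, so it takes the union of local and global roles instead of letting a local role override the global one, as the `if` branch above does for the user's own local role. If a text-level anonymous role is meant to narrow the global anonymous role, a logged-in user with no local role would still get the wider global anonymous permissions on that text; this should be confirmed against the anonymous-user path, which is outside the hunk, along with the start of the function. The two chained `Q` filters also match a fourth combination (this user on this text) that the comment does not list; spelling out the three intended cases keeps the query in step with the comment: `Q(user=None, text=text) | Q(user=None, text=None) | Q(user=user, text=None)`. Since the change widens access, a regression test that pins which role wins in each case would help, and the commented-out old `#return` line can be dropped because the history keeps it.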