[CMF-checkins] CVS: CMF/CMFCollector/skins/collector - collector_add_issue_form.pt:1.10 collector_issue_edit_form.pt:1.8 collector_issue_followup_form.pt:1.12

Ken Manheimer klm@zope.com
Mon, 29 Oct 2001 12:29:08 -0500


Update of /cvs-repository/CMF/CMFCollector/skins/collector
In directory cvs.zope.org:/tmp/cvs-serv14809/skins/collector

Modified Files:
	collector_add_issue_form.pt collector_issue_edit_form.pt 
	collector_issue_followup_form.pt 
Log Message:
Protect various forms so only those authorized to submit them can view
them.  I'm using what I think is a neat TAL idiom to do so - a span
conditioned to never show, with a define that accesses (but doesn't
call) the key protected method the form ultimately uses.

This is particularly important in the case of, e.g., the issue edit
form, where some potentially confidential data (like the submitter's
email address) is exposed.  (I tried protecting the
CollectorIssue.submitter_email attribute, itself, but that doesn't
seem to work.)


=== CMF/CMFCollector/skins/collector/collector_add_issue_form.pt 1.9 => 1.10 ===
+      tal:define="has_add_priv nocall: here/add_issue">
+  This span ensures that the visitor has edit privilege, by fetching - but not
+  displaying - the protected collector.add_issue method.
+</span>
+
 <html xmlns:tal="http://xml.zope.org/namespaces/tal"
       xmlns:metal="http://xml.zope.org/namespaces/metal"
       metal:use-macro="here/main_template/macros/master">
 
-<span tal:replace="nothing">
+<span tal:condition="nothing">
   Template description: Form for submitting new collector issues.
 </span>
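Review bot: the comment text in the added guard span says the visitor needs "edit privilege", but the define on that span fetches here/add_issue, so it should name the add (submit) privilege; it reads as copied from the edit form. The comment should also state that the guard relies on TAL evaluating tal:define before tal:condition on the same element, because has_add_priv is never referenced again and a span described in the log message as "conditioned to never show" otherwise looks inert and is easy to delete in a later cleanup. The tal:replace to tal:condition change on the template description span is unrelated to the access check and could be committed separately.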
 


=== CMF/CMFCollector/skins/collector/collector_issue_edit_form.pt 1.7 => 1.8 ===
+      tal:define="has_edit_priv nocall: here/edit">
+  This span ensures that the visitor has edit privilege, by fetching - but
+  not displaying - the protected issue.edit method.
+</span>
+
 <html xmlns:tal="http://xml.zope.org/namespaces/tal"
       xmlns:metal="http://xml.zope.org/namespaces/metal"
       metal:use-macro="here/main_template/macros/master">
 <body>
 
-<span tal:replace="nothing">
+<span tal:condition="nothing">
   Template description: Basic view of issue characteristics and transcript.
 </span>
 
 <div metal:fill-slot="header">
 
   <div metal:use-macro="here/collector_macros/macros/issue_header">
-
     ISSUE HEADER
-
   </div>
 
 </div>
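Review bot: the guard at tal:define="has_edit_priv nocall: here/edit" protects only this one template, while the log message names submitter_email as the sensitive data and says protecting the attribute itself did not work, so any other skin or script that reads that attribute remains unprotected. The reason the attribute-level protection failed is worth tracking down, with this guard kept as a second layer rather than the only control. The blank lines removed around ISSUE HEADER are a whitespace-only change unrelated to the access check.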


=== CMF/CMFCollector/skins/collector/collector_issue_followup_form.pt 1.11 => 1.12 ===
+      tal:define="has_followup_priv nocall: here/do_action">
+  This span ensures that the visitor has edit privilege, by fetching - but
+  not displaying - the protected collector.do_action method.
+</span>
+
 <html xmlns:tal="http://xml.zope.org/namespaces/tal"
       xmlns:metal="http://xml.zope.org/namespaces/metal"
       metal:use-macro="here/main_template/macros/master">
 <body>
 
-<span tal:replace="nothing">
+<span tal:condition="nothing">
   Template description: Form for entering new issue actions.
 </span>
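Review bot: the comment in the added span says "edit privilege" and names collector.do_action, but the variable is has_followup_priv and this is an issue form, where the edit form's comment calls the same kind of context issue (issue.edit). Please confirm whether do_action is fetched from the issue or from the collector here, and word the comment to match, naming the followup privilege rather than edit.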