[#6712] Don't balloon ProjectRoles when checking for blocked users
Signed-off-by: Cory Johns <cjohns@slashdotmedia.com>
diff --git a/Allura/allura/lib/security.py b/Allura/allura/lib/security.py
index a211ae2..4e917b6 100644
--- a/Allura/allura/lib/security.py
+++ b/Allura/allura/lib/security.py
@@ -299,10 +299,11 @@
project = project.root_project
roles = cred.user_roles(user_id=user._id, project_id=project._id).reaching_ids
if user != M.User.anonymous():
- user_role = user.project_role(project=project)
- deny_user = M.ACE.deny(user_role._id, permission)
- if M.ACL.contains(deny_user, obj.acl):
- return False
+ user_role = M.ProjectRole.by_user(user, project)
+ if user_role:
+ deny_user = M.ACE.deny(user_role._id, permission)
+ if M.ACL.contains(deny_user, obj.acl):
+ return False
chainable_roles = []
for rid in roles:
for ace in obj.acl:
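Review bot: The new `if user_role:` guard makes the per-user block check fail open: when `M.ProjectRole.by_user(user, project)` finds no role, the deny lookup is skipped and evaluation falls through to the role loop below, and nothing in the hunk says why that is safe. It presumably is safe, since the deny ACE is keyed on the role's `_id` and cannot exist without the role record, but that relies on the blocking code always creating the role first, which is not visible in this hunk. I would state the invariant above the guard, e.g. `# No ProjectRole record => no per-user deny ACE can reference this user; do not upsert one here`, and write the condition as `if user_role is not None:` so that only a missing record skips the check. A regression test covering a blocked user and a user with no role record would pin both paths. The enclosing function starts and ends outside the hunk.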