New predicate for read rights

pboard/pboard/controllers/root.py

@@ -6,6 +6,7 @@ import tg
 from tg import expose, flash, require, url, lurl, request, redirect, tmpl_context
 from tg.i18n import ugettext as _, lazy_ugettext as l_
 from tg import predicates
+from pboard.lib.auth import can_read
 
 import tgext.admin.tgadminconfig as tgat
 import tgext.admin.controller as tgac
@@ -113,7 +114,8 @@ class RootController(BaseController):
 
 
     @expose('pboard.templates.document')
-    @require(predicates.in_group('user', msg=l_('Please login to access this page')))
+    #@require(predicates.in_group('user', msg=l_('Please login to access this page')))
+    @require(can_read())
     def document(self, node=0, version=0, came_from=lurl('/'), highlight=''):
         """show the user dashboard"""
         loCurrentUser   = pld.PODStaticController.getCurrentUser()

pboard/pboard/lib/auth.py

@@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+"""Predicates for authorizations"""
+from tg.predicates import Predicate
+from pboard.model import DBSession as session
+from pboard.model.auth import Permission, User
+
+class can_read(Predicate):
+    message = ""
+
+    def __init__(self, **kwargs):
+        pass
+
+    def evaluate(self, environ, credentials):
+        node_id = environ['webob.adhoc_attrs']['validation']['values']['node']
+        has_right = session.execute("""
+                select *
+                from pod_group_node pgn
+                join pod_user_group pug on pug.group_id = pgn.group_id
+                join pod_user pu on pug.user_id = pu.user_id
+                where rights > 0
+                and email_address = :mail
+                and node_id = :node""", {"mail":credentials["repoze.who.userid"], "node":node_id})
+        if has_right.rowcount == 0 :
+            self.unmet()