Merge branch 'master' of bitbucket.org:lebouquetin/protov1

pboard/pboard/controllers/api.py

         loUserSpecificGroup = pld.PODStaticController.createGroup()
 
         loUserSpecificGroup.group_id = 0-loNewAccount.user_id # group id of a given user is the opposite of the user id
-        loUserSpecificGroup.group_name = ''
+        loUserSpecificGroup.group_name = 'user_%d' % loNewAccount.user_id
         loUserSpecificGroup.personnal_group = True
         loUserSpecificGroup.users.append(loNewAccount)
 

pboard/pboard/controllers/root.py

             current_node=loCurrentNode,
             node_status_list = loNodeStatusList,
             keywords = highlight,
-            user_specific_groups = pld.PODStaticController.getUserSpecificGroups(),
-            real_groups = pld.PODStaticController.getRealGroups()
+            user_specific_group_rights = pld.PODStaticController.getUserDedicatedGroupRightsOnNode(node_id),
+            real_group_rights = pld.PODStaticController.getRealGroupRightsOnNode(node_id)
         )
 
     @expose('pboard.templates.search')

pboard/pboard/lib/auth.py

 from tg.predicates import Predicate
 from pboard.model import DBSession as session
 from pboard.model.auth import Permission, User
+import logging as l
+
+DIRTY_canReadOrCanWriteSqlQuery = """
+SELECT
+    node_id
+FROM
+    pod_group_node AS pgn
+    join pod_user_group AS pug on pug.group_id = pgn.group_id
+    join pod_user AS pu ON pug.user_id = pu.user_id
+WHERE
+    rights > :excluded_right_low_level
+    AND email_address = :email
+    AND node_id = :node_id
+UNION
+    SELECT
+        node_id
+    FROM
+        pod_nodes AS pnn,
+        pod_user AS puu
+    WHERE
+        pnn.node_id = :node_id
+        AND pnn.owner_id = puu.user_id
+        AND puu.email_address = :email
+"""
 
 class can_read(Predicate):
     message = ""
         if 'node_id' in environ['webob.adhoc_attrs']['validation']['values']:
             node_id = environ['webob.adhoc_attrs']['validation']['values']['node_id']
             if node_id!=0:
-                has_right = session.execute("""
-                    select
-                        node_id
-                    from
-                        pod_group_node pgn
-                        join pod_user_group pug on pug.group_id = pgn.group_id
-                        join pod_user pu on pug.user_id = pu.user_id
-                    where
-                        rights > 0
-                        and email_address = :mail
-                        and node_id = :node
-                    union
-                        select
-                            node_id
-                        from
-                            pod_nodes
-                        where
-                            node_id = :node
-                        """, {"mail":credentials["repoze.who.userid"], "node":node_id})
+                has_right = session.execute(
+                    DIRTY_canReadOrCanWriteSqlQuery,
+                    {"email":credentials["repoze.who.userid"], "node_id":node_id, "excluded_right_low_level": 0}
+                )
                 if has_right.rowcount == 0 :
+                    l.info("User {} don't have read right on node {}".format(credentials["repoze.who.userid"], node_id))
                     self.unmet()
 
 class can_write(Predicate):
         if 'node_id' in environ['webob.adhoc_attrs']['validation']['values']:
             node_id = environ['webob.adhoc_attrs']['validation']['values']['node_id']
             if node_id!=0:
-                has_right = session.execute("""
-                        select
-                            node_id
-                        from
-                            pod_group_node pgn
-                            join pod_user_group pug on pug.group_id = pgn.group_id
-                            join pod_user pu on pug.user_id = pu.user_id
-                        where
-                            rights > 1
-                            and email_address = :mail
-                            and node_id = :node
-                        union
-                            select
-                                node_id
-                            from
-                                pod_nodes
-                            where
-                                node_id = :node
-                        """, {"mail":credentials["repoze.who.userid"], "node":node_id})
+                has_right = session.execute(
+                    DIRTY_canReadOrCanWriteSqlQuery,
+                    {"email":credentials["repoze.who.userid"], "node_id":node_id, "excluded_right_low_level": 1}
+                )
                 if has_right.rowcount == 0 :
                     self.unmet()
 

pboard/pboard/lib/dbapi.py

     return loGroups
 
   @classmethod
-  def getUserSpecificGroups(cls):
-    return DBSession.query(pbma.Group).filter(pbma.Group.personnal_group==True).all()
+  def getRealGroupRightsOnNode(cls, piNodeId: int) -> pbmd.DIRTY_GroupRightsOnNode:
+
+    groupRightsOnNodeCustomSelect = DBSession\
+        .query(pbmd.DIRTY_GroupRightsOnNode)\
+        .from_statement(pbmd.DIRTY_RealGroupRightOnNodeSqlQuery)\
+        .params(node_id=piNodeId)\
+        .all()
+
+    return groupRightsOnNodeCustomSelect
 
   @classmethod
-  def getRealGroups(cls):
-    return DBSession.query(pbma.Group).filter(pbma.Group.personnal_group==False).all()
+  def getUserDedicatedGroupRightsOnNode(cls, piNodeId: int) -> pbmd.DIRTY_GroupRightsOnNode:
+
+    groupRightsOnNodeCustomSelect = DBSession\
+        .query(pbmd.DIRTY_GroupRightsOnNode)\
+        .from_statement(pbmd.DIRTY_UserDedicatedGroupRightOnNodeSqlQuery)\
+        .params(node_id=piNodeId)\
+        .all()
+
+    return groupRightsOnNodeCustomSelect
+
+
 
 class PODUserFilteredApiController(object):
   
   def createNode(self, parent_id=0):
     loNode          = pbmd.PBNode()
     loNode.owner_id = self._iCurrentUserId
-    loNode.parent_id = parent_id
+    if int(parent_id)!=0:
+      loNode.parent_id = parent_id
     parent_rights = DBSession.query(pbma.Rights).filter(pbma.Rights.node_id==parent_id).all()
     loNode.rights = parent_rights
     loNode.rights = [pbma.Rights(group_id=r.group_id, rights=r.rights) for r in parent_rights]
     return loNewNode
 
 
-  def getNode(self, liNodeId):
-    liOwnerIdList = self._getUserIdListForFiltering()
-    if liNodeId!=0:
-      return DBSession.query(pbmd.PBNode).options(joinedload_all("_lAllChildren")).\
-              join(pbma.Group.users).\
-              filter(pbmd.PBNode.node_id==liNodeId).\
-              filter((pbmd.PBNode.owner_id.in_(liOwnerIdList)) | (pbma.user_group_table.c.user_id.in_(liOwnerIdList))).\
-              first()
-    return None
+  def getNode(self, liNodeId: int) -> pbmd.PBNode:
 
+    lsSqlSelectQuery = """pod_nodes.node_id IN
+        (SELECT
+            pgn.node_id
+        FROM
+            pod_group_node AS pgn
+            join pod_user_group AS pug ON pug.group_id = pgn.group_id
+            join pod_user AS pu ON pug.user_id = pu.user_id
+        WHERE
+            rights > 0
+            AND pu.user_id = %s)
+    """
+    lsNodeIdFiltering = lsSqlSelectQuery % (str(self._iCurrentUserId))
+
+    if liNodeId!=None and liNodeId!=0:
+      return DBSession.query(pbmd.PBNode).options(joinedload_all("_lAllChildren"))\
+        .filter(pbmd.PBNode.node_id==liNodeId)\
+        .filter(
+          sqla.or_(
+            pbmd.PBNode.owner_id==self._iCurrentUserId,
+            lsNodeIdFiltering
+          )
+        )\
+        .one()
+    return None
 
-  def getLastModifiedNodes(self, piMaxNodeNb):
+  def getLastModifiedNodes(self, piMaxNodeNb: int):
     """
     Returns a list of nodes order by modification time and limited to piMaxNodeNb nodes
     """
     return DBSession.query(pbmd.PBNode).options(joinedload_all("_lAllChildren")).filter(pbmd.PBNode.owner_id.in_(liOwnerIdList)).order_by(pbmd.PBNode.updated_at.desc()).limit(piMaxNodeNb).all()
 
 
-  def searchNodesByText(self, plKeywordList, piMaxNodeNb=100):
+  def searchNodesByText(self, plKeywordList: [str], piMaxNodeNb=100):
     """
     Returns a list of nodes order by type, nodes which contain at least one of the keywords
     """
   def buildTreeListForMenu(self, plViewableStatusId):
     liOwnerIdList = self._getUserIdListForFiltering()
     
-    loNodeList = pbm.DBSession.query(pbmd.PBNode).filter(pbmd.PBNode.owner_id.in_(liOwnerIdList)).filter(pbmd.PBNode.node_type==pbmd.PBNodeType.Data).filter(pbmd.PBNode.node_status.in_(plViewableStatusId)).order_by(pbmd.PBNode.parent_tree_path).order_by(pbmd.PBNode.node_order).order_by(pbmd.PBNode.node_id).all()
+    # loNodeList = pbm.DBSession.query(pbmd.PBNode).filter(pbmd.PBNode.owner_id.in_(liOwnerIdList)).filter(pbmd.PBNode.node_type==pbmd.PBNodeType.Data).filter(pbmd.PBNode.node_status.in_(plViewableStatusId)).order_by(pbmd.PBNode.parent_tree_path).order_by(pbmd.PBNode.node_order).order_by(pbmd.PBNode.node_id).all()
+    loNodeListNotFiltered = pbm.DBSession.query(pbmd.PBNode).filter(pbmd.PBNode.node_type==pbmd.PBNodeType.Data).filter(pbmd.PBNode.node_status.in_(plViewableStatusId)).order_by(pbmd.PBNode.parent_tree_path).order_by(pbmd.PBNode.node_order).order_by(pbmd.PBNode.node_id).all()
+
+    loNodeList = []
+    for loNode in loNodeListNotFiltered:
+      if loNode.owner_id in self._getUserIdListForFiltering():
+        loNodeList.append(loNode)
+      else:
+        for loRight in loNode._lRights:
+          for loUser in loRight._oGroup.users:
+            if loUser.user_id in self._getUserIdListForFiltering():
+              loNodeList.append(loNode)
+
     loTreeList = []
     loTmpDict = {}
     for loNode in loNodeList:
         # We suppose that the parent node has already been added
         # this *should* be the case, but the code does not check it
         if loNode.parent_id not in loTmpDict.keys():
-          loTmpDict[loNode.parent_id] = self.getNode(loNode.parent_id)
-        loTmpDict[loNode.parent_id].appendStaticChild(loNode)
+          print('THE NODE =========',loNode.parent_id)
+          try:
+            loTmpDict[loNode.parent_id] = self.getNode(loNode.parent_id)
+          except Exception as e:
+            # loTreeList.append(
+            # FIXME - D.A. - 2014-05-22 This may be wrong code:
+            # we are in the case when the node parent is not shared with the current user
+            # So the node should be added at the root
+            pass
+        if loNode.parent_id in loTmpDict.keys():
+          # HACK- D.A. - 2014-05-22 - See FIXME upper
+          loTmpDict[loNode.parent_id].appendStaticChild(loNode)
   
     return loTreeList
 

pboard/pboard/model/auth.py

     display_name = Column(Unicode(255))
     created = Column(DateTime, default=datetime.now)
     personnal_group = Column(Boolean)
-    users = relation('User', secondary=user_group_table, backref='groups')
+
+    users = relationship('User', secondary=user_group_table, backref='groups')
 
     _lRights = relationship('Rights', backref='_oGroup', cascade = "all, delete-orphan")
 

pboard/pboard/model/data.py

 
 import bs4
 from sqlalchemy import Table, ForeignKey, Column, Sequence
+import sqlalchemy as sqla
+from sqlalchemy.sql.sqltypes import Boolean
 from sqlalchemy.types import Unicode, Integer, DateTime, Text, LargeBinary
 import sqlalchemy.types as sqlat
 from sqlalchemy.orm import relation, synonym, relationship
 from sqlalchemy.orm import backref
 import sqlalchemy.orm as sqlao
+import sqlalchemy.orm.query as sqlaoq
 from sqlalchemy import orm as sqlao
 
 from tg.i18n import ugettext as _, lazy_ugettext as l_
   def getHistory(self):
       return DBSession.execute("select node_id, version_id, created_at from pod_nodes_history where node_id = :node_id order by created_at desc", {"node_id":self.node_id}).fetchall()
 
+
+#####
+#
+# HACK - 2014-05-21 - D.A
+#
+# The following hack is a horrible piece of code that allow to map a raw SQL select to a mapped class
+#
+class DIRTY_GroupRightsOnNode(object):
+    def hasSomeAccess(self):
+        return self.rights >= pma.Rights.READ_ACCESS
+
+    def hasReadAccess(self):
+        return self.rights & pma.Rights.READ_ACCESS
+
+    def hasWriteAccess(self):
+        return self.rights & pma.Rights.WRITE_ACCESS
+
+DIRTY_group_rights_on_node_query = Table('fake_table', metadata,
+    Column('group_id', Integer, primary_key=True),
+    Column('node_id', Integer, primary_key=True),
+
+    Column('display_name', Unicode(255)),
+    Column('personnal_group', Boolean),
+    Column('rights', Integer, primary_key=True)
+)
+
+DIRTY_UserDedicatedGroupRightOnNodeSqlQuery = """
+SELECT
+    COALESCE(NULLIF(pg.display_name, ''), pu.display_name) AS display_name,
+    pg.personnal_group,
+    pg.group_id,
+    :node_id AS node_id,
+    COALESCE(pgn.rights, 0) AS rights
+FROM
+    pod_group AS pg
+    LEFT JOIN
+        pod_group_node AS pgn
+    ON
+        pg.group_id=pgn.group_id
+        AND pgn.node_id=:node_id
+    LEFT JOIN
+        pod_user AS pu
+    ON
+        pu.user_id=-pg.group_id
+WHERE
+    pg.personnal_group='t'
+ORDER BY
+    display_name
+;"""
+
+DIRTY_RealGroupRightOnNodeSqlQuery = """
+SELECT
+    pg.display_name AS display_name,
+    pg.personnal_group,
+    pg.group_id,
+    :node_id AS node_id,
+    COALESCE(pgn.rights, 0) AS rights
+FROM
+    pod_group AS pg
+    LEFT JOIN
+        pod_group_node AS pgn
+    ON
+        pg.group_id=pgn.group_id
+        AND pgn.node_id=:node_id
+WHERE
+    pg.personnal_group!='t'
+ORDER BY
+    display_name
+;"""
+
+sqlao.mapper(DIRTY_GroupRightsOnNode, DIRTY_group_rights_on_node_query)
+

pboard/pboard/templates/document-widgets-tabs.mak

           <th></th>
         </tr>
       </thead>
-      % for loCurrentGroup in real_groups:
-        % if loCurrentGroup.hasSomeAccess(poNode):
+      % for loGroupRightsOnNode in real_group_rights:
+        % if loGroupRightsOnNode.hasSomeAccess():
           <tr>
-            <td>${loCurrentGroup.getDisplayName()}</td>
+            <td>${loGroupRightsOnNode.display_name}</td>
             <td>
-              % for loRight in loCurrentGroup.rights:
-                % if loRight.node_id==poNode.node_id:
-                  % if loRight.hasReadAccess():
-                    <span class="label label-success">R</span>
-                  % endif
-                  % if loRight.hasWriteAccess():
-                    <span class="label label-warning">W</span>
-                  % endif
-                % endif
-              % endfor
+              % if loGroupRightsOnNode.hasReadAccess():
+                <span class="label label-success">R</span>
+              % endif
+              % if loGroupRightsOnNode.hasWriteAccess():
+                <span class="label label-warning">W</span>
+              % endif
             </td>
           </tr>
         % endif
           <th></th>
         </tr>
       </thead>
-      % for loCurrentGroup in user_specific_groups:
-        % if loCurrentGroup.hasSomeAccess(poNode):
+      % for loGroupRightsOnNode in user_specific_group_rights:
+        % if loGroupRightsOnNode.hasSomeAccess():
           <tr>
-            <td>${loCurrentGroup.getDisplayName()}</td>
+            <td>${loGroupRightsOnNode.display_name}</td>
             <td>
-              % for loRight in loCurrentGroup.rights:
-                % if loRight.node_id==poNode.node_id:
-                  % if loRight.hasReadAccess():
-                    <span class="label label-success">R</span>
-                  % endif
-                  % if loRight.hasWriteAccess():
-                    <span class="label label-warning">W</span>
-                  % endif
-                % endif
-              % endfor
+              % if loGroupRightsOnNode.hasReadAccess():
+                <span class="label label-success">R</span>
+              % endif
+              % if loGroupRightsOnNode.hasWriteAccess():
+                <span class="label label-warning">W</span>
+              % endif
             </td>
           </tr>
         % endif
                   <th>${_('Access')}</th>
                 </tr>
               </thead>
-              % for loCurrentGroup in real_groups:
-              <tr id='user-${loCurrentGroup.group_id}-rights-row'>
+              % for loGroupRightsOnNode in real_group_rights:
+
+              <tr id='user-${loGroupRightsOnNode.group_id}-rights-row'>
                 <td>
                   <a
                     class="btn btn-mini"
-                    onclick="updateRights(${loCurrentGroup.group_id})"
+                    onclick="updateRights(${loGroupRightsOnNode.group_id})"
                   >
                     <i class="fa fa-key"></i>
                   </a>
                 </td>
                 <td class='pod-highlightable-access-management-cell'>
-                  ${loCurrentGroup.getDisplayName()}
-                  <input type="hidden" id="user-${loCurrentGroup.group_id}-value-read" name="read" value="" />
-                  <input type="hidden" id="user-${loCurrentGroup.group_id}-value-write" name="write" value="" />
+                  ${loGroupRightsOnNode.display_name}
+                  <input type="hidden" id="user-${loGroupRightsOnNode.group_id}-value-read" name="read" value="" />
+                  <input type="hidden" id="user-${loGroupRightsOnNode.group_id}-value-write" name="write" value="" />
                 </td>
-                <td id="user-${loCurrentGroup.group_id}-rights" class="pod-right-cell"></td>
+                <td id="user-${loGroupRightsOnNode.group_id}-rights" class="pod-right-cell"></td>
               </tr>
               % endfor
               
                   <th>${_('Access')}</th>
                 </tr>
               </thead>
-              % for loCurrentGroup in user_specific_groups:
+              % for loGroupRightsOnNode in user_specific_group_rights:
               
-              <tr id='user-${loCurrentGroup.group_id}-rights-row'>
+              <tr id='user-${loGroupRightsOnNode.group_id}-rights-row'>
                 <td>
                   <a
                     class="btn btn-mini"
-                    onclick="updateRights(${loCurrentGroup.group_id})"
+                    onclick="updateRights(${loGroupRightsOnNode.group_id})"
                   >
                     <i class="fa fa-key"></i>
                   </a>
                 </td>
                 <td class='pod-highlightable-access-management-cell'>
-                  ${loCurrentGroup.getDisplayName()}
-                  <input type="hidden" id="user-${loCurrentGroup.group_id}-value-read" name="read" value="" />
-                  <input type="hidden" id="user-${loCurrentGroup.group_id}-value-write" name="write" value="" />
+                  ${loGroupRightsOnNode.display_name}
+                  <input type="hidden" id="user-${loGroupRightsOnNode.group_id}-value-read" name="read" value="" />
+                  <input type="hidden" id="user-${loGroupRightsOnNode.group_id}-value-write" name="write" value="" />
                 </td>
-                <td id="user-${loCurrentGroup.group_id}-rights" class="pod-right-cell"></td>
+                <td id="user-${loGroupRightsOnNode.group_id}-rights" class="pod-right-cell"></td>
               </tr>
               % endfor
             </table>
 ## for read/write access management
 ##
 
-      % for loCurrentGroup in real_groups + user_specific_groups:
-        % if loCurrentGroup.hasSomeAccess(poNode)==False:
-              updateRights(${loCurrentGroup.group_id}, 0);
+## FIXME      % for loGroupRightsOnNode in real_group_rights:
+##      % for loCurrentGroup in real_group_rights + user_specific_group_rights:
+      % for loGroupRightsOnNode in real_group_rights + user_specific_group_rights:
+        % if loGroupRightsOnNode.hasSomeAccess()==False:
+          updateRights(${loGroupRightsOnNode.group_id}, 0);
         % else:
-          % for loRight in loCurrentGroup.rights:
-            % if loRight.node_id==poNode.node_id:
 ##
 ## The following line should build some javascript code similar to this:
 ## updateRights(-5, 3);
-              updateRights(${loCurrentGroup.group_id}, ${loRight.rights});
-            % endif
-          % endfor
+          updateRights(${loGroupRightsOnNode.group_id}, ${loGroupRightsOnNode.rights});
         % endif
       % endfor
 

pboard/pboard/templates/master.mak

                 <li><a href="${tg.url('/debug/identity')}"><i class="fa fa-user-md"></i>  request.identity</a></li>
               </ul>
             </li>
+          % endif
+
+          % if request.identity:
             <li>
               <form class="navbar-search  form-search" action="${tg.url('/search')}">
                 <div class="input-append">