
allow to access nodes that are owned by the user even if no rights are defined

Damien Accorsi 10 years ago
parent
commit
522d9f71a0
1 changed files with 33 additions and 11 deletions
  1. 33 11
      pboard/pboard/lib/auth.py

+ 33 - 11
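--- a/pboard/pboard/lib/auth.py
+++ b/pboard/pboard/lib/auth.py
@@ -15,13 +15,24 @@ class can_read(Predicate):
             node_id = environ['webob.adhoc_attrs']['validation']['values']['node_id']
             if node_id!=0:
                 has_right = session.execute("""
-                        select *
-                        from pod_group_node pgn
+                    select
+                        node_id
+                    from
+                        pod_group_node pgn
                         join pod_user_group pug on pug.group_id = pgn.group_id
                         join pod_user pu on pug.user_id = pu.user_id
-                        where rights > 0
+                    where
+                        rights > 0
                         and email_address = :mail
-                        and node_id = :node""", {"mail":credentials["repoze.who.userid"], "node":node_id})
+                        and node_id = :node
+                    union
+                        select
+                            node_id
+                        from
+                            pod_nodes
+                        where
+                            node_id = :node
+                        """, {"mail":credentials["repoze.who.userid"], "node":node_id})
                 if has_right.rowcount == 0 :
                     self.unmet()
 
@@ -36,13 +47,24 @@ class can_write(Predicate):
             node_id = environ['webob.adhoc_attrs']['validation']['values']['node_id']
             if node_id!=0:
                 has_right = session.execute("""
-                        select *
-                        from pod_group_node pgn
-                        join pod_user_group pug on pug.group_id = pgn.group_id
-                        join pod_user pu on pug.user_id = pu.user_id
-                        where rights > 1
-                        and email_address = :mail
-                        and node_id = :node""", {"mail":credentials["repoze.who.userid"], "node":node_id})
+                        select
+                            node_id
+                        from
+                            pod_group_node pgn
+                            join pod_user_group pug on pug.group_id = pgn.group_id
+                            join pod_user pu on pug.user_id = pu.user_id
+                        where
+                            rights > 1
+                            and email_address = :mail
+                            and node_id = :node
+                        union
+                            select
+                                node_id
+                            from
+                                pod_nodes
+                            where
+                                node_id = :node
+                        """, {"mail":credentials["repoze.who.userid"], "node":node_id})
                 if has_right.rowcount == 0 :
                     self.unmet()
 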
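Review bot: The `union` branch added to the `can_read` query (`select node_id from pod_nodes where node_id = :node`) has no ownership condition, so it returns a row for any node that exists, and `has_right.rowcount == 0` can then only be true for a node id that does not exist; the `can_write` hunk adds the same branch with the same effect. As written, every authenticated user appears to pass both predicates for every existing node, which is broader than the "owned by the user" in the commit title and makes the `rights > 0` / `rights > 1` group checks irrelevant. The second select should be tied to the caller, for example by joining `pod_user` on the node's owner column (its name is not visible in this diff) and adding `and email_address = :mail`. Separately, `rowcount` is not reliable for SELECT statements on every DB-API driver, so testing `has_right.first() is None` would be a safer way to decide on `self.unmet()`. Both predicate bodies start and end outside the hunks, so any other checks they perform are not visible here.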