
can_write predicate

sferot 10 years ago
parent
commit
8075c43990
2 changed files with 28 additions and 0 deletions
  1. 9 0
      pboard/pboard/controllers/api.py
  2. 19 0
      pboard/pboard/lib/auth.py

+ 9 - 0
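--- a/pboard/pboard/controllers/api.py
+++ b/pboard/pboard/controllers/api.py
@@ -24,6 +24,7 @@ from pboard.lib.base import BaseController
 from pboard.lib   import dbapi as pld
 from pboard.model import data as pmd
 from pboard import model as pm
+from pboard.lib.auth import can_read, can_write
 
 __all__ = ['PODPublicApiController', 'PODApiController']
 
@@ -127,6 +128,7 @@ class PODApiController(BaseController):
       redirect(lurl('/document/%i'%(loNewNode.parent_id)))
 
     @expose()
+    @require(can_read())
     def get_file_content(self, node_id=None, **kw):
       if node_id==None:
         return
@@ -163,6 +165,7 @@ class PODApiController(BaseController):
         return loResultBuffer.getvalue()
 
     @expose()
+    @require(can_write())
     def set_parent_node(self, node_id, new_parent_id, **kw):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
@@ -175,6 +178,7 @@ class PODApiController(BaseController):
       redirect(lurl('/document/%s'%(node_id)))
 
     @expose()
+    @require(can_write())
     def move_node_upper(self, node_id=0):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
@@ -185,6 +189,7 @@ class PODApiController(BaseController):
       redirect(lurl('/document/%s'%(node_id)))
 
     @expose()
+    @require(can_write())
     def move_node_lower(self, node_id=0):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
@@ -220,6 +225,7 @@ class PODApiController(BaseController):
       redirect(lurl('/document/%i'%(loNewNode.node_id)))
 
     @expose()
+    @require(can_write())
     def edit_status(self, node_id, node_status):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
@@ -229,6 +235,7 @@ class PODApiController(BaseController):
       redirect(lurl('/document/%s'%(node_id)))
 
     @expose()
+    @require(can_write())
     def edit_label_and_content(self, node_id, data_label, data_content):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
@@ -239,6 +246,7 @@ class PODApiController(BaseController):
       redirect(lurl('/document/%s'%(node_id)))
 
     @expose()
+    @require(can_write())
     def force_delete_node(self, node_id=None):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
@@ -270,6 +278,7 @@ class PODApiController(BaseController):
       redirect(lurl('/document/%s'%(back_to_node_id)))
 
     @expose()
+    @require(can_write())
     def toggle_share_status(self, node_id):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)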
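Review bot: `@require(can_write())` on `set_parent_node` (hunk `-163,6 +165,7`) gates only the node being moved: the predicate in auth.py reads just `node_id` from the validated values, so `new_parent_id` is never checked and a caller with write rights on one node can re-parent it under a node they have no rights on — presumably unintended, and the destination needs its own check inside the method (its body continues past the hunk). Separately, `get_file_content`, `move_node_upper`, `move_node_lower` and `force_delete_node` accept a missing `node_id` (`None`/`0` defaults) while the predicate does a plain subscript on `['values']['node_id']`, so a request without that parameter would surface as a KeyError rather than a clean `unmet()` unless the validation layer always populates the key — worth confirming. A short comment next to the new import, e.g. `# can_read/can_write key off the request's node_id only; methods that take other node ids must authorize them separately`, would make that contract visible at the call sites.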

+ 19 - 0
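--- a/pboard/pboard/lib/auth.py
+++ b/pboard/pboard/lib/auth.py
@@ -22,3 +22,22 @@ class can_read(Predicate):
                 and node_id = :node""", {"mail":credentials["repoze.who.userid"], "node":node_id})
         if has_right.rowcount == 0 :
             self.unmet()
+
+class can_write(Predicate):
+    message = ""
+
+    def __init__(self, **kwargs):
+        pass
+
+    def evaluate(self, environ, credentials):
+        node_id = environ['webob.adhoc_attrs']['validation']['values']['node_id']
+        has_right = session.execute("""
+                select *
+                from pod_group_node pgn
+                join pod_user_group pug on pug.group_id = pgn.group_id
+                join pod_user pu on pug.user_id = pu.user_id
+                where rights > 1
+                and email_address = :mail
+                and node_id = :node""", {"mail":credentials["repoze.who.userid"], "node":node_id})
+        if has_right.rowcount == 0 :
+            self.unmet()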
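Review bot: `has_right.rowcount == 0` is the only thing between a caller and `self.unmet()`, and `rowcount` after a SELECT is driver-dependent (sqlite3, for one, reports -1 for SELECT statements), so on such a backend this predicate could never deny — a fail-open authorization check; fetching a row makes the decision driver-independent, `if has_right.first() is None:`, and the query can `select 1` since no column is used. The identical check sits in the context lines of `can_read` just above and deserves the same treatment. `__init__` also swallows `**kwargs` without calling `Predicate.__init__`, so a `msg=` passed by a caller is dropped while `message` stays the empty string, giving the user an empty denial; dropping the override and setting a real `message` fixes both. Since the body otherwise duplicates the visible tail of `can_read` with only the `rights > 1` threshold differing (the head of `can_read` is outside the hunk, so this is inferred), a shared predicate parameterized by the threshold would keep the two checks from drifting apart.
```python
class _node_rights(Predicate):
    """Unmet unless the current user is in a group whose rights on the
    node named by the validated ``node_id`` exceed ``min_rights``."""
    min_rights = 0

    def evaluate(self, environ, credentials):
        node_id = environ['webob.adhoc_attrs']['validation']['values']['node_id']
        has_right = session.execute("""
                select 1
                from pod_group_node pgn
                join pod_user_group pug on pug.group_id = pgn.group_id
                join pod_user pu on pug.user_id = pu.user_id
                where rights > :min_rights
                and email_address = :mail
                and node_id = :node""",
            {"mail": credentials["repoze.who.userid"], "node": node_id,
             "min_rights": self.min_rights})
        # fetch a row rather than trust rowcount, which is driver-dependent for SELECT
        if has_right.first() is None:
            self.unmet()


class can_write(_node_rights):
    message = "Write access to this document is required"
    min_rights = 1
```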