can_write predicate

pboard/pboard/controllers/api.py

 from pboard.lib   import dbapi as pld
 from pboard.model import data as pmd
 from pboard import model as pm
+from pboard.lib.auth import can_read, can_write
 
 __all__ = ['PODPublicApiController', 'PODApiController']
 
       redirect(lurl('/document/%i'%(loNewNode.parent_id)))
 
     @expose()
+    @require(can_read())
     def get_file_content(self, node_id=None, **kw):
       if node_id==None:
         return
         return loResultBuffer.getvalue()
 
     @expose()
+    @require(can_write())
     def set_parent_node(self, node_id, new_parent_id, **kw):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
       redirect(lurl('/document/%s'%(node_id)))
 
     @expose()
+    @require(can_write())
     def move_node_upper(self, node_id=0):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
       redirect(lurl('/document/%s'%(node_id)))
 
     @expose()
+    @require(can_write())
     def move_node_lower(self, node_id=0):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
       redirect(lurl('/document/%i'%(loNewNode.node_id)))
 
     @expose()
+    @require(can_write())
     def edit_status(self, node_id, node_status):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
       redirect(lurl('/document/%s'%(node_id)))
 
     @expose()
+    @require(can_write())
     def edit_label_and_content(self, node_id, data_label, data_content):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
       redirect(lurl('/document/%s'%(node_id)))
 
     @expose()
+    @require(can_write())
     def force_delete_node(self, node_id=None):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
       redirect(lurl('/document/%s'%(back_to_node_id)))
 
     @expose()
+    @require(can_write())
     def toggle_share_status(self, node_id):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)

pboard/pboard/lib/auth.py

                 and node_id = :node""", {"mail":credentials["repoze.who.userid"], "node":node_id})
         if has_right.rowcount == 0 :
             self.unmet()
+
+class can_write(Predicate):
+    message = ""
+
+    def __init__(self, **kwargs):
+        pass
+
+    def evaluate(self, environ, credentials):
+        node_id = environ['webob.adhoc_attrs']['validation']['values']['node_id']
+        has_right = session.execute("""
+                select *
+                from pod_group_node pgn
+                join pod_user_group pug on pug.group_id = pgn.group_id
+                join pod_user pu on pug.user_id = pu.user_id
+                where rights > 1
+                and email_address = :mail
+                and node_id = :node""", {"mail":credentials["repoze.who.userid"], "node":node_id})
+        if has_right.rowcount == 0 :
+            self.unmet()