10 years ago · a8616e28e4
--- a/pboard/pboard/controllers/api.py
+++ b/pboard/pboard/controllers/api.py
@@ -24,6 +24,7 @@ from pboard.lib.base import BaseController
 
				 from pboard.lib   import dbapi as pld
			
 
				 from pboard.model import data as pmd
			
 
				 from pboard import model as pm
			
 
				+from pboard.lib.auth import can_read, can_write
			
 
				 
			
 
				 __all__ = ['PODPublicApiController', 'PODApiController']
			
 
				 
			
@@ -141,6 +142,7 @@ class PODApiController(BaseController):
 
				       redirect(lurl('/document/%i'%(loNewNode.parent_id)))
			
 
				 
			
 
				     @expose()
			
 
				+    @require(can_read())
			
 
				     def get_file_content(self, node_id=None, **kw):
			
 
				       if node_id==None:
			
 
				         return
			
@@ -177,6 +179,7 @@ class PODApiController(BaseController):
 
				         return loResultBuffer.getvalue()
			
 
				 
			
 
				     @expose()
			
 
				+    @require(can_write())
			
 
				     def set_parent_node(self, node_id, new_parent_id, **kw):
			
 
				       loCurrentUser   = pld.PODStaticController.getCurrentUser()
			
 
				       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
			
@@ -189,6 +192,7 @@ class PODApiController(BaseController):
 
				       redirect(lurl('/document/%s'%(node_id)))
			
 
				 
			
 
				     @expose()
			
 
				+    @require(can_write())
			
 
				     def move_node_upper(self, node_id=0):
			
 
				       loCurrentUser   = pld.PODStaticController.getCurrentUser()
			
 
				       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
			
@@ -199,6 +203,7 @@ class PODApiController(BaseController):
 
				       redirect(lurl('/document/%s'%(node_id)))
			
 
				 
			
 
				     @expose()
			
 
				+    @require(can_write())
			
 
				     def move_node_lower(self, node_id=0):
			
 
				       loCurrentUser   = pld.PODStaticController.getCurrentUser()
			
 
				       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
			
@@ -234,6 +239,7 @@ class PODApiController(BaseController):
 
				       redirect(lurl('/document/%i'%(loNewNode.node_id)))
			
 
				 
			
 
				     @expose()
			
 
				+    @require(can_write())
			
 
				     def edit_status(self, node_id, node_status):
			
 
				       loCurrentUser   = pld.PODStaticController.getCurrentUser()
			
 
				       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
			
@@ -243,6 +249,7 @@ class PODApiController(BaseController):
 
				       redirect(lurl('/document/%s'%(node_id)))
			
 
				 
			
 
				     @expose()
			
 
				+    @require(can_write())
			
 
				     def edit_label_and_content(self, node_id, data_label, data_content):
			
 
				       loCurrentUser   = pld.PODStaticController.getCurrentUser()
			
 
				       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
			
@@ -253,6 +260,7 @@ class PODApiController(BaseController):
 
				       redirect(lurl('/document/%s'%(node_id)))
			
 
				 
			
 
				     @expose()
			
 
				+    @require(can_write())
			
 
				     def force_delete_node(self, node_id=None):
			
 
				       loCurrentUser   = pld.PODStaticController.getCurrentUser()
			
 
				       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
			
@@ -284,6 +292,7 @@ class PODApiController(BaseController):
 
				       redirect(lurl('/document/%s'%(back_to_node_id)))
			
 
				 
			
 
				     @expose()
			
 
				+    @require(can_write())
			
 
				     def toggle_share_status(self, node_id):
			
 
				       loCurrentUser   = pld.PODStaticController.getCurrentUser()
			
 
				       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
			
--- a/pboard/pboard/controllers/root.py
+++ b/pboard/pboard/controllers/root.py
@@ -134,7 +134,6 @@ class RootController(BaseController):
 
				               row = dict(pm.DBSession.execute("select * from pod_nodes_history where node_id=:node_id and version_id=:version_id", {"node_id":liNodeId, "version_id":liVersionId}).first().items())
			
 
				               del(row['version_id'])
			
 
				               loCurrentNode = pbmd.PBNode(**row)
			
 
				-              log.info(loCurrentNode)
			
 
				           else:
			
 
				             loCurrentNode    = loApiController.getNode(liNodeId)
			
 
				         except Exception as e:
			
--- a/pboard/pboard/lib/auth.py
+++ b/pboard/pboard/lib/auth.py
@@ -24,3 +24,23 @@ class can_read(Predicate):
 
				                         and node_id = :node""", {"mail":credentials["repoze.who.userid"], "node":node_id})
			
 
				                 if has_right.rowcount == 0 :
			
 
				                     self.unmet()
			
 
				+
			
 
				+class can_write(Predicate):
			
 
				+    message = ""
			
 
				+
			
 
				+    def __init__(self, **kwargs):
			
 
				+        pass
			
 
				+
			
 
				+    def evaluate(self, environ, credentials):
			
 
				+        node_id = environ['webob.adhoc_attrs']['validation']['values']['node_id']
			
 
				+        has_right = session.execute("""
			
 
				+                select *
			
 
				+                from pod_group_node pgn
			
 
				+                join pod_user_group pug on pug.group_id = pgn.group_id
			
 
				+                join pod_user pu on pug.user_id = pu.user_id
			
 
				+                where rights > 1
			
 
				+                and email_address = :mail
			
 
				+                and node_id = :node""", {"mail":credentials["repoze.who.userid"], "node":node_id})
			
 
				+        if has_right.rowcount == 0 :
			
 
				+            self.unmet()
			
 
				+