Merge branch 'master' of https://bitbucket.org/lebouquetin/protov1

pboard/pboard/controllers/api.py

 from pboard.lib   import dbapi as pld
 from pboard.model import data as pmd
 from pboard import model as pm
+from pboard.lib.auth import can_read, can_write
 
 __all__ = ['PODPublicApiController', 'PODApiController']
 
       redirect(lurl('/document/%i'%(loNewNode.parent_id)))
 
     @expose()
+    @require(can_read())
     def get_file_content(self, node_id=None, **kw):
       if node_id==None:
         return
         return loResultBuffer.getvalue()
 
     @expose()
+    @require(can_write())
     def set_parent_node(self, node_id, new_parent_id, **kw):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
       redirect(lurl('/document/%s'%(node_id)))
 
     @expose()
+    @require(can_write())
     def move_node_upper(self, node_id=0):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
       redirect(lurl('/document/%s'%(node_id)))
 
     @expose()
+    @require(can_write())
     def move_node_lower(self, node_id=0):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
       redirect(lurl('/document/%i'%(loNewNode.node_id)))
 
     @expose()
+    @require(can_write())
     def edit_status(self, node_id, node_status):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
       redirect(lurl('/document/%s'%(node_id)))
 
     @expose()
+    @require(can_write())
     def edit_label_and_content(self, node_id, data_label, data_content):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
       redirect(lurl('/document/%s'%(node_id)))
 
     @expose()
+    @require(can_write())
     def force_delete_node(self, node_id=None):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)
       redirect(lurl('/document/%s'%(back_to_node_id)))
 
     @expose()
+    @require(can_write())
     def toggle_share_status(self, node_id):
       loCurrentUser   = pld.PODStaticController.getCurrentUser()
       loApiController = pld.PODUserFilteredApiController(loCurrentUser.user_id)

pboard/pboard/controllers/root.py

               row = dict(pm.DBSession.execute("select * from pod_nodes_history where node_id=:node_id and version_id=:version_id", {"node_id":liNodeId, "version_id":liVersionId}).first().items())
               del(row['version_id'])
               loCurrentNode = pbmd.PBNode(**row)
-              log.info(loCurrentNode)
           else:
             loCurrentNode    = loApiController.getNode(liNodeId)
         except Exception as e:

pboard/pboard/lib/auth.py

                         and node_id = :node""", {"mail":credentials["repoze.who.userid"], "node":node_id})
                 if has_right.rowcount == 0 :
                     self.unmet()
+
+class can_write(Predicate):
+    message = ""
+
+    def __init__(self, **kwargs):
+        pass
+
+    def evaluate(self, environ, credentials):
+        node_id = environ['webob.adhoc_attrs']['validation']['values']['node_id']
+        has_right = session.execute("""
+                select *
+                from pod_group_node pgn
+                join pod_user_group pug on pug.group_id = pgn.group_id
+                join pod_user pu on pug.user_id = pu.user_id
+                where rights > 1
+                and email_address = :mail
+                and node_id = :node""", {"mail":credentials["repoze.who.userid"], "node":node_id})
+        if has_right.rowcount == 0 :
+            self.unmet()
+