fixes can_read and can_write which didn't check rights at all (missing a condition on owner)

pboard/pboard/lib/auth.py

@@ -4,6 +4,29 @@ from tg.predicates import Predicate
 from pboard.model import DBSession as session
 from pboard.model.auth import Permission, User
 
+DIRTY_canReadOrCanWriteSqlQuery = """
+SELECT
+    node_id
+FROM
+    pod_group_node AS pgn
+    join pod_user_group AS pug on pug.group_id = pgn.group_id
+    join pod_user AS pu ON pug.user_id = pu.user_id
+WHERE
+    rights > :excluded_right_low_level
+    AND email_address = :email
+    AND node_id = :node_id
+UNION
+    SELECT
+        node_id
+    FROM
+        pod_nodes AS pnn,
+        pod_user AS puu
+    WHERE
+        pnn.node_id = :node_id
+        AND pnn.owner_id = puu.user_id
+        AND puu.email_address = :email
+"""
+
 class can_read(Predicate):
     message = ""
 
@@ -14,25 +37,10 @@ class can_read(Predicate):
         if 'node_id' in environ['webob.adhoc_attrs']['validation']['values']:
             node_id = environ['webob.adhoc_attrs']['validation']['values']['node_id']
             if node_id!=0:
-                has_right = session.execute("""
-                    select
-                        node_id
-                    from
-                        pod_group_node pgn
-                        join pod_user_group pug on pug.group_id = pgn.group_id
-                        join pod_user pu on pug.user_id = pu.user_id
-                    where
-                        rights > 0
-                        and email_address = :mail
-                        and node_id = :node
-                    union
-                        select
-                            node_id
-                        from
-                            pod_nodes
-                        where
-                            node_id = :node
-                        """, {"mail":credentials["repoze.who.userid"], "node":node_id})
+                has_right = session.execute(
+                    DIRTY_canReadOrCanWriteSqlQuery,
+                    {"email":credentials["repoze.who.userid"], "node_id":node_id, "excluded_right_low_level": 0}
+                )
                 if has_right.rowcount == 0 :
                     self.unmet()
 
@@ -46,25 +54,10 @@ class can_write(Predicate):
         if 'node_id' in environ['webob.adhoc_attrs']['validation']['values']:
             node_id = environ['webob.adhoc_attrs']['validation']['values']['node_id']
             if node_id!=0:
-                has_right = session.execute("""
-                        select
-                            node_id
-                        from
-                            pod_group_node pgn
-                            join pod_user_group pug on pug.group_id = pgn.group_id
-                            join pod_user pu on pug.user_id = pu.user_id
-                        where
-                            rights > 1
-                            and email_address = :mail
-                            and node_id = :node
-                        union
-                            select
-                                node_id
-                            from
-                                pod_nodes
-                            where
-                                node_id = :node
-                        """, {"mail":credentials["repoze.who.userid"], "node":node_id})
+                has_right = session.execute(
+                    DIRTY_canReadOrCanWriteSqlQuery,
+                    {"email":credentials["repoze.who.userid"], "node_id":node_id, "excluded_right_low_level": 1}
+                )
                 if has_right.rowcount == 0 :
                     self.unmet()