
danjac  committed 272bf59

add restrict to views

  • Parent commits 8944cd2


Files changed (5)

File newsmeme/models.py

                              Post.score.desc(),
                              Post.id.desc())
 
+    def public(self):
+        return self.filter(Post.access==Post.PUBLIC)
 
     def restricted(self, user=None):
         """
         return self.access == self.FRIENDS and self.author_id in user.friends
 
     def can_vote(self, user):
-        if user is None or user.id == self.author_id or user.id in self.votes:
+        if user is None or \
+            not self.can_access(user) or \
+            user.id == self.author_id or user.id in self.votes:
             return False
         return True
 
         db.select([db.func.count(post_tags.c.post_id)]).where(
             post_tags.c.tag_id==id).as_scalar())
 
+class CommentQuery(BaseQuery):
+
+    def restricted(self, user):
+
+        if user is None:
+                return self.filter(Post.access==Post.PUBLIC)
+
+        if user.is_moderator:
+            return self
+
+        return self.filter(db.or_(Post.access==Post.PUBLIC,
+                                  Post.author_id==user.id,
+                                  db.and_(Post.access==Post.FRIENDS, 
+                                          Post.author_id.in_(user.friends))))
+
 
 class Comment(db.Model):
 
     __tablename__ = "comments"
 
+    query_class = CommentQuery
+
     id = db.Column(db.Integer, primary_key=True)
     
     author_id = db.Column(db.Integer, 
         self.votes.add(user.id)
 
     def can_vote(self, user):
-        if user is None or user.id == self.author_id or user.id in self.votes:
+        if user is None or \
+            not self.post.can_access(user) or \
+            user.id == self.author_id or user.id in self.votes:
             return False
         return True
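Review bot: CommentQuery.restricted filters on Post.access and Post.author_id but never joins Post, and the caller in user.py (`Comment.query.filter_by(author=user).order_by(Comment.id.desc()).restricted(g.user)`) adds no join either, so unless a join is applied somewhere not visible here the posts table enters the FROM clause unconstrained and the predicate asks whether any post is public rather than whether the comment's own post is, which both defeats the restriction and duplicates rows. Joining on the comment's post inside the method keeps the check self-contained: `return self.join(Post).filter(Post.access==Post.PUBLIC)` in the anonymous branch and `return self.join(Post).filter(db.or_(` in the last one (this assumes Comment→Post is a mapped relationship, which `self.post` in Comment.can_vote suggests). Two smaller points: the `user is None` branch is indented 16 spaces where the rest of the method uses 8, and the signature takes `user` as required while the Post query's `restricted(self, user=None)` defaults it, so the two should agree. The Post query's restricted body and the can_access helper called by both can_vote methods are outside this hunk.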
 

File newsmeme/views/api.py

 @api.route("/post/<int:post_id>/")
 def post(post_id):
 
-    post = Post.query.get_or_404(post_id)
+    post = Post.query.public().filter_by(id=post_id).first_or_404()
+
     return jsonify(**post.json)
 
 
     if num_results > 100:
         num_results = 100
 
-    posts = Post.query.search(keywords).limit(num_results)
+    posts = Post.query.search(keywords).public().limit(num_results)
     
     return jsonify(results=list(posts.jsonify()))
 
 
     user = User.query.filter_by(username=username).first_or_404()
     
-    posts = Post.query.filter_by(author_id=user.id)
+    posts = Post.query.filter_by(author_id=user.id).public()
 
     return jsonify(posts=list(posts.jsonify()))
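Review bot: The new `.public().limit(num_results)` line is only clamped from above by the `if num_results > 100` guard just before it; where num_results originates is outside the hunk, but if it comes from the request a zero or negative value reaches LIMIT, which some backends treat as "no limit" and others reject with a database error. A lower bound next to the existing cap, `if num_results < 1: num_results = 1` (or a single `num_results = max(1, min(num_results, 100))`), closes that. All three functions in this section start outside the hunk.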
 

File newsmeme/views/frontend.py

 @keep_login_url
 def index(page=1):
     
-    page_obj = Post.query.current().hottest().\
+    page_obj = Post.query.current().hottest().restricted(g.user).\
         paginate(page, per_page=PER_PAGE)
         
     page_url = lambda page: url_for("frontend.index", page=page)
 @keep_login_url
 def latest(page=1):
     
-    page_obj = Post.query.current().paginate(page, per_page=PER_PAGE)
+    page_obj = Post.query.current().restricted(g.user).\
+        paginate(page, per_page=PER_PAGE)
 
     page_url = lambda page: url_for("frontend.latest", page=page)
 
 @frontend.route("/deadpool/<int:page>/")
 @keep_login_url
 def deadpool(page=1):
-    page_obj = Post.query.deadpooled().paginate(page, per_page=PER_PAGE)
+    page_obj = Post.query.deadpooled().restricted(g.user).\
+        paginate(page, per_page=PER_PAGE)
 
     page_url = lambda page: url_for("frontend.deadpool", page=page)
 
     if not keywords:
         return redirect(url_for("frontend.index"))
     
-    page_obj = Post.query.search(keywords).paginate(page, per_page=PER_PAGE)
+    page_obj = Post.query.search(keywords).restricted(g.user).\
+        paginate(page, per_page=PER_PAGE)
 
     if page_obj.total == 1:
 
 def tag(slug, page=1):
     tag = Tag.query.filter_by(slug=slug).first_or_404()
 
-    page_obj = tag.posts.paginate(page, per_page=PER_PAGE)
+    page_obj = tag.posts.restricted(g.user).\
+        paginate(page, per_page=PER_PAGE)
     page_url = lambda page: url_for('frontend.tag',
                                     slug=slug,
                                     page=page)
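Review bot: `tag.posts.restricted(g.user)` relies on the `Tag.posts` dynamic relationship having been declared with the Post query class; a dynamic relationship uses whatever `query_class` it was built with, so if `restricted` lives only on the Post model's query class this line raises AttributeError at runtime (the relationship declaration is not in the diff, so confirm). The same `.restricted(g.user)` suffix is now added by hand in index, latest, deadpool, search and tag, and again in user.py, which makes it easy to omit from the next listing view; a single helper on the query class or in the view module, e.g. `def visible_posts(q): return q.restricted(g.user)`, keeps the visibility rule in one place. Every function in this section starts or ends outside the hunk.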

File newsmeme/views/post.py

 @keep_login_url
 def view(post_id, slug=None):
     post = Post.query.get_or_404(post_id)
+    if not post.can_access(g.user):
+        abort(403)
 
     def edit_comment_form(comment):
         return CommentForm(obj=comment)
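Review bot: The new `abort(403)` after `Post.query.get_or_404(post_id)` answers differently for an id that does not exist (404) and one the caller may not see (403), so an anonymous client can tell which ids hold private or friends-only posts; the api.py `post` endpoint in this same commit uses `first_or_404()` and returns 404 in both cases. Responding with `if not post.can_access(g.user): abort(404)` here keeps the two paths consistent and removes the existence signal. `can_access` is not in the diff and `view` continues past the hunk, so I assume any further per-post actions in this view (commenting, voting) sit behind the same gate.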

File newsmeme/views/user.py

 
     user = User.query.filter_by(username=username).first_or_404()
 
-    page_obj = Post.query.filter_by(author=user).paginate(page, PER_PAGE)
+    page_obj = Post.query.filter_by(author=user).restricted(g.user).\
+        paginate(page, PER_PAGE)
     
     page_url = lambda page: url_for('user.posts',
                                     username=username,
     user = User.query.filter_by(username=username).first_or_404()
 
     page_obj = Comment.query.filter_by(author=user).\
-        order_by(Comment.id.desc()).paginate(page, PER_PAGE)
+        order_by(Comment.id.desc()).restricted(g.user).\
+        paginate(page, PER_PAGE)
     
     page_url = lambda page: url_for('user.comments',
                                     username=username,