Context Navigation

Changes between Version 38 and Version 39 of BluePrintAuthorization

Timestamp:: 06/19/10 17:47:59 (14 years ago)
Author:: Fran Boon
Comment:: Handle tables without 'deleted' field

Legend:

: Unmodified
: Added
: Removed
: Modified

BluePrintAuthorization

-              v38
+              v39
     """
+    deleted = (table.deleted == None)
+    if "deleted" in table.fields:
+        deleted = (table.deleted == None)
+    else:
+        deleted = 1
     try:
 …
     # Options 1 & 2:
     if record_id and authorised:
+        record = db(table.id == record_id).select(table.deleted, table.reader_id, table.writer_id, limitby=(0, 1)).first()
+        # Check if record is deleted
+        if record.deleted:
+            authorised = False
+        record = None
+        if "deleted" in table.fields:
+            # Check if record is deleted
+            record = db(table.id == record_id).select(table.deleted, table.reader_id, table.writer_id, limitby=(0, 1)).first()
+            if record.deleted:
+                authorised = False
+                return authorised
         elif 1 in roles:
             # Admin is always authorised to view undeleted data (deleted data accessible through alternate UI)
             authorised = True
+            return authorised
+        # Check the record's auth fields
+        if not record:
+            record = db(table.id == record_id).select(table.reader_id, table.writer_id, limitby=(0, 1)).first()
+        if name == "read":
+            if not table.reader_id:
+                authorised = True
+            else:
+                authorised = False
+                restrictions = re.split("\|", table.reader_id)[1:-1]
+                # Assume we generally have fewer restrictions than roles
+                for restriction in restrictions:
+                    if restriction in roles:
+                        authorised = True
+        elif name in ["delete", "update"]:
+            if not table.writer_id:
+                authorised = True
+            else:
+                authorised = False
+                restrictions = re.split("\|", table.writer_id)[1:-1]
+                # Assume we generally have fewer restrictions than roles
+                for restriction in restrictions:
+                    if restriction == "0" or int(restriction) in roles:
+                        # restriction 0 is anonymous
+                        authorised = True
         else:
+            # Need to check the record's auth fields
+            if name == "read":
+                if not table.reader_id:
+                    authorised = True
+                else:
+                    authorised = False
+                    restrictions = re.split("\|", table.reader_id)[1:-1]
+                    # Assume we generally have fewer restrictions than roles
+                    for restriction in restrictions:
+                        if restriction in roles:
+                            authorised = True
+            elif name in ["delete", "update"]:
+                if not table.writer_id:
+                    authorised = True
+                else:
+                    authorised = False
+                    restrictions = re.split("\|", table.writer_id)[1:-1]
+                    # Assume we generally have fewer restrictions than roles
+                    for restriction in restrictions:
+                        if restriction == "0" or int(restriction) in roles:
+                            # restriction 0 is anonymous
+                            authorised = True
+            else:
+                # Something went wrong
+                session.error = str(T("Invalid mode sent to")) + " shn_has_permission(): " + name
+                redirect(URL(r=request, f="index"))
+            # Something went wrong
+            session.error = str(T("Invalid mode sent to")) + " shn_has_permission(): " + name
+            redirect(URL(r=request, f="index"))
 return authorised