def comment(self):
txt = drink.omni(request.params.get('text', ''))
if txt:
if not self._comments:
self._comments = []
self._comments.append( {'from': request.identity.id, 'message': txt} )
drink.transaction.commit()
return {'comments': self._comments or [], 'redirect': self.path}
def get_object(current, objpath, no_raise=False):
""" Fetch an object from database, looking at permissions to approve
:arg current: root object to browse for childrens
:type current: :class:`drink.Page`
:arg objpath: path to the children
:type objpath: str
:arg no_raise: (optional) don't raise exceptions
:type no_raise: `bool`
"""
path_list = [drink.omni(p) for p in objpath.split("/") if p]
last_idx = len(path_list) - 1
pending_path = False
for i, elt in enumerate(path_list):
if elt[0] in "._" and elt != "_static":
return drink.unauthorized("Not authorized (forbidden character)")
if False != pending_path:
pending_path.append(elt)
elif i == last_idx:
# getting
try:
current = current[elt]
if "r" not in drink.request.identity.access(current):
if not no_raise:
return drink.unauthorized("Not authorized")
return
except (KeyError, AttributeError, TypeError):
try:
current = getattr(current, elt)
except AttributeError:
if callable(current):
pending_path = [elt]
else:
if not no_raise:
raise AttributeError(elt)
return
break # found a matching object
else:
# traversal
try:
current = current[elt]
if "t" not in drink.request.identity.access(current):
if not no_raise:
return drink.unauthorized("Not authorized")
return
except (KeyError, AttributeError):
if hasattr(current, elt) and callable(getattr(current, elt)):
current = getattr(current, elt)
pending_path = []
else:
if no_raise:
return
raise AttributeError(elt)
request.pending_path = pending_path
return current
def rm(self):
# TODO: ajaxify
name = drink.omni(request.GET.get('name'))
if not ('a' in request.identity.access(self) and 'w' in request.identity.access(self[name])):
return drink.unauthorized("Not authorized")
try:
parent_path = self.quoted_path
except AttributeError: # XXX: unclean
parent_path = '.'
with self._lock():
old_obj = self[name]
del self[name]
old_obj._update_lookup_engine(remove=True)
drink.transaction.commit()
return drink.rdr(parent_path)
