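def picture_as_image(request):
    """Return an image file for the requested picture.

    The picture is served only when the logged-in user is either a
    viewer of the album that holds it or an administrator of the
    gallery that holds that album. Anonymous requests, unknown picture
    ids and pictures the user may not see all receive the same
    ``HTTPForbidden`` so the response does not reveal whether a given
    picture id exists.

    :param request: the current request; ``matchdict['picture_id']``
        names the picture and ``registry.settings`` provides
        ``lasco.pictures_base_path``.
    :returns: a ``FileResponse`` streaming the picture file.
    :raises HTTPForbidden: when there is no picture this user may view.
    """
    session = DBSession()
    picture_id = request.matchdict['picture_id']
    user_id = get_user_metadata(request).get('id', None)
    picture = None
    if user_id:
        # picture_id comes from the URL and user_id from the session
        # metadata, so both are passed as bound parameters instead of
        # being interpolated into the statement -- the same binding
        # style lasco_index() already uses for its user id.
        query = (
            "SELECT DISTINCT pictures.* "
            "FROM pictures, album_viewers "
            "WHERE pictures.id = :picture_id AND "
            "      pictures.album_id = album_viewers.album_id AND "
            "      album_viewers.user_id = :user_id "
            "UNION "
            "SELECT DISTINCT pictures.* "
            "FROM pictures, albums, gallery_administrators "
            "WHERE pictures.id = :picture_id AND "
            "      pictures.album_id = albums.id AND "
            "      albums.gallery_id = gallery_administrators.gallery_id AND "
            "      gallery_administrators.user_id = :user_id"
        )
        params = {'picture_id': picture_id, 'user_id': user_id}
        picture = session.execute(query, params).first()  # None if no row
    if picture is None:
        # Deliberately the same response whether the picture is missing
        # or merely not viewable by this user.
        raise HTTPForbidden()
    base_path = request.registry.settings['lasco.pictures_base_path']
    # NOTE(review): os.path.join() drops base_path entirely when
    # picture.path is absolute; the stored paths are assumed to be
    # relative to the base directory -- confirm against the writer side.
    full_path = os.path.join(base_path, picture.path)
    return FileResponse(full_path, request=request)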
def lasco_index(request):
    """Render the index page with the galleries the current user may see.

    A gallery is listed when the user is a viewer of at least one of its
    albums or an administrator of the gallery itself. Without a
    logged-in user the gallery list is an empty tuple.

    :param request: the current request.
    :returns: a template dict with ``api`` and ``galleries`` keys.
    """
    session = DBSession()
    current_user = get_user_metadata(request).get('id', None)
    galleries = ()
    if current_user:
        # The user id is bound as a parameter, never interpolated.
        statement = (
            "SELECT DISTINCT galleries.* "
            "FROM galleries, albums, "
            " album_viewers "
            "WHERE (galleries.id = albums.gallery_id AND "
            " albums.id = album_viewers.album_id AND "
            " album_viewers.user_id = :user_id)"
            " UNION SELECT DISTINCT galleries.* "
            " FROM galleries, gallery_administrators "
            " WHERE (galleries.id=gallery_administrators.gallery_id AND"
            " gallery_administrators.user_id = :user_id)"
        )
        galleries = session.execute(statement, {'user_id': current_user})
    return {
        'api': TemplateAPI(request, 'Lasco'),
        'galleries': galleries,
    }