def comment(self):
    """ Append the submitted comment to this object and return the comment list

    Reads the `text` request parameter, passes it through `drink.omni` and,
    when the result is non-empty, stores it together with the id of the
    requesting identity, then commits the transaction.

    :returns: a dict with the current comments (empty list if none) and
        this object's path under `redirect`
    :rtype: dict
    """
    # NOTE(review): no access() check is visible in this method, unlike rm()
    # and get_object() -- confirm the caller enforces who may comment.
    message = drink.omni(request.params.get('text', ''))
    if message:
        if not self._comments:
            self._comments = []
        # NOTE(review): what drink.omni does to the text is not visible here;
        # treat stored messages as untrusted input and escape them wherever
        # they are rendered.
        entry = {'from': request.identity.id, 'message': message}
        self._comments.append(entry)
        drink.transaction.commit()
    return {'comments': self._comments or [], 'redirect': self.path}
def get_object(current, objpath, no_raise=False):
    """ Fetch an object from database, looking at permissions to approve

    `objpath` is split on "/" and resolved one element at a time, starting
    from `current`. Intermediate elements require the "t" flag in
    `drink.request.identity.access(...)`, the last element requires "r".
    When an element is not found by item lookup the code falls back to
    attribute lookup; once a callable has been selected that way, the
    remaining elements are not traversed but collected in
    `request.pending_path`.

    :arg current: root object to browse for children
    :type current: :class:`drink.Page`
    :arg objpath: path to the children
    :type objpath: str
    :arg no_raise: (optional) don't raise exceptions
    :type no_raise: `bool`
    :returns: the resolved object; `None` when `no_raise` is set and the
        lookup or the permission check fails; otherwise the result of
        `drink.unauthorized(...)` on a refused element
    :raises AttributeError: when an element cannot be resolved and
        `no_raise` is false

    Side effect: sets `request.pending_path` to `False` or to the list of
    path elements left for the resolved callable.
    """
    # Empty segments ("//", leading or trailing "/") are dropped before lookup.
    path_list = [drink.omni(p) for p in objpath.split("/") if p]
    last_idx = len(path_list) - 1
    # False = plain traversal; a list (even an empty one) = collecting the
    # remaining elements for a callable.
    pending_path = False
    for i, elt in enumerate(path_list):
        # This prefix check is what keeps the getattr() fallbacks below away
        # from "_"-prefixed (private / dunder) attributes; "_static" is the
        # single exemption. It is applied regardless of no_raise.
        if elt[0] in "._" and elt != "_static":
            return drink.unauthorized("Not authorized (forbidden character)")
        # `False != []` is true, so an empty list also selects collecting mode.
        if False != pending_path:
            pending_path.append(elt)
        elif i == last_idx:
            # getting: the final element must be readable ("r")
            try:
                current = current[elt]
                if "r" not in drink.request.identity.access(current):
                    if not no_raise:
                        return drink.unauthorized("Not authorized")
                    return
            except (KeyError, AttributeError, TypeError):
                # NOTE(review): the attribute returned by this fallback is not
                # passed through access(). The try body also covers the
                # access() call, so an AttributeError/TypeError raised there
                # would land here with `current` already rebound to the
                # child -- confirm both are intended.
                try:
                    current = getattr(current, elt)
                except AttributeError:
                    if callable(current):
                        # unresolved last element is handed to the callable
                        pending_path = [elt]
                    else:
                        if not no_raise:
                            raise AttributeError(elt)
                        return
            break # found a matching object
        else:
            # traversal: intermediate elements must be traversable ("t")
            try:
                current = current[elt]
                if "t" not in drink.request.identity.access(current):
                    if not no_raise:
                        return drink.unauthorized("Not authorized")
                    return
            # NOTE(review): TypeError is not caught here, unlike the
            # final-element branch, so it propagates even when no_raise is
            # set -- confirm.
            except (KeyError, AttributeError):
                # Only callable attributes are accepted as a fallback, and no
                # access() check is applied to them; later elements are then
                # collected instead of traversed.
                if hasattr(current, elt) and callable(getattr(current, elt)):
                    current = getattr(current, elt)
                    pending_path = []
                else:
                    if no_raise:
                        return
                    raise AttributeError(elt)
    request.pending_path = pending_path
    return current
def rm(self):
    """ Remove the child named by the `name` query parameter

    The requesting identity needs the "a" flag on this object and the "w"
    flag on the child; otherwise `drink.unauthorized` is returned. On
    success the child is deleted under `self._lock()`, its lookup-engine
    entry is removed and the transaction is committed.

    :returns: the result of `drink.rdr` for this object's quoted path
        ("." when the object has no `quoted_path`)
    """
    # TODO: ajaxify
    # NOTE(review): a destructive action driven by request.GET; no anti-CSRF
    # token check is visible in this method -- confirm one is enforced
    # upstream or move the action to a non-GET request.
    target = drink.omni(request.GET.get('name'))
    # Two sequential guards keep the short-circuit: the child is only looked
    # up once the "a" flag on the container has been confirmed.
    if 'a' not in request.identity.access(self):
        return drink.unauthorized("Not authorized")
    if 'w' not in request.identity.access(self[target]):
        return drink.unauthorized("Not authorized")
    # XXX: unclean -- objects without a quoted_path redirect to '.'
    parent_path = getattr(self, 'quoted_path', '.')
    with self._lock():
        # NOTE(review): the child is fetched again here, after the permission
        # check ran outside the lock -- confirm it cannot be replaced between
        # the check and the delete.
        removed = self[target]
        del self[target]
        removed._update_lookup_engine(remove=True)
        drink.transaction.commit()
    return drink.rdr(parent_path)