Merge remote-tracking branch 'upstream/master'

2026-06-27 16:10:40 +08:00 · 2011-06-17 09:54:17 +02:00
parent 459429452c 67d98ba3da
commit f995acc622
2 changed files with 16 additions and 6 deletions
@@ -8,6 +8,7 @@ from formalchemy.fields import Field
 from formalchemy import fatypes
 from pyramid.renderers import get_renderer
 from pyramid.response import Response
+from pyramid.security import has_permission
 from pyramid import httpexceptions as exc
 from pyramid.exceptions import NotFound
 from pyramid_formalchemy.utils import TemplateEngine
@@ -55,15 +56,17 @@ class ModelView(object):
        models = {}
        if isinstance(request.models, list):
            for model in request.models:
-                key = model.__name__
-                models[key] = request.fa_url(key, request.format)
+                if has_permission('view', model, request):
+                    key = model.__name__
+                    models[key] = request.fa_url(key, request.format)
        else:
            for key, obj in request.models.__dict__.iteritems():
                if not key.startswith('_'):
                    if Document is not None:
                        try:
                            if issubclass(obj, Document):
-                                models[key] = request.fa_url(key, request.format)
+                                if has_permission('view', obj, request):
+                                    models[key] = request.fa_url(key, request.format)
                                continue
                        except:
                            pass
@@ -73,7 +76,8 @@ class ModelView(object):
                        continue
                    if not isinstance(obj, type):
                        continue
-                    models[key] = request.fa_url(key, request.format)
+                    if has_permission('view', obj, request):
+                        models[key] = request.fa_url(key, request.format)
        if kwargs.get('json'):
            return models
        return self.render(models=models)
@@ -123,7 +127,7 @@ class ModelView(object):
    def render_json_format(self, fs=None, **kwargs):
        request = self.request
        request.override_renderer = 'json'
-        if fs:
+        if fs is not None:
            try:
                fields = fs.jsonify()
            except AttributeError:
@@ -14,7 +14,7 @@ from sqlalchemy.orm import scoped_session
 from sqlalchemy.orm import sessionmaker

 from zope.sqlalchemy import ZopeTransactionExtension
-from pyramid.security import Allow, ALL_PERMISSIONS
+from pyramid.security import Allow, Authenticated, ALL_PERMISSIONS

 DBSession = scoped_session(sessionmaker(extension=ZopeTransactionExtension()))
 Base = declarative_base()
@@ -27,6 +27,12 @@ class MyModel(Base):

 class Foo(Base):
    __tablename__ = 'foo'
+    __acl__ = [
+            (Allow, 'admin', ALL_PERMISSIONS),
+            (Allow, Authenticated, 'view'),
+            (Allow, 'editor', 'edit'),
+            (Allow, 'manager', ('new', 'edit', 'delete')),
+        ]
    id = Column(Integer, primary_key=True)
    bar = Column(Unicode(255))