If the ACL for a locker isn't accessible, assume it's empty (closes #82)
[invirt/packages/invirt-web.git] / code / webcommon.py
index e82f790..9052a4e 100644 (file)
@@ -1,6 +1,7 @@
 """Exceptions for the web interface."""
 
 import time
+from invirt import database
 from invirt.database import Machine, MachineAccess
 
 class MyException(Exception):
@@ -44,9 +45,11 @@ class State(object):
 
     def getMachines(self):
         if self.isadmin:
-            return Machine.select()
+            return Machine.query().join('acl').filter_by(
+                database.or_(MachineAccess.c.user == self.username,
+                             Machine.c.adminable == True))
         else:
-            return Machine.query().join('acl').select_by(user=self.username)
+            return Machine.query().join('acl').filter_by(user=self.username)
 
     machines = cachedproperty(getMachines)
     xmlist_raw = cachedproperty(lambda self: controls.getList())
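Review bot: In the admin branch of `getMachines`, the inner `join('acl')` runs before the `or_` condition, so a machine with `adminable == True` but no ACL rows is dropped by the join and an administrator would not see it. The same call passes a clause expression positionally to `filter_by`, which in most SQLAlchemy releases accepts only keyword equality tests; whether this works depends on the version pinned here, which the hunk does not show. If adminable machines with an empty ACL should be listed, I would write `Machine.query().outerjoin('acl').filter(database.or_(MachineAccess.c.user == self.username, Machine.c.adminable == True))`, provided `outerjoin` is available in that version. Since this query is the authorization boundary for what an admin session can list, a short comment such as `# admins see machines they are on the ACL for, plus any machine flagged adminable` would make the narrowing from the old "all machines" behaviour explicit.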