From 9491d6822783f372a3f3fca92c7142bf48b4d830 Mon Sep 17 00:00:00 2001
From: j <0x006A@0x2620.org>
Date: Tue, 23 Jul 2013 11:38:50 +0000
Subject: [PATCH] rendered items should only be available to users that can edit them, fixes #1197
---
 pandora/item/managers.py | 12 +++++++++---
 pandora/item/models.py | 7 ++++++-
 2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/pandora/item/managers.py b/pandora/item/managers.py
index 4ced3904..7b383ec4 100644
--- a/pandora/item/managers.py
+++ b/pandora/item/managers.py
@@ -313,14 +313,20 @@ class ItemManager(Manager):
 #anonymous can only see public items
 if not user or user.is_anonymous():
- allowed_level = settings.CONFIG['capabilities']['canSeeItem']['guest']
+ level = 'guest'
+ allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level]
 qs = qs.filter(level__lte=allowed_level)
+ rendered_q = Q(rendered=True)
 #users can see public items, there own items and items of there groups
 else:
- allowed_level = settings.CONFIG['capabilities']['canSeeItem'][user.get_profile().get_level()]
+ level = user.get_profile().get_level()
+ allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level]
 q = Q(level__lte=allowed_level)|Q(user=user)
+ rendered_q = Q(rendered=True)|Q(user=user)
 if user.groups.count():
 q |= Q(groups__in=user.groups.all())
+ rendered_q |= Q(groups__in=user.groups.all())
 qs = qs.filter(q)
- #admins can see all available items
+ if settings.CONFIG.get('itemRequiresVideo') and level != 'admin':
+ qs = qs.filter(rendered_q)
 return qs
diff --git a/pandora/item/models.py b/pandora/item/models.py
index 021ab5c0..ae7d55e1 100644
--- a/pandora/item/models.py
+++ b/pandora/item/models.py
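Review bot: The rule for unrendered items is spelled out here as owner, group membership or `level != 'admin'`, while `Item.accessible()` in pandora/item/models.py answers the same question with `self.editable(user)`, whose body is not part of this patch. If `editable()` grants rights on any other basis, list queries and per-item checks will disagree about who may see an unrendered item, so the two should share one predicate or at least be tied together by a comment. The removed `#admins can see all available items` comment is also not replaced; I would put `# unrendered items are limited to owner, group members and admins; keep in sync with Item.editable()` above the `if settings.CONFIG.get('itemRequiresVideo') and level != 'admin':` line. The enclosing manager method starts outside the hunk.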
@@ -194,10 +194,15 @@ class Item(models.Model):
 level = 'guest'
 else:
 level = user.get_profile().get_level()
+ editable = self.editable(user)
+ if editable:
+ return True
+ if not self.rendered and settings.CONFIG.get('itemRequiresVideo'):
+ return False
 allowed_level = settings.CONFIG['capabilities']['canSeeItem'][level]
 if self.level <= allowed_level:
 return True
- return self.editable(user)
+ return False
 def editable(self, user):
 if user.is_anonymous():
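Review bot: `self.editable(user)` now runs at the top of every call, ahead of the level check, where before it was only the fallback when the level check failed. The visible start of `editable()` calls `user.is_anonymous()` unguarded, and the manager changed in this same commit accepts a falsy user (`if not user or user.is_anonymous()`); the guard at the top of this method is outside the hunk, so whether `None` can reach it needs confirming. The same decisions can be kept while evaluating `editable()` only where its answer matters: `if not self.rendered and settings.CONFIG.get('itemRequiresVideo'): return self.editable(user)`, with the final line left as `return self.editable(user)`. A regression test for a guest requesting an unrendered item at a public level would pin the behaviour the commit title promises.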