clarify permissions scheme for viewing reports & tighten up perms

beat/web/reports/views.py

@@ -33,6 +33,7 @@ from django.views.generic import TemplateView
 from django.contrib.auth.models import User
 from django.db.models import Q
 from django.db.models.functions import Coalesce
+from django.http import Http404
 
 from ..ui.templatetags.markup import restructuredtext
 
@@ -44,11 +45,26 @@ import simplejson as json
 #------------------------------------------------
 
 
+# Permissions for viewing a report is complicated:
+# 'E' means that the specific type of user may view the editable mode
+# of the report when the report is in the specified state.
+# 'V' is the same, but for the view-only mode
+# REPORT STATE:       | Editable  | Locked    | Published |
+# USER:               -------------------------------------
+# Author              | E, V      | V         | V         |
+# BEAT User           | V         | V         | V         |
+# Anon                |           | V         | V         |
+# Public Reports List |           |           | V         |
 def by_number(request, number):
-
     # get the query from the DB
     obj = get_object_or_404(Report, number=int(number))
 
+    isAnon = request.user.is_anonymous()
+
+    if obj.status == 'E' and isAnon:
+        # return 404
+        raise Http404('No %s matches the given query.' % Report._meta.object_name)
+
     return render_to_response('reports/report.html',
             {
                 'report_number' : number,
@@ -63,12 +79,16 @@ def by_number(request, number):
 
 
 def for_author(request, author_name, report_name):
-
     # get the query from the DB
     obj = get_object_or_404(Report,
             author__username = author_name,
             name = report_name)
 
+    isAuthor = request.user.username == obj.author.username
+
+    if not isAuthor:
+        # return 404
+        raise Http404('No %s matches the given query.' % Report._meta.object_name)
 
     return render_to_response('reports/report.html',
             {