Now unauthorized users can view documents only for open projects.
Now unauthorized users can view documents only for open projects.
diff --git a/mgmt/documents_views.py b/mgmt/documents_views.py
index 0dc01c6..ffe9c14 100644
--- a/mgmt/documents_views.py
+++ b/mgmt/documents_views.py
@@ -7,16 +7,16 @@ from models import *
from rights import can
from forms import CommentForm,DocForm
+@check_auth(Project,'view')
@render_to('project_docs.html')
-def project_documents(request,id):
- project = Project.objects.get(pk=id)
+def project_documents(request,project):
cats = Category.objects.filter(document__project=project).distinct()
return {'project': project,
'categories': cats}
+@check_auth(Document,'view')
@render_to('document.html')
-def one_document(request,id):
- doc = Document.objects.get(pk=id)
+def one_document(request,doc):
if can(request.user,'comment'):
form = CommentForm()
else:
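Review bot: `check_auth` decorates both views, but the imports visible at the top of this hunk only bring in `can` from `rights`; the hunk starts at line 7 of the file, so unless the name is imported above that or arrives through `from models import *`, the module fails with a NameError on load. The decorator also replaces `Project.objects.get(pk=id)` and `Document.objects.get(pk=id)`, which makes it the only place that handles a missing pk. It is worth confirming that it answers a nonexistent document and a document in a closed project the same way, so the response does not reveal which ids exist. A short comment on each view, such as `# check_auth resolves the pk to the model instance and enforces can(user,'view',obj)`, would record that contract (presumed from this diff; confirm against the decorator). `one_document` continues past the end of the hunk.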
diff --git a/mgmt/rights.py b/mgmt/rights.py
index ce0dd11..8db62ea 100644
--- a/mgmt/rights.py
+++ b/mgmt/rights.py
@@ -24,6 +24,8 @@ def can(user,action,object=None,target=None):
if action == 'view':
if cls == 'Project':
return object.open or user.is_authenticated()
+ if cls == 'Document':
+ return object.project.open or user.is_authenticated()
if action == 'edit':
if cls == 'Project':
return user in object.admins.iterator()
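Review bot: The new `Document` branch lets any logged-in account view documents of a closed project, because `user.is_authenticated()` checks authentication only and nothing here ties the user to `object.project`. The commit title speaks of unauthorized users, so if account sign-up is open the restriction is weaker than it reads. The branch also duplicates the `Project` rule, so a later tightening of one can miss the other; assuming `cls` is derived from the class of `object` (not visible in this hunk), `return can(user,'view',object.project)` would keep the two in step. If `Document.project` can be null, `object.project.open` raises AttributeError instead of denying, so a guard or a comment stating that the field is required would help. `can` starts above the hunk and continues below it.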