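def move_thread(request, forum_slug, thread_id):
    """Move a thread to the forum named by the ``forum`` POST field.

    The thread is looked up inside the forum given by ``forum_slug``, so a
    thread id that belongs to another forum yields a 404.

    Raises:
        Http404: the source forum, the thread or the target forum is not
            found, the target id is malformed, or the user may not view
            either forum.
        PermissionDenied: the user may not post in the target forum, or
            lacks ``forums_forum.thread_move_forum`` on either forum.

    Returns an HttpResponseRedirect to the thread's URL after the move.
    """
    # NOTE(review): no decorators are visible on this view from here --
    # confirm it is restricted to authenticated POST requests.
    forum = get_object_or_404(Forum, slug=forum_slug)
    thread = get_object_or_404(Thread, pk=thread_id, forum=forum)
    user = request.user

    new_forum_id = request.POST.get("forum")
    try:
        new_forum = get_object_or_404(Forum, id=new_forum_id)
    except (TypeError, ValueError):
        # A non-numeric id makes the ORM's integer conversion raise, which
        # get_object_or_404 does not translate; answer 404 rather than 500.
        raise Http404

    # Don't admit that unviewable forums exist or allow escalation of privs by
    # moving things to a looser forum:
    if not (forum.allows_viewing_by(user) and new_forum.allows_viewing_by(user)):
        raise Http404

    # Don't allow the equivalent of posting here by posting elsewhere then
    # moving:
    if not new_forum.allows_posting_by(user):
        raise PermissionDenied

    # The move right is required on both ends, so holding it on one forum
    # does not let a user push threads into, or pull them out of, another.
    if not (
        has_perm(user, "forums_forum.thread_move_forum", new_forum)
        and has_perm(user, "forums_forum.thread_move_forum", forum)
    ):
        raise PermissionDenied

    # Audit record: pass the values as logging arguments (formatted only if
    # the record is emitted) and log the resolved primary key instead of the
    # raw request value.
    log.warning(
        "User %s is moving thread with id=%s to forum with id=%s",
        user,
        thread.id,
        new_forum.id,
    )
    thread.forum = new_forum
    thread.save()

    return HttpResponseRedirect(thread.get_absolute_url())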
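def move_thread(request, forum_slug, thread_id):
    """Move a thread to the forum named by the ``forum`` POST field.

    The thread is looked up inside the forum given by ``forum_slug``, so a
    thread id that belongs to another forum yields a 404.

    Raises:
        Http404: the source forum, the thread or the target forum is not
            found, the target id is malformed, or the user may not view
            either forum.
        PermissionDenied: the user may not post in the target forum, or
            lacks ``forums_forum.thread_move_forum`` on either forum.

    Returns an HttpResponseRedirect to the thread's URL after the move.
    """
    # NOTE(review): no decorators are visible on this view from here --
    # confirm it is restricted to authenticated POST requests.
    forum = get_object_or_404(Forum, slug=forum_slug)
    thread = get_object_or_404(Thread, pk=thread_id, forum=forum)
    user = request.user

    new_forum_id = request.POST.get('forum')
    try:
        new_forum = get_object_or_404(Forum, id=new_forum_id)
    except (TypeError, ValueError):
        # A non-numeric id makes the ORM's integer conversion raise, which
        # get_object_or_404 does not translate; answer 404 rather than 500.
        raise Http404

    # Don't admit that unviewable forums exist or allow escalation of privs by
    # moving things to a looser forum:
    if not (forum.allows_viewing_by(user) and new_forum.allows_viewing_by(user)):
        raise Http404

    # Don't allow the equivalent of posting here by posting elsewhere then
    # moving:
    if not new_forum.allows_posting_by(user):
        raise PermissionDenied

    # The move right is required on both ends, so holding it on one forum
    # does not let a user push threads into, or pull them out of, another.
    if not (
        has_perm(user, 'forums_forum.thread_move_forum', new_forum)
        and has_perm(user, 'forums_forum.thread_move_forum', forum)
    ):
        raise PermissionDenied

    # Audit record: pass the values as logging arguments (formatted only if
    # the record is emitted) and log the resolved primary key instead of the
    # raw request value.
    log.warning(
        'User %s is moving thread with id=%s to forum with id=%s',
        user,
        thread.id,
        new_forum.id,
    )
    thread.forum = new_forum
    thread.save()

    return HttpResponseRedirect(thread.get_absolute_url())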
def test_has_perm_per_object(self):
    """A permission granted on one forum must not carry over to another.

    Two restricted forums are created and the user receives
    ``forums_forum.view_in_forum`` on the first only; access.has_perm has to
    accept the first forum and reject the second.
    """
    from kitsune.forums.tests import RestrictedForumFactory

    granted_forum = RestrictedForumFactory()
    other_forum = RestrictedForumFactory()

    member = UserFactory()
    codename = "forums_forum.view_in_forum"

    # The grant is bound to granted_forum's id, not to the Forum model as a
    # whole.
    PermissionFactory(
        codename=codename,
        content_type=ContentType.objects.get_for_model(granted_forum),
        object_id=granted_forum.id,
        user=member,
    )

    assert access.has_perm(member, codename, granted_forum)
    # Negative case: the same codename on a different object must be refused.
    assert not access.has_perm(member, codename, other_forum)
def has_perm(context, perm, obj):
    """Report whether the requesting user holds ``perm`` on ``obj``.

    The user is read from ``context['request']`` and the decision is
    delegated to access.has_perm, whose result is returned unchanged.
    """
    requesting_user = context['request'].user
    return access.has_perm(requesting_user, perm, obj)
def has_perm(context, perm, obj):
    """Report whether the requesting user holds ``perm`` on ``obj``.

    The user is read from ``context['request']`` and the decision is
    delegated to access.has_perm, whose result is returned unchanged.
    """
    requesting_user = context['request'].user
    return access.has_perm(requesting_user, perm, obj)
def test_admin_perm_thread(self):
    """A staff superuser passes every listed forum permission check.

    No per-object grant is created, so each assertion relies on the
    superuser status alone, on both restricted forums.
    """
    from kitsune.forums.tests import RestrictedForumFactory

    first_forum = RestrictedForumFactory()
    second_forum = RestrictedForumFactory()
    admin = UserFactory(is_staff=True, is_superuser=True)

    # NOTE(review): this list has no entry for thread_move_forum or
    # post_in_forum -- confirm whether they are covered by another test.
    codenames = (
        'thread_edit_forum',
        'thread_delete_forum',
        'post_edit_forum',
        'thread_sticky_forum',
        'thread_locked_forum',
        'post_delete_forum',
        'view_in_forum',
    )

    for codename in codenames:
        qualified = 'forums_forum.' + codename
        for forum in (first_forum, second_forum):
            assert access.has_perm(admin, qualified, forum)
def allows_posting_by(self, user):
    """Tell whether ``user`` may create threads and posts in this forum.

    Public posting is checked first; the per-object
    ``forums_forum.post_in_forum`` permission is consulted only when that
    check is falsy.
    """
    public = self._allows_public_posting()
    if public:
        # Return the check's own value, as the ``or`` form would.
        return public
    return has_perm(user, "forums_forum.post_in_forum", self)
def allows_viewing_by(self, user):
    """Tell whether ``user`` may see this forum, its threads and their posts.

    Public viewing is checked first; the per-object
    ``forums_forum.view_in_forum`` permission is consulted only when that
    check is falsy.
    """
    public = self._allows_public_viewing()
    if public:
        # Return the check's own value, as the ``or`` form would.
        return public
    return has_perm(user, "forums_forum.view_in_forum", self)