def move_thread(request, forum_slug, thread_id):
"""Move a thread."""
forum = get_object_or_404(Forum, slug=forum_slug)
thread = get_object_or_404(Thread, pk=thread_id, forum=forum)
user = request.user
new_forum_id = request.POST.get('forum')
new_forum = get_object_or_404(Forum, id=new_forum_id)
# Don't admit that unviewable forums exist or allow escalation of privs by
# moving things to a looser forum:
if not (forum.allows_viewing_by(user) and
new_forum.allows_viewing_by(user)):
raise Http404
# Don't allow the equivalent of posting here by posting elsewhere then
# moving:
if not new_forum.allows_posting_by(user):
raise PermissionDenied
if not (has_perm(user, 'forums_forum.thread_move_forum', new_forum) and
has_perm(user, 'forums_forum.thread_move_forum', forum)):
raise PermissionDenied
log.warning('User %s is moving thread with id=%s to forum with id=%s' %
(user, thread.id, new_forum_id))
thread.forum = new_forum
thread.save()
return HttpResponseRedirect(thread.get_absolute_url())
def has_perm(context, perm, obj):
"""
Check if the user has a permission on a specific object.
Returns boolean.
"""
return access.has_perm(context['request'].user, perm, obj)
def test_admin_perm_thread(self):
"""Super user can do anything on any forum."""
admin = User.objects.get(pk=1)
# Loop over all forums perms and both forums
perms = ('thread_edit_forum', 'thread_delete_forum', 'post_edit_forum',
'thread_sticky_forum', 'thread_locked_forum',
'post_delete_forum')
forums = (self.forum_1, self.forum_2)
for perm in perms:
for forum in forums:
assert access.has_perm(admin, 'forums_forum.' + perm, forum)
def test_admin_perm_thread(self):
"""Super user can do anything on any forum."""
admin = User.objects.get(pk=1)
# Loop over all forums perms and both forums
perms = ('thread_edit_forum', 'thread_delete_forum', 'post_edit_forum',
'thread_sticky_forum', 'thread_locked_forum',
'post_delete_forum')
forums = (self.forum_1, self.forum_2)
for perm in perms:
for forum in forums:
assert access.has_perm(admin, 'forums_forum.' + perm, forum)
def allows_posting_by(self, user):
"""Return whether a user can make threads and posts in me."""
return (self._allows_public_posting() or
has_perm(user, 'forums_forum.post_in_forum', self))
def allows_viewing_by(self, user):
"""Return whether a user can view me, my threads, and their posts."""
return (self._allows_public_viewing() or
has_perm(user, 'forums_forum.view_in_forum', self))
def allows_posting_by(self, user):
"""Return whether a user can make threads and posts in me."""
return (self._allows_public_posting()
or has_perm(user, 'forums_forum.post_in_forum', self))
def allows_viewing_by(self, user):
"""Return whether a user can view me, my threads, and their posts."""
return (self._allows_public_viewing()
or has_perm(user, 'forums_forum.view_in_forum', self))
def test_has_perm_per_object(self):
"""Assert has_perm checks per-object permissions correctly."""
user = User.objects.get(pk=47963)
perm = 'forums_forum.thread_edit_forum'
assert access.has_perm(user, perm, self.forum_1)
assert not access.has_perm(user, perm, self.forum_2)
def test_has_perm_per_object(self):
"""Assert has_perm checks per-object permissions correctly."""
user = User.objects.get(pk=47963)
perm = 'forums_forum.thread_edit_forum'
assert access.has_perm(user, perm, self.forum_1)
assert not access.has_perm(user, perm, self.forum_2)
