class TestCommentAccess(DatabaseTestCase):
def setUp(self):
self.manager = AccessManager()
users_usual(self)
table_simple(self)
comment_simple(self)
super(TestCommentAccess, self).setUp()
def test_any_logged_user_can_comment(self):
self.assert_true(self.manager.has_comment_create(
user = self.user_tester,
table = self.table,
))
def test_table_owner_can_delete_comment(self):
self.assert_true(self.manager.has_comment_delete(
user = self.user_tester,
comment = self.comment_doe,
))
def test_common_user_cannot_delete_comment(self):
self.assert_false(self.manager.has_comment_delete(
user = self.user_john_doe,
comment = self.comment_owner,
))
def setUp(self):
self.manager = AccessManager()
users_usual(self)
table_simple(self)
comment_simple(self)
super(TestCommentAccess, self).setUp()
def setUp(self):
self.manager = AccessManager()
users_usual(self)
user_super(self)
table_simple(self)
comment_simple(self)
super(TestAccessHandling, self).setUp()
class TestAccessHandling(DatabaseTestCase):
def setUp(self):
self.manager = AccessManager()
users_usual(self)
user_super(self)
table_simple(self)
comment_simple(self)
super(TestAccessHandling, self).setUp()
def test_missing_context(self):
self.assert_raises(InsufficientContextError, self.manager.has_comment_create)
def test_superuser_always_privileged(self):
self.manager.update_context({
"table" : self.table,
"category" : self.category,
"user" : self.user_super,
})
self.assert_true(self.manager.has_comment_create())
self.assert_true(self.manager.has_comment_delete(comment=self.comment_doe))
self.assert_true(self.manager.has_table_read())
def table(request, category, table):
category = get_object_or_404(Category, slug=category)
table = get_object_or_404(Table, slug=table)
access_manager = AccessManager(context={
"user" : request.user,
"table" : table,
"category" : category,
})
comment_forms = None
form = None
if not access_manager.has_table_read():
c = RequestContext(request, {
"message" : "You have not enough privileges to read this table."
})
t = loader.get_template("esus/forbidden.html")
return HttpResponseForbidden(t.render(c))
#return HttpResponseForbidden(_("You have not enough privileges to read this table."))
if request.method == "POST":
# TODO: Abstract this logic into something more sensible, some kind of
# action dispatcher would be nice
if request.POST.has_key(u"Odeslat"):
form = CommentCreationForm(request.POST)
if form.is_valid():
# posting new message
if not access_manager.has_comment_create():
return HttpResponseForbidden()
table.add_comment(
text = form.cleaned_data['text'],
author = request.user,
)
#TODO: Redirect to self avoid multiple posts
form = CommentCreationForm()
elif request.POST.has_key(u'control-action') \
and request.POST[u'control-action']:
comment_forms = formset_factory(CommentControlForm, can_delete=True)(request.POST)
if comment_forms.is_valid():
for comm_form in comment_forms.deleted_forms:
comment = Comment.objects.get(pk=comm_form.cleaned_data['pk'])
if access_manager.has_comment_delete(comment=comment):
comment.delete()
else:
#TODO: Display message or pass silently?
pass
comment_forms = None
comments = Comment.objects.filter(table=table).order_by('-date')
if not comment_forms:
comment_forms = formset_factory(CommentControlForm, can_delete=True)(
initial = [
{'pk' : comment.pk} for comment in comments
]
)
if not form:
form = CommentCreationForm()
return direct_to_template(request, "esus/table.html", {
"category" : category,
"table" : table,
"form" : form,
"formset" : comment_forms,
"comments" : zip(comments, comment_forms.forms),
'access' : access_manager,
})
def table_settings_access(request, category, table):
category = get_object_or_404(Category, slug=category)
table = get_object_or_404(Table, slug=table)
access_manager = AccessManager(context={
"user" : request.user,
"table" : table,
"category" : category,
})
if not access_manager.has_table_access_modify():
return HttpResponseForbidden()
new_user_form = None
users_form = None
if request.method == "POST":
# found a better way to dispatch, as for table
if request.POST.has_key(u"new_user_form"):
new_user_form = NewUserForm(request.POST)
if new_user_form.is_valid():
#FIXME
user = User.objects.get(username=new_user_form.cleaned_data['username'])
if len(TableAccess.objects.filter(table=table, user=user)) == 0:
table.add_user_access(
user = user,
)
new_user_form = None
elif request.POST.has_key(u"users_form"):
users_form = formset_factory(TableAccessForm, can_delete=True, extra=0)(request.POST)
if users_form.is_valid():
try:
for access_form in users_form.deleted_forms:
TableAccess.objects.get(
user = User.objects.get(username=access_form.cleaned_data['username']),
table = table
).delete()
for access_form in users_form.forms:
access = TableAccess.objects.get(
user = User.objects.get(username=access_form.cleaned_data['username']),
table = table
)
access.access_type = TableAccessManager.compute_named_access(
access_form.get_access_names()
)
access.save()
except (TableAccess.DoesNotExist, User.DoesNotExist):
raise ValueError(access_form.cleaned_data['username'])
users_form = None
public_form = PublicTableAccessForm({
'is_public' : table.is_public,
'can_read' : True,
'can_write' : True,
})
users_form = formset_factory(TableAccessForm, can_delete=True, extra=0)(
initial = [
{
"username" : access.user.username,
"can_read" : access.can_read(),
"can_write" : access.can_write(),
"can_delete" : access.can_delete(),
}
for access in table.get_special_accesses()
]
)
if not new_user_form:
new_user_form = NewUserForm()
return direct_to_template(request, "esus/table_access.html", {
"category" : category,
"table" : table,
"public_form" : public_form,
"users_form" : users_form,
"new_user_form" : new_user_form,
'access' : access_manager,
})
def table(request, category, table, from_pk=None, page_number=None):
category = get_object_or_404(Category, slug=category)
table = get_object_or_404(Table, slug=table)
try:
page_number = int(page_number)
except TypeError:
page_number = 1
access_manager = AccessManager(context={"user": request.user, "table": table, "category": category})
comment_forms = None
form = None
if not access_manager.has_table_read():
c = RequestContext(request, {"message": "You have not enough privileges to read this table."})
t = loader.get_template("esus/forbidden.html")
return HttpResponseForbidden(t.render(c))
# return HttpResponseForbidden(_("You have not enough privileges to read this table."))
if request.method == "POST":
# TODO: Abstract this logic into something more sensible, some kind of
# action dispatcher would be nice
if request.POST.has_key(u"odeslat"):
form = CommentCreationForm(request.POST)
if form.is_valid():
# posting new message
if not access_manager.has_comment_create():
return HttpResponseForbidden()
table.add_comment(text=form.cleaned_data["text"], author=request.user)
return HttpResponseRedirect(
reverse("esus-phorum-table", kwargs={"category": category.slug, "table": table.slug})
)
form = CommentCreationForm()
elif request.POST.has_key(u"control-action") and request.POST[u"control-action"]:
comment_forms = formset_factory(CommentControlForm, can_delete=True)(request.POST)
if comment_forms.is_valid():
for comm_form in comment_forms.deleted_forms:
comment = Comment.objects.get(pk=comm_form.cleaned_data["pk"])
if access_manager.has_comment_delete(comment=comment):
comment.delete()
else:
# TODO: Display message or pass silently?
pass
comment_forms = None
# skip is costly, so pagination is done via range query trick
# we could either depend on timestap not containing duplicities or on the
# fact that ID is always-increasing positive integer.
# because so many things in Django rely on PositiveIntegerField, I'd go for it;
# when we switch to non-RDBMS backend, those strategies shall be reversed.
# To be stateless, URI must also contain of the next_page as well as "page number"
# parameter
on_page = getattr(settings, "ESUS_DEFAULT_COMMENTS_ON_PAGE", 10)
# list() querysets directly to support negative indexing fun, and we're
# zipping it later in memory anyway
if not from_pk:
comments = list(Comment.objects.filter(table=table).order_by("-date")[: on_page + 1])
else:
comments = list(Comment.objects.filter(table=table, id__lte=from_pk).order_by("-date")[: on_page + 1])
if len(comments) > on_page:
next_page_pk = comments[-1:][0].pk
comments = comments[:-1]
else:
next_page_pk = None
if request.is_ajax():
return serialize({"comments": comments, "page_number": str(page_number), "next_page_pk": next_page_pk})
if not comment_forms:
comment_forms = formset_factory(CommentControlForm, can_delete=True)(
initial=[{"pk": comment.pk} for comment in comments]
)
if not form:
form = CommentCreationForm()
return direct_to_template(
request,
"esus/table.html",
{
"category": category,
"table": table,
"form": form,
"formset": comment_forms,
"comments": zip(comments, comment_forms.forms),
"access": access_manager,
"next_page_pk": next_page_pk,
"page_number": page_number,
"next_page_number": page_number + 1,
},
)
