Ejemplo n.º 1
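def serve_attachment(request, path, app_label, model_name, pk):
    """
    Serve media/ for authorized users only, since it can contain sensitive
    information (uploaded documents).

    The object named by ``app_label``/``model_name``/``pk`` is loaded and,
    unless it reports itself public, the requesting user must be
    authenticated and hold both the attachment read permission and the
    model's ``read_<model_name>`` permission.

    Raises ``Http404`` for an unknown model, a model that is not a
    ``MapEntityMixin`` subclass, a missing object, or a ``path`` that is
    absolute or climbs out of the media tree. Raises ``PermissionDenied``
    when any of the permission checks fails.
    """
    try:
        model = apps.get_model(app_label, model_name)
    except LookupError:
        raise Http404
    if not issubclass(model, mapentity_models.MapEntityMixin):
        raise Http404
    obj = get_object_or_404(model, pk=pk)
    if not obj.is_public():
        if not request.user.is_authenticated():
            raise PermissionDenied
        if not request.user.has_perm(get_attachment_permission('read')):
            raise PermissionDenied
        if not request.user.has_perm('{}.read_{}'.format(app_label, model_name)):
            raise PermissionDenied

    # NOTE(review): the checks above authorize access to `obj`, but nothing
    # visible in this function verifies that `path` is one of obj's
    # attachments, so the authorization decision is not bound to the file
    # being served. Confirm the binding is enforced elsewhere, or look the
    # attachment up by its file path and authorize against its owner.

    # os.path.join() below discards MEDIA_URL_SECURE when its second argument
    # is absolute, and ".." segments would be forwarded unchanged in the
    # sendfile header, so refuse both before building the response.
    normalized = os.path.normpath(path)
    if (os.path.isabs(path) or normalized == os.pardir
            or normalized.startswith(os.pardir + os.sep)):
        raise Http404

    content_type, encoding = mimetypes.guess_type(path)

    if settings.DEBUG:
        response = static.serve(request, path, settings.MEDIA_ROOT)
    else:
        # Outside DEBUG the body stays empty: the front-end web server is
        # expected to act on the configured sendfile header.
        response = HttpResponse()
        response[app_settings['SENDFILE_HTTP_HEADER']] = os.path.join(settings.MEDIA_URL_SECURE, path)
    response["Content-Type"] = content_type or 'application/octet-stream'
    if encoding:
        response["Content-Encoding"] = encoding
    if app_settings['SERVE_MEDIA_AS_ATTACHMENT']:
        # Quote the filename and escape backslashes and double quotes, so
        # names containing spaces, semicolons or quotes are not misparsed.
        filename = os.path.basename(path).replace('\\', '\\\\').replace('"', '\\"')
        response['Content-Disposition'] = 'attachment; filename="{0}"'.format(filename)
    return response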
Ejemplo n.º 2
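def serve_attachment(request, path):
    """
    Serve media/ for authorized users only, since it can contain sensitive
    information (uploaded documents).

    The attachment record is looked up from ``path`` itself, so the
    permission checks are made against the object that owns the requested
    file. Unless that object reports itself public, the user must be
    authenticated and hold both the attachment read permission and the
    owning model's ``read_<model_name>`` permission.

    Raises ``Http404`` when no attachment matches the path, when the
    attachment has no resolvable owner, or when the owner is not a
    ``MapEntityMixin`` subclass. Raises ``PermissionDenied`` when any of the
    permission checks fails.
    """
    # Strip a trailing ".<W>x<H>_q<N>[_crop].<ext>" suffix so a derived image
    # path resolves to the attachment record of the file it was made from.
    original_path = re.sub(r'\.\d+x\d+_q\d+(_crop)?\.(jpg|png|jpeg)$', '', path, count=1, flags=re.IGNORECASE)
    attachment = get_object_or_404(get_attachment_model(), attachment_file=original_path)
    obj = attachment.content_object
    # presumably content_object is a generic relation that yields None when
    # its target no longer exists -- treat that as "not found" instead of
    # failing on obj._meta below.
    if obj is None:
        raise Http404
    if not issubclass(obj._meta.model, mapentity_models.MapEntityMixin):
        raise Http404
    if not obj.is_public():
        if not request.user.is_authenticated:
            raise PermissionDenied
        if not request.user.has_perm(get_attachment_permission('read_attachment')):
            raise PermissionDenied
        if not request.user.has_perm('{}.read_{}'.format(obj._meta.app_label, obj._meta.model_name)):
            raise PermissionDenied

    content_type, encoding = mimetypes.guess_type(path)

    if settings.DEBUG:
        response = static.serve(request, path, settings.MEDIA_ROOT)
    else:
        # Outside DEBUG the body stays empty: the front-end web server is
        # expected to act on the configured sendfile header.
        response = HttpResponse()
        response[app_settings['SENDFILE_HTTP_HEADER']] = os.path.join(settings.MEDIA_URL_SECURE, path)
    response["Content-Type"] = content_type or 'application/octet-stream'
    if encoding:
        response["Content-Encoding"] = encoding
    if app_settings['SERVE_MEDIA_AS_ATTACHMENT']:
        # Quote the filename and escape backslashes and double quotes, so
        # names containing spaces, semicolons or quotes are not misparsed.
        filename = os.path.basename(path).replace('\\', '\\\\').replace('"', '\\"')
        response['Content-Disposition'] = 'attachment; filename="{0}"'.format(filename)
    return response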
Ejemplo n.º 3
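def delete_attachment(request, attachment_pk):
    """Delete an attachment when the user is allowed to, then redirect.

    Deletion is allowed for the attachment's creator and for users holding
    the ``delete_attachment_others`` permission. When
    ``PAPERCLIP_ACTION_HISTORY_ENABLED`` is set, the removal is recorded as a
    CHANGE log entry on the object the attachment belonged to. A success or
    error message is queued either way, and the response redirects to the
    ``next`` query parameter if it points at this host, else to ``/``.

    Raises ``Http404`` (via ``get_object_or_404``) when the attachment does
    not exist.
    """
    # Imported here so the redirect check does not depend on the module's
    # import block. Newer Django releases name the helper
    # url_has_allowed_host_and_scheme; older ones call it is_safe_url.
    try:
        from django.utils.http import url_has_allowed_host_and_scheme as _is_safe_url
    except ImportError:
        from django.utils.http import is_safe_url as _is_safe_url

    # NOTE(review): no HTTP-method restriction is visible on this view in the
    # snippet. If it is reachable with GET, the deletion is exposed to
    # cross-site request forgery -- confirm the decorators and URL config.
    g = get_object_or_404(settings.get_attachment_model(), pk=attachment_pk)
    can_delete = (
        request.user.has_perm(settings.get_attachment_permission('delete_attachment_others')) or
        request.user == g.creator)
    if can_delete:
        g.delete()
        if settings.PAPERCLIP_ACTION_HISTORY_ENABLED:
            # The in-memory instance still carries its field values after
            # delete(), so they can be used for the audit entry.
            LogEntry.objects.log_action(
                user_id=request.user.pk,
                content_type_id=g.content_type.id,
                object_id=g.object_id,
                object_repr=force_text(g.content_object),
                action_flag=CHANGE,
                change_message=_('Remove attachment %s') % g.title,
            )
        messages.success(request, _('Your attachment was deleted.'))
    else:
        messages.error(request, _('You are not allowed to delete this attachment.'))

    # `next` comes straight from the query string. Redirecting to it without
    # validation would let a crafted link forward the user to another site
    # (open redirect), so only same-host targets are honoured. The host is
    # passed positionally because the keyword name differs across releases.
    next_url = request.GET.get('next', '/')
    if not _is_safe_url(next_url, request.get_host()):
        next_url = '/'
    return HttpResponseRedirect(next_url)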
Ejemplo n.º 4
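def delete_attachment(request, attachment_pk):
    """Delete an attachment when the user is allowed to, then redirect.

    The attachment's creator may delete it, as may any user holding the
    ``delete_attachment_others`` permission. With
    ``PAPERCLIP_ACTION_HISTORY_ENABLED`` set, the removal is written to the
    admin log as a CHANGE on the owning object. The user gets a success or
    error message, and is redirected to the ``next`` query parameter when it
    targets this host, otherwise to ``/``.

    Raises ``Http404`` (via ``get_object_or_404``) for an unknown attachment.
    """
    # Function-scope import: keeps the redirect validation independent of the
    # module's import block and works under either name of the Django helper.
    try:
        from django.utils.http import url_has_allowed_host_and_scheme as _is_safe_url
    except ImportError:
        from django.utils.http import is_safe_url as _is_safe_url

    # NOTE(review): the snippet shows no require_POST or similar decorator.
    # A state-changing view reachable by GET is exposed to cross-site request
    # forgery -- confirm how this view is wired.
    g = get_object_or_404(settings.get_attachment_model(), pk=attachment_pk)
    can_delete = (request.user.has_perm(
        settings.get_attachment_permission('delete_attachment_others'))
                  or request.user == g.creator)
    if can_delete:
        g.delete()
        if settings.PAPERCLIP_ACTION_HISTORY_ENABLED:
            # Field values remain on the instance after delete(), which is
            # what allows the log entry to be built from `g` here.
            LogEntry.objects.log_action(
                user_id=request.user.pk,
                content_type_id=g.content_type.id,
                object_id=g.object_id,
                object_repr=force_text(g.content_object),
                action_flag=CHANGE,
                change_message=_('Remove attachment %s') % g.title,
            )
        messages.success(request, _('Your attachment was deleted.'))
    else:
        messages.error(request, _('You are not allowed to delete this attachment.'))

    # The redirect target is user-controlled. Accept it only when it stays on
    # the requesting host; anything else falls back to the site root, which
    # closes the open redirect. The host goes in positionally because the
    # keyword name changed between Django releases.
    next_url = request.GET.get('next', '/')
    if not _is_safe_url(next_url, request.get_host()):
        next_url = '/'
    return HttpResponseRedirect(next_url)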
Ejemplo n.º 5
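def serve_attachment(request, path, app_label, model_name, pk):
    """
    Serve media/ for authorized users only, since it can contain sensitive
    information (uploaded documents).

    The object named by ``app_label``/``model_name``/``pk`` is loaded and,
    unless it reports itself public, the requesting user must be
    authenticated and hold both the attachment read permission and the
    model's ``read_<model_name>`` permission.

    Raises ``Http404`` for an unknown model, a model that is not a
    ``MapEntityMixin`` subclass, a missing object, or a ``path`` that is
    absolute or climbs out of the media tree. Raises ``PermissionDenied``
    when any of the permission checks fails.
    """
    try:
        model = apps.get_model(app_label, model_name)
    except LookupError:
        raise Http404
    if not issubclass(model, mapentity_models.MapEntityMixin):
        raise Http404
    obj = get_object_or_404(model, pk=pk)
    if not obj.is_public():
        if not request.user.is_authenticated():
            raise PermissionDenied
        if not request.user.has_perm(get_attachment_permission('read')):
            raise PermissionDenied
        if not request.user.has_perm('{}.read_{}'.format(
                app_label, model_name)):
            raise PermissionDenied

    # NOTE(review): authorization is decided for `obj`, yet nothing visible
    # here ties `path` to obj's own attachments, so the file served is not
    # covered by the check that was just made. Confirm the binding exists
    # elsewhere, or resolve the attachment from its file path and authorize
    # against the object that owns it.

    # An absolute `path` makes os.path.join() below drop MEDIA_URL_SECURE,
    # and ".." segments would reach the web server unchanged through the
    # sendfile header; reject both.
    normalized = os.path.normpath(path)
    if (os.path.isabs(path) or normalized == os.pardir
            or normalized.startswith(os.pardir + os.sep)):
        raise Http404

    content_type, encoding = mimetypes.guess_type(path)

    if settings.DEBUG:
        response = static.serve(request, path, settings.MEDIA_ROOT)
    else:
        # Empty body on purpose: the front-end web server is expected to act
        # on the configured sendfile header.
        response = HttpResponse()
        response[app_settings['SENDFILE_HTTP_HEADER']] = os.path.join(
            settings.MEDIA_URL_SECURE, path)
    response["Content-Type"] = content_type or 'application/octet-stream'
    if encoding:
        response["Content-Encoding"] = encoding
    if app_settings['SERVE_MEDIA_AS_ATTACHMENT']:
        # Quoted-string form with backslashes and double quotes escaped, so
        # names with spaces, semicolons or quotes are not misparsed.
        filename = os.path.basename(path).replace('\\', '\\\\').replace('"', '\\"')
        response['Content-Disposition'] = 'attachment; filename="{0}"'.format(
            filename)
    return response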
Ejemplo n.º 6
def delete_attachment_others(perms):
    """Return whether the permission name that the paperclip settings give
    for ``'delete_attachment_others'`` is contained in *perms*."""
    return settings.get_attachment_permission('delete_attachment_others') in perms
Ejemplo n.º 7
def change_attachment(perms):
    """Return whether the permission name that the paperclip settings give
    for ``'change_attachment'`` is contained in *perms*."""
    return settings.get_attachment_permission('change_attachment') in perms
Ejemplo n.º 8
def add_attachment(perms):
    """Return whether the permission name that the paperclip settings give
    for ``'add_attachment'`` is contained in *perms*."""
    return settings.get_attachment_permission('add_attachment') in perms
Ejemplo n.º 9
from django.http import HttpResponseRedirect, HttpResponse, Http404, JsonResponse
from django.apps import apps
from django.utils.encoding import force_text
from django.utils.translation import ugettext_lazy as _
from django.template import RequestContext, Template
from django.contrib.admin.models import LogEntry, CHANGE
from django.contrib.auth.decorators import permission_required
from django.contrib.contenttypes.models import ContentType
from django.contrib import messages

from paperclip import settings
from .forms import AttachmentForm


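@require_POST
@permission_required(settings.get_attachment_permission('add_attachment'),
                     raise_exception=True)
def add_attachment(request,
                   app_label,
                   model_name,
                   pk,
                   attachment_form=AttachmentForm,
                   extra_context=None):
    """Attach an uploaded file to the object ``app_label.model_name`` / ``pk``.

    POST only, and the user must hold the configured ``add_attachment``
    permission (otherwise ``PermissionDenied`` is raised by the decorator).
    The form is bound to the POST data and uploaded files and handed to
    ``_handle_attachment_form``, whose result is returned.

    Raises ``Http404`` when the model or the object does not exist.
    """
    try:
        model = apps.get_model(app_label, model_name)
    except LookupError:
        # An unknown app or model in the URL is a client error; without this
        # the lookup failure would surface as a server error.
        raise Http404
    # NOTE(review): app_label and model_name are caller-supplied and only the
    # global add-attachment permission is checked in this view. Confirm that
    # attaching to any installed model is intended, or restrict the targets.
    obj = get_object_or_404(model, pk=pk)
    form = attachment_form(request, request.POST, request.FILES, object=obj)
    return _handle_attachment_form(request, obj, form, _('Add attachment %s'),
                                   _('Your attachment was uploaded.'),
                                   extra_context)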

Ejemplo n.º 10
from django.http import HttpResponseRedirect, HttpResponse, Http404, JsonResponse
from django.apps import apps
from django.utils.encoding import force_text
from django.utils.translation import ugettext_lazy as _
from django.template import RequestContext, Template
from django.contrib.admin.models import LogEntry, CHANGE
from django.contrib.auth.decorators import permission_required
from django.contrib.contenttypes.models import ContentType
from django.contrib import messages

from paperclip import settings
from .forms import AttachmentForm


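@require_POST
@permission_required(settings.get_attachment_permission('add_attachment'), raise_exception=True)
def add_attachment(request, app_label, model_name, pk,
                   attachment_form=AttachmentForm,
                   extra_context=None):
    """Attach an uploaded file to the object ``app_label.model_name`` / ``pk``.

    POST only, and the user must hold the configured ``add_attachment``
    permission (otherwise ``PermissionDenied`` is raised by the decorator).
    The form is bound to the POST data and uploaded files and handed to
    ``_handle_attachment_form``, whose result is returned.

    Raises ``Http404`` when the model or the object does not exist.
    """
    try:
        model = apps.get_model(app_label, model_name)
    except LookupError:
        # Report an unknown app or model as "not found" rather than letting
        # the lookup failure become a server error.
        raise Http404
    # NOTE(review): the target model is chosen by the caller and this view
    # checks only the global add-attachment permission. Confirm that any
    # installed model is an acceptable target, or restrict the set.
    obj = get_object_or_404(model, pk=pk)
    form = attachment_form(request, request.POST, request.FILES, object=obj)
    return _handle_attachment_form(request, obj, form,
                                   _('Add attachment %s'),
                                   _('Your attachment was uploaded.'),
                                   extra_context)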


@require_http_methods(["GET", "POST"])
@permission_required(settings.get_attachment_permission('change_attachment'), raise_exception=True)
def update_attachment(request, attachment_pk,
def delete_attachment_others(perms):
    """Return True when *perms* contains the permission name configured for
    ``'delete_attachment_others'``, False otherwise."""
    return settings.get_attachment_permission('delete_attachment_others') in perms
def change_attachment(perms):
    """Return True when *perms* contains the permission name configured for
    ``'change_attachment'``, False otherwise."""
    return settings.get_attachment_permission('change_attachment') in perms
def add_attachment(perms):
    """Return True when *perms* contains the permission name configured for
    ``'add_attachment'``, False otherwise."""
    return settings.get_attachment_permission('add_attachment') in perms
Ejemplo n.º 14
from django.http import HttpResponseRedirect, HttpResponse, Http404, JsonResponse
from django.apps import apps
from django.utils.encoding import force_text
from django.utils.translation import ugettext_lazy as _
from django.template import RequestContext, Template
from django.contrib.admin.models import LogEntry, CHANGE
from django.contrib.auth.decorators import permission_required
from django.contrib.contenttypes.models import ContentType
from django.contrib import messages

from paperclip import settings
from .forms import AttachmentForm


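@require_POST
@permission_required(settings.get_attachment_permission('add'), raise_exception=True)
def add_attachment(request, app_label, model_name, pk,
                   attachment_form=AttachmentForm,
                   extra_context=None):
    """Attach an uploaded file to the object ``app_label.model_name`` / ``pk``.

    POST only, and the user must hold the permission the settings return for
    ``'add'`` (otherwise ``PermissionDenied`` is raised by the decorator).
    The form is bound to the POST data and uploaded files and handed to
    ``_handle_attachment_form``, whose result is returned.

    Raises ``Http404`` when the model or the object does not exist.
    """
    try:
        model = apps.get_model(app_label, model_name)
    except LookupError:
        # Answer "not found" for an unknown app or model instead of letting
        # the lookup failure turn into a server error.
        raise Http404
    # NOTE(review): the caller picks the target model and only the global
    # add permission is checked here. Confirm that every installed model is
    # an acceptable attachment target, or restrict the set.
    obj = get_object_or_404(model, pk=pk)
    form = attachment_form(request, request.POST, request.FILES, object=obj)
    return _handle_attachment_form(request, obj, form,
                                   _('Add attachment %s'),
                                   _('Your attachment was uploaded.'),
                                   extra_context)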


@require_http_methods(["GET", "POST"])
@permission_required(settings.get_attachment_permission('change'), raise_exception=True)
def update_attachment(request, attachment_pk,