def check_ownership(self, request, require_owner, require_author, ignore_disabled, admin):
    """Tell ``acl.check_ownership`` whether ``request.user`` may act on this collection.

    Only ``require_owner`` is forwarded to ``acl.check_collection_ownership``.
    ``require_author``, ``ignore_disabled`` and ``admin`` are accepted but not
    used in this body, so they have no effect on the decision made here.
    """
    allowed = acl.check_collection_ownership(request, self, require_owner)
    return allowed
def wrapper(request, username, slug, *args, **kw):
    """Run the wrapped view only when the requester passes the ownership check.

    ``func`` and ``require_owner`` are free variables, presumably bound by an
    enclosing decorator that is not visible here. A failed check is answered
    with an empty 403 response and the wrapped view is never called.
    """
    collection = get_collection(request, username, slug)
    permitted = acl.check_collection_ownership(
        request, collection, require_owner=require_owner)
    if not permitted:
        return http.HttpResponseForbidden()
    return func(request, collection, username, slug, *args, **kw)
def get_object(self, request, username, slug):
    """Return the collection for ``username``/``slug`` if the requester may see it.

    The request is stored on ``self.request``. A listed collection is always
    returned. An unlisted one is returned only when the ownership check
    passes; otherwise ``Http404`` is raised.
    """
    self.request = request
    collection = views.get_collection(request, username, slug)
    if not collection.listed and not acl.check_collection_ownership(request, collection):
        # A 403 cannot be raised as an exception here, so 404 is used instead.
        raise http.Http404()
    return collection
def collection_detail_json(request, username, slug):
    """Return a JSON-ready dict describing a collection and its valid add-ons.

    Raises ``PermissionDenied`` when the collection is unlisted and the
    requester fails ``acl.check_collection_ownership``.
    """
    collection = get_collection(request, username, slug)
    visible = collection.listed or acl.check_collection_ownership(request, collection)
    if not visible:
        raise PermissionDenied

    # Force the QuerySet into a list before iterating (workaround for bug 866454).
    valid_addons = list(collection.addons.valid())
    addons_payload = [addon_to_dict(addon) for addon in valid_addons]
    return {
        "name": collection.name,
        "url": collection.get_abs_url(),
        "iconUrl": collection.icon_url,
        "addons": addons_payload,
    }
def wrapper(request, username, slug, *args, **kw):
    """Run the wrapped view only when the requester passes the ownership check.

    ``func`` and ``require_owner`` are free variables, presumably bound by an
    enclosing decorator that is not visible here. A failed check raises
    ``PermissionDenied`` before the wrapped view is reached.
    """
    collection = get_collection(request, username, slug)
    permitted = acl.check_collection_ownership(
        request, collection, require_owner=require_owner)
    if not permitted:
        raise PermissionDenied
    return func(request, collection, username, slug, *args, **kw)
def wrapper(request, username, slug, *args, **kw):
    """Look the collection up by author nickname and slug, then gate the view.

    A missing collection is handled by ``get_object_or_404``. ``func`` and
    ``require_owner`` are free variables, presumably bound by an enclosing
    decorator that is not visible here. A failed ownership check returns a
    403 response carrying a translated message.
    """
    collection = get_object_or_404(
        Collection, author__nickname=username, slug=slug)
    permitted = acl.check_collection_ownership(
        request, collection, require_owner=require_owner)
    if not permitted:
        return http.HttpResponseForbidden(
            _("This is not the collection you are looking for."))
    return func(request, collection, username, slug, *args, **kw)
def collection_detail_json(request, username, slug):
    """Return a JSON-ready dict describing a collection and its valid add-ons.

    Raises ``PermissionDenied`` when the collection is unlisted and the
    requester fails ``acl.check_collection_ownership``.
    """
    collection = get_collection(request, username, slug)
    if not collection.listed and not acl.check_collection_ownership(request, collection):
        raise PermissionDenied

    addons_payload = []
    for addon in collection.addons.valid():
        addons_payload.append(addon_to_dict(addon))

    return {
        'name': collection.name,
        'url': collection.get_abs_url(),
        'iconUrl': collection.icon_url,
        'addons': addons_payload,
    }
def collection_detail_json(request, username, slug):
    """Return a JSON-ready dict describing a collection and its valid add-ons.

    Raises ``PermissionDenied`` when the collection is unlisted and the
    requester fails ``acl.check_collection_ownership``.
    """
    collection = get_collection(request, username, slug)
    if not collection.listed and not acl.check_collection_ownership(request, collection):
        raise PermissionDenied

    # The QuerySet is evaluated with `list` up front to work around bug 866454.
    valid_addons = list(collection.addons.valid())
    addons_payload = [addon_to_dict(addon) for addon in valid_addons]
    return {
        'name': collection.name,
        'url': collection.get_abs_url(),
        'iconUrl': collection.icon_url,
        'addons': addons_payload,
    }
def collection_detail_json(request, username, slug):
    """Return a JSON-ready dict describing a collection and its valid add-ons.

    When the collection is unlisted and the requester fails
    ``acl.check_collection_ownership``, an empty 403 response is returned
    instead of the dict.
    """
    collection = get_collection(request, username, slug)
    if not collection.listed and not acl.check_collection_ownership(request, collection):
        return http.HttpResponseForbidden()

    valid_addons = collection.addons.valid()
    addons_payload = [addon_to_dict(addon) for addon in valid_addons]
    return {
        'name': collection.name,
        'url': collection.get_abs_url(),
        'iconUrl': collection.icon_url,
        'addons': addons_payload,
    }
def collection_detail(request, username, slug):
    """Render the detail page for one collection.

    Access to an unlisted collection is gated in two steps: an anonymous
    requester is redirected to login, and an authenticated requester who fails
    ``acl.check_collection_ownership`` gets ``PermissionDenied``. A request
    with ``?format=rss`` is permanently redirected to the collection feed.
    The template also receives ``user_perms['view_stats']``, computed with
    ``acl.check_ownership(..., require_owner=False)``.
    """
    coll = get_collection(request, username, slug)
    if not coll.listed:
        if not request.user.is_authenticated():
            return redirect_for_login(request)
        if not acl.check_collection_ownership(request, coll):
            raise PermissionDenied

    if request.GET.get('format') == 'rss':
        return http.HttpResponsePermanentRedirect(coll.feed_url())

    base = Addon.objects.valid() & coll.addons.all()
    addon_filter = CollectionAddonFilter(request, base,
                                         key='sort', default='popular')
    notes = get_notes(coll)
    # Count through CollectionAddon directly so no joins are needed.
    valid_q = Addon.objects.valid_q(amo.VALID_STATUSES, prefix='addon__')
    count_qs = CollectionAddon.objects.filter(valid_q, collection=coll.id)
    addons = paginate(request, addon_filter.qs, per_page=15,
                      count=count_qs.count())

    # The add-on query is not related to the collection, so its flush key (and
    # the count's) must be registered under the collection's key by hand.
    flush_keys = [addons.object_list.flush_key(), count_qs.flush_key()]
    caching.invalidator.add_to_flush_list({coll.flush_key(): flush_keys})

    author_collections = []
    if coll.author_id:
        listed_by_author = Collection.objects.listed().filter(author=coll.author)
        author_collections = amo.utils.randslice(listed_by_author, limit=4,
                                                 exclude=coll.id)

    # `perms` is defined in django.contrib.auth.context_processors, so the
    # context key used here is `user_perms`.
    user_perms = {
        'view_stats': acl.check_ownership(request, coll, require_owner=False),
    }

    if coll.top_tags:
        tags = Tag.objects.filter(id__in=coll.top_tags)
    else:
        tags = []

    context = {
        'collection': coll,
        'filter': addon_filter,
        'addons': addons,
        'notes': notes,
        'author_collections': author_collections,
        'tags': tags,
        'user_perms': user_perms,
    }
    return render_cat(request, 'bandwagon/collection_detail.html', context)
def collection_detail_json(request, username, slug):
    """Return a JSON-ready dict describing a collection and its valid add-ons.

    When the collection is unlisted and the requester fails
    ``acl.check_collection_ownership``, an empty 403 response is returned
    instead of the dict.
    """
    collection = get_collection(request, username, slug)
    may_view = collection.listed or acl.check_collection_ownership(request, collection)
    if not may_view:
        return http.HttpResponseForbidden()

    addons_payload = []
    for addon in collection.addons.valid():
        addons_payload.append(addon_to_dict(addon))

    return {
        'name': collection.name,
        'url': collection.get_abs_url(),
        'iconUrl': collection.icon_url,
        'addons': addons_payload,
    }
def change_addon(request, collection, action):
    """Call ``collection.<action>_addon`` for the add-on named in the POST data.

    Raises ``PermissionDenied`` when the requester fails
    ``acl.check_collection_ownership``. A missing or malformed ``addon_id``
    yields a 400 response, and an unknown id is handled by
    ``get_object_or_404``. On success the change is logged and the requester
    is redirected: to the AJAX list for AJAX requests, otherwise to the
    collection page.
    """
    if not acl.check_collection_ownership(request, collection):
        raise PermissionDenied

    try:
        addon = get_object_or_404(Addon.objects, pk=request.POST["addon_id"])
    except (ValueError, KeyError):
        return http.HttpResponseBadRequest()

    # NOTE(review): the method name is built from `action`. Callers are
    # presumably limited to a fixed set of verbs; confirm that `action` is
    # never taken from request data.
    handler = getattr(collection, action + "_addon")
    handler(addon)
    log.info(u"%s: %s %s to collection %s" % (request.amo_user, action, addon.id, collection.id))

    url = (
        "%s?addon_id=%s" % (reverse("collections.ajax_list"), addon.id)
        if request.is_ajax()
        else collection.get_url_path()
    )
    return http.HttpResponseRedirect(url)
def collection_detail(request, username, slug):
    """Render the detail page for one collection.

    Access to an unlisted collection is gated in two steps: an anonymous
    requester is redirected to login, and an authenticated requester who fails
    ``acl.check_collection_ownership`` gets ``PermissionDenied``. A request
    with ``?format=rss`` is permanently redirected to the collection feed.
    The template also receives ``user_perms["view_stats"]``, computed with
    ``acl.check_ownership(..., require_owner=False)``.
    """
    coll = get_collection(request, username, slug)
    if not coll.listed:
        if not request.user.is_authenticated():
            return redirect_for_login(request)
        if not acl.check_collection_ownership(request, coll):
            raise PermissionDenied

    if request.GET.get("format") == "rss":
        return http.HttpResponsePermanentRedirect(coll.feed_url())

    base = Addon.objects.valid() & coll.addons.all()
    addon_filter = CollectionAddonFilter(request, base, key="sort", default="popular")
    notes = get_notes(coll)
    # Count through CollectionAddon directly so no joins are needed.
    valid_q = Addon.objects.valid_q(amo.VALID_STATUSES, prefix="addon__")
    count_qs = CollectionAddon.objects.filter(valid_q, collection=coll.id)
    addons = paginate(request, addon_filter.qs, per_page=15, count=count_qs.count())

    # The add-on query is not related to the collection, so its flush key (and
    # the count's) must be registered under the collection's key by hand.
    flush_keys = [addons.object_list.flush_key(), count_qs.flush_key()]
    caching.invalidator.add_to_flush_list({coll.flush_key(): flush_keys})

    author_collections = []
    if coll.author_id:
        listed_by_author = Collection.objects.listed().filter(author=coll.author)
        author_collections = amo.utils.randslice(listed_by_author, limit=4, exclude=coll.id)

    # `perms` is defined in django.contrib.auth.context_processors, so the
    # context key used here is `user_perms`.
    user_perms = {"view_stats": acl.check_ownership(request, coll, require_owner=False)}

    if coll.top_tags:
        tags = Tag.objects.filter(id__in=coll.top_tags)
    else:
        tags = []

    context = {
        "collection": coll,
        "filter": addon_filter,
        "addons": addons,
        "notes": notes,
        "author_collections": author_collections,
        "tags": tags,
        "user_perms": user_perms,
    }
    return render(request, "bandwagon/collection_detail.html", context)
def change_addon(request, collection, action):
    """Call ``collection.<action>_addon`` for the add-on named in the POST data.

    A requester who fails ``acl.check_collection_ownership`` gets an empty 403
    response. A missing or malformed ``addon_id`` yields a 400 response, and
    an unknown id is handled by ``get_object_or_404``. On success the change
    is logged and the requester is redirected: to the AJAX list for AJAX
    requests, otherwise to the collection page.
    """
    if not acl.check_collection_ownership(request, collection):
        return http.HttpResponseForbidden()

    try:
        addon = get_object_or_404(Addon.objects, pk=request.POST['addon_id'])
    except (ValueError, KeyError):
        return http.HttpResponseBadRequest()

    # NOTE(review): the method name is built from `action`. Callers are
    # presumably limited to a fixed set of verbs; confirm that `action` is
    # never taken from request data.
    handler = getattr(collection, action + '_addon')
    handler(addon)
    log.info(u'%s: %s %s to collection %s' %
             (request.amo_user, action, addon.id, collection.id))

    url = (
        '%s?addon_id=%s' % (reverse('collections.ajax_list'), addon.id)
        if request.is_ajax()
        else collection.get_url_path()
    )
    return redirect(url)
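def delete(request, username, slug):
    """Confirm and perform deletion of a collection.

    The collection is looked up by author username and slug (404 if absent).
    The ownership check is called with ``True`` as its third positional
    argument; a requester who fails it is logged and gets
    ``PermissionDenied``. A GET renders the confirmation page. A POST deletes
    the collection only when ``sure`` equals ``"1"`` and then redirects to the
    user's collections. Any other POST redirects back to the collection.
    """
    collection = get_object_or_404(Collection, author__username=username, slug=slug)
    if not acl.check_collection_ownership(request, collection, True):
        # Record the refused attempt before denying it.
        log.info(u"%s is trying to delete collection %s" % (request.amo_user, collection.id))
        raise PermissionDenied

    data = dict(collection=collection, username=username, slug=slug)

    if request.method == "POST":
        # .get() so a POST without `sure` counts as "not confirmed" rather
        # than raising KeyError and surfacing as a server error.
        if request.POST.get("sure") == "1":
            collection.delete()
            log.info(u"%s deleted collection %s" % (request.amo_user, collection.id))
            url = reverse("collections.user", args=[username])
            return http.HttpResponseRedirect(url)
        return http.HttpResponseRedirect(collection.get_url_path())

    return render(request, "bandwagon/delete.html", data)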
def collection_detail(request, username, slug):
    """Render the detail page for one collection.

    An unlisted collection is shown only to a requester who passes
    ``acl.check_collection_ownership``; everyone else gets an empty 403
    response. A request with ``?format=rss`` is permanently redirected to the
    collection feed. The template also receives ``user_perms['view_stats']``,
    computed with ``acl.check_ownership(..., require_owner=False)``.
    """
    coll = get_collection(request, username, slug)
    if not coll.listed and not acl.check_collection_ownership(request, coll):
        return http.HttpResponseForbidden()

    if request.GET.get('format') == 'rss':
        return redirect(coll.feed_url(), permanent=True)

    base = Addon.objects.valid() & coll.addons.all()
    addon_filter = CollectionAddonFilter(request, base,
                                         key='sort', default='popular')
    notes = get_notes(coll)
    # Count through CollectionAddon directly so no joins are needed.
    valid_q = Addon.objects.valid_q(amo.VALID_STATUSES, prefix='addon__')
    count_qs = CollectionAddon.objects.filter(valid_q, collection=coll.id)
    addons = paginate(request, addon_filter.qs, per_page=15,
                      count=count_qs.count())

    # The add-on query is not related to the collection, so its flush key (and
    # the count's) must be registered under the collection's key by hand.
    flush_keys = [addons.object_list.flush_key(), count_qs.flush_key()]
    caching.invalidator.add_to_flush_list({coll.flush_key(): flush_keys})

    author_collections = []
    if coll.author_id:
        listed_by_author = Collection.objects.listed().filter(author=coll.author)
        author_collections = amo.utils.randslice(listed_by_author, limit=4,
                                                 exclude=coll.id)

    # `perms` is defined in django.contrib.auth.context_processors, so the
    # context key used here is `user_perms`.
    user_perms = {
        'view_stats': acl.check_ownership(request, coll, require_owner=False),
    }

    if coll.top_tags:
        tags = Tag.objects.filter(id__in=coll.top_tags)
    else:
        tags = []

    context = {
        'collection': coll,
        'filter': addon_filter,
        'addons': addons,
        'notes': notes,
        'author_collections': author_collections,
        'tags': tags,
        'user_perms': user_perms,
    }
    return render(request, 'bandwagon/collection_detail.html', context)
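def delete(request, username, slug):
    """Confirm and perform deletion of a collection.

    The collection is looked up by author username and slug (404 if absent).
    The ownership check is called with ``True`` as its third positional
    argument; a requester who fails it is logged and gets an empty 403
    response. A GET renders the confirmation page. A POST deletes the
    collection only when ``sure`` equals ``'1'`` and then redirects to the
    user's collections. Any other POST redirects back to the collection.
    """
    collection = get_object_or_404(Collection,
                                   author__username=username, slug=slug)
    if not acl.check_collection_ownership(request, collection, True):
        # Record the refused attempt before denying it.
        log.info(u'%s is trying to delete collection %s' %
                 (request.amo_user, collection.id))
        return http.HttpResponseForbidden()

    data = dict(collection=collection, username=username, slug=slug)

    if request.method == 'POST':
        # .get() so a POST without `sure` counts as "not confirmed" rather
        # than raising KeyError and surfacing as a server error.
        if request.POST.get('sure') == '1':
            collection.delete()
            log.info(u'%s deleted collection %s' %
                     (request.amo_user, collection.id))
            url = reverse('collections.user', args=[username])
            return http.HttpResponseRedirect(url)
        return http.HttpResponseRedirect(collection.get_url_path())

    return render(request, 'bandwagon/delete.html', data)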