Exemple #1
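    def post(self, request, *args, **kwargs):
        """Delete the elements posted as ``element_ids[]`` that the user may write.

        Each id is looked up on ``self.model`` scoped to ``self.group``. An id
        that resolves to no element, or one the user lacks write access to,
        is skipped and therefore counted as an error in the response.

        Returns:
            JsonResponse with ``had_errors`` (True unless every posted id was
            deleted) and ``successful_ids`` (the deleted ids, as posted).
            400 when neither ids nor a group are available.

        Raises:
            ImproperlyConfigured: when the view has no ``model`` set.
        """
        if not self.model:
            raise ImproperlyConfigured(
                'No model class is set for the pseudo-abstract view DeleteElementView.'
            )

        element_ids = request.POST.getlist('element_ids[]', [])
        # NOTE(review): ids may be posted while self.group is unset; the lookup
        # below then filters on group=None — confirm that is intended.
        if not (element_ids or self.group):
            return HttpResponseBadRequest(
                'Missing POST fields for this request.')

        successful_ids = []
        for element_id in element_ids:
            element = get_object_or_None(self.model,
                                         id=element_id,
                                         group=self.group)
            # get_object_or_None presumably yields None for an unknown id (or
            # one outside self.group); never hand None to the permission check
            # or to delete_element(), just count it as an error.
            if element is None:
                continue
            # Permission is checked per element, never for the batch as a whole.
            if not check_object_write_access(element, request.user):
                continue
            if self.delete_element(element):
                successful_ids.append(element_id)

        data = {
            'had_errors': len(successful_ids) != len(element_ids),
            'successful_ids': successful_ids,
        }
        return JsonResponse(data)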
Exemple #2
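def save_widget_config(request):
    """Save-endpoint for WidgetConfig priorities (dashboard widget rearranging).

    Expects an AJAX POST whose ``widget_data`` field is a JSON object mapping
    widget-config ids to property dicts. Only the ``priority`` property is
    applied, and only to configs the user may write: their own, or those
    belonging to a group they have write access to. Unknown ids are ignored.

    Returns:
        403 for anonymous users, 405 for non-AJAX or non-POST requests,
        a 400 JSON error when ``widget_data`` is missing or not a JSON object,
        otherwise ``{'status': 'ok'}``.
    """
    import json

    user = request.user
    if not user.is_authenticated:
        return HttpResponseForbidden()

    if not request.is_ajax() or request.method != 'POST':
        return HttpResponseNotAllowed(['POST'])

    # A missing or malformed payload used to escape as TypeError/ValueError
    # (an unhandled 500); answer a client error instead.
    raw = request.POST.get('widget_data')
    try:
        widgets = json.loads(raw) if raw is not None else None
    except ValueError:
        widgets = None
    if not isinstance(widgets, dict):
        return JsonResponse({'status': 'error'}, status=400)

    for widget_id, props in widgets.items():
        if not isinstance(props, dict) or 'priority' not in props:
            continue
        try:
            wc = WidgetConfig.objects.get(id=int(widget_id))
        except (WidgetConfig.DoesNotExist, ValueError):
            # Unknown or non-numeric id: skip it, as unknown ids always were.
            continue
        # Owner of the config, or write access on the owning group.
        if (wc.group and check_object_write_access(wc.group, user)) or \
                (wc.user and wc.user.id == user.id):
            # NOTE(review): priority is stored as posted; the expected type of
            # sort_field is not visible here — confirm the model validates it.
            wc.sort_field = props.get('priority')
            wc.save()

    messages.info(request, _('Your changes have been saved.'))

    return JsonResponse({'status': 'ok'}, safe=False)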
Exemple #3
        def wrapper(self, request, *args, **kwargs):
            """View wrapper: resolve the group from the URL and require write access.

            The group name comes from the URL kwarg named by ``group_url_kwarg``
            (decorator argument, else the view attribute, else ``'group'``) and
            the resolved group is stored on the view under ``group_attr`` (same
            fallback chain) before the wrapped view runs.

            Denied paths, in order: 404 when no group name is in the URL, the
            deactivated-app response, the not-logged-in redirect for anonymous
            users, and the 403 redirect for users without write access.
            """
            kwarg_name = group_url_kwarg or getattr(self, 'group_url_kwarg', 'group')
            target_attr = group_attr or getattr(self, 'group_attr', 'group')

            group_slug = kwargs.get(kwarg_name)
            if not group_slug:
                return HttpResponseNotFound(_("No team provided"))

            group = get_group_for_request(group_slug, request)
            current_user = request.user

            # The deactivated-app check precedes the login check, so it also
            # answers anonymous users.
            app_error = _check_deactivated_app_access(self, group, request)
            if app_error:
                return app_error

            if not current_user.is_authenticated:
                return redirect_to_not_logged_in(request, view=self, group=group)

            if not check_object_write_access(group, current_user):
                # Access denied: redirect to the 403 page and display an error message.
                return redirect_to_403(request, self, group=group)

            setattr(self, target_attr, group)
            return function(self, request, *args, **kwargs)
Exemple #4
def has_write_access(user, obj):
    """Template filter: may ``user`` edit/update/delete ``obj``?

    ``obj`` is either a CosinnusGroup or a BaseTaggableObject. For a
    CosinnusGroup this checks whether the user is a group admin or a site
    admin; superuser status and group memberships are factored in by the
    underlying check. Note that the argument order is the reverse of
    ``check_object_write_access(obj, user)``.
    """
    allowed = check_object_write_access(obj, user)
    return allowed
Exemple #5
 def dispatch(self, request, *args, **kwargs):
     """Resolve the group from the URL and require write access before dispatching.

     The group name is read from ``kwargs[self.group_url_kwarg]``; the resolved
     group is stored on ``self.group``. Users without write access are
     redirected to the 403 page instead of reaching the parent dispatch.
     """
     group_slug = kwargs.get(self.group_url_kwarg)
     self.group = get_group_for_request(group_slug, request)
     if not check_object_write_access(self.group, request.user):
         # Access denied: redirect to the 403 page and display an error message.
         return redirect_to_403(request)
     parent = super(GroupMicrosite, self)
     return parent.dispatch(request, *args, **kwargs)
Exemple #6
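 def delete(self, request, *args, **kwargs):
     """Delete the todo list only if the user may delete every todo it contains.

     If any contained todo fails the write check, an error message is queued
     and the user is redirected back to the list instead of deleting anything.
     """
     todolist = self.get_object()
     # Generator instead of a list: stop at the first todo the user may not
     # delete rather than evaluating every permission up front.
     may_delete_all = all(
         check_object_write_access(todo, request.user)
         for todo in todolist.todos.all()
     )
     if not may_delete_all:
         messages.error(
             request,
             _('You cannot delete this folder because you do not have permission to delete one or more items it contains!'
               ))
         return HttpResponseRedirect(todolist.get_absolute_url())
     return super(TodoListDeleteView, self).delete(request, *args, **kwargs)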
Exemple #7
        def wrapper(self, request, *args, **kwargs):
            """View wrapper enforcing write access on the requested object.

            The group is resolved from the URL kwarg (``group_url_kwarg``, the
            view attribute, or ``'group'``) and stored on the view under
            ``group_attr`` (same fallback chain). Then, in this order: anonymous
            users on a private group go to the login flow, the deactivated-app
            check may answer the request, ``self.get_object()`` is attempted
            (views without one leave it unset), anonymous users are sent to the
            login flow, and finally the wrapped view runs only if the user may
            write the object (edit/delete) or may create objects in the group
            (no object). Everything else is the 403 redirect.
            """
            kwarg_name = group_url_kwarg or getattr(self, 'group_url_kwarg', 'group')
            target_attr = group_attr or getattr(self, 'group_attr', 'group')

            group_slug = kwargs.get(kwarg_name)
            if not group_slug:
                return HttpResponseNotFound(_("No team provided"))

            group = get_group_for_request(group_slug, request)
            current_user = request.user
            setattr(self, target_attr, group)

            # Anonymous users must not reach get_object() on a private group
            # (it raises Http404); send them to the login flow instead.
            if not (group.public or current_user.is_authenticated):
                return redirect_to_not_logged_in(request, view=self, group=group)

            app_error = _check_deactivated_app_access(self, group, request)
            if app_error:
                return app_error

            # Create views have no object to fetch; treat that as "no object".
            try:
                target = self.get_object()
            except (AttributeError, TypeError):
                target = None

            # Nothing is ever writable for anonymous users.
            if not current_user.is_authenticated:
                return redirect_to_not_logged_in(request, view=self, group=group)

            if target:
                # Editing/deleting: owner, staff member, group admin or site admin.
                permitted = check_object_write_access(target, current_user)
            else:
                # Creating: may the user create objects in this group?
                permitted = check_group_create_objects_access(group, current_user)

            if permitted:
                return function(self, request, *args, **kwargs)

            # Access denied: redirect to the 403 page and display an error message.
            return redirect_to_403(request, self, group=group)
Exemple #8
        def wrapper(request, *args, **kwargs):
            """Function-view wrapper: resolve the group from the URL and require write access.

            On success the resolved group is handed to the wrapped view as
            ``kwargs['group']``. Anonymous users go to the login flow; users
            without write access on the group get the 403 redirect.
            """
            group_slug = kwargs.get(group_url_arg)
            if not group_slug:
                return HttpResponseNotFound(_("No team provided"))

            group = get_group_for_request(group_slug, request)
            current_user = request.user

            # NOTE(review): ``self`` is not a parameter of this wrapper; unless the
            # enclosing decorator binds it, both denied paths below raise NameError
            # instead of redirecting — confirm against the decorator's scope.
            if not current_user.is_authenticated:
                return redirect_to_not_logged_in(request, view=self, group=group)

            if not check_object_write_access(group, current_user):
                # Access denied: redirect to the 403 page and display an error message.
                return redirect_to_403(request, self, group=group)

            kwargs['group'] = group
            return function(request, *args, **kwargs)
Exemple #9
 def dispatch(self, request, *args, **kwargs):
     """Only users with write access (owners) may view an inactive offer.

     Anyone else is shown an error message and redirected to the marketplace
     list of the group. A CosinnusPermissionDeniedException raised anywhere
     in the dispatch (group lookup, object lookup or the parent dispatch) is
     turned into the not-logged-in redirect.
     """
     try:
         self.group = get_group_for_request(kwargs.get('group'), request)
         offer = self.get_object()
         inactive = not offer.is_active
         if inactive and not check_object_write_access(offer, request.user):
             messages.error(
                 request,
                 _('The offer you requested is no longer active. Sorry!'))
             list_url = group_aware_reverse('cosinnus:marketplace:list',
                                            kwargs={'group': self.group})
             return redirect(list_url)
         parent = super(OfferDetailView, self)
         return parent.dispatch(request, *args, **kwargs)
     except CosinnusPermissionDeniedException:
         return redirect_to_not_logged_in(request, view=self)
Exemple #10
 def wrapper(self, request, *args, **kwargs):
     """View wrapper: the requested object must be writable by the logged-in user.

     Anonymous users are sent to the login flow. When ``self.get_object()``
     yields nothing (or the view has no usable ``get_object``) access is
     denied as well, so this wrapper suits edit/delete views only.
     """
     current_user = request.user

     # Anonymous users never get past this point.
     if not current_user.is_authenticated:
         return redirect_to_not_logged_in(request, view=self)

     try:
         target = self.get_object()
     except (AttributeError, TypeError):
         target = None

     # Editing/deleting: owner, staff member, group admin or site admin.
     if target and check_object_write_access(target, current_user):
         return function(self, request, *args, **kwargs)

     # Access denied: redirect to the 403 page and display an error message.
     return redirect_to_403(request, self)
Exemple #11
    def _delete_object(self, obj, request):
        """Delete ``obj`` after the container and permission sanity checks.

        A container is deleted only if it is empty: its contents must have
        been deleted before it, so the only object left under its path should
        be the container itself. The user must also have write access on the
        object.

        Returns 1 if the object was deleted, 0 otherwise (handy for summing
        the number of deleted objects). An error message is queued on every
        failure path, including when the row still exists after ``delete()``.
        """
        def _fail(message):
            messages.error(request, message)
            return 0

        if obj.is_container:
            remaining = self._get_objects_in_path(obj.path)
            if len(remaining) > 1:
                return _fail(_(
                    'Container "%(title)s" could not be deleted because it contained objects that could not be deleted.'
                ) % {'title': obj.title})

        if not check_object_write_access(obj, request.user):
            return _fail(
                _('You do not have permissions to delete "%(title)s".') %
                {'title': obj.title})

        pk = obj.pk
        obj.delete()
        # Re-query by pk to verify the row is really gone.
        try:
            survivor = self.model.objects.get(pk=pk)
        except self.model.DoesNotExist:
            return 1
        return _fail(_('Object "%(title)s" could not be deleted.') % {
            'title': survivor.title,
        })
Exemple #12
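def entry_toggle_complete_me_view_api(request, pk, group):
    """API view: mark a TodoEntry as completed (or not) by the current user.

    Reads ``pk`` and ``is_completed`` from the POST body; the posted ``pk``
    takes precedence over the URL ``pk``. ``is_completed == "true"``
    completes the entry for ``request.user`` and notifies the creator when
    somebody else completed it; any other value clears the completion.

    Args:
        request: the HTTP request; only POST is handled.
        pk: entry pk from the URL (overridden by the POST field of the same name).
        group: the group from the URL; not used by this view.

    Returns:
        JSONResponse with ``status`` and ``is_completed``; 403 when the user
        may not write the entry; 405 for non-POST requests (the view used to
        return None there, which Django rejects as an invalid response).

    Raises:
        Http404: when no TodoEntry with the given pk exists.
    """
    if request.method != "POST":
        return JSONResponse('Only POST requests are allowed for this endpoint!',
                            status=405)

    # TODO: Django<=1.5: Django 1.6 removed the cookie check in favor of CSRF
    request.session.set_test_cookie()

    pk = request.POST.get('pk')
    is_completed = request.POST.get('is_completed')

    instance = get_object_or_404(TodoEntry, pk=pk)
    # Per-object write check; the URL group alone grants nothing here.
    if not check_object_write_access(instance, request.user):
        return JSONResponse(
            'You do not have the necessary permissions to modify this object!',
            status=403)

    if is_completed == "true":
        instance.completed_by = request.user
        instance.completed_date = now()
        if instance.completed_by != instance.creator:
            # Notify the creator that somebody else completed their todo.
            sender = instance
            sender.request = request
            cosinnus_notifications.user_completed_my_todo.send(
                sender=sender,
                user=instance.completed_by,
                obj=instance,
                audience=[instance.creator])
    else:
        instance.completed_by = None
        instance.completed_date = None
    instance.save()

    return JSONResponse({
        'status': 'success',
        'is_completed': instance.is_completed
    })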
Exemple #13
 def grant_extra_write_permissions(self, user, fields=None):
     """Grant write permission when ``user`` may write this object's group.

     ``fields`` is accepted for interface compatibility but not consulted.
     """
     group_writable = check_object_write_access(self.group, user)
     return group_writable
 def check_write_permissions(self, obj, user, **kwargs):
     """Permission check: may ``user`` modify ``obj``?

     Delegates to ``check_object_write_access``, forwarding ``kwargs``.
     It is highly recommended to override this method!
     """
     extra = dict(kwargs)
     return check_object_write_access(obj, user, **extra)