def user_permissions(request, id, user_id=None): """ Ajax call to update a user's permissions @param id: id of Group """ editor = request.user group = get_object_or_404(Group, id=id) if not (editor.is_superuser or editor.has_perm('admin', group)): return HttpResponseForbidden('You do not have sufficient privileges') if request.method == 'POST': form = ObjectPermissionForm(Group, request.POST) if form.is_valid(): form.update_perms() user = form.cleaned_data['user'] # send signal view_edit_user.send(sender=editor, user=user, obj=group) # return html to replace existing user row url = reverse('group-permissions', args=[id]) return render_to_response( "object_permissions/muddle/group/user_row.html", { 'object': group, 'user_detail': user, 'url': url }, context_instance=RequestContext(request)) # error in form return ajax response content = json.dumps(form.errors) return HttpResponse(content, mimetype='application/json') # render a form for an existing user only form_user = get_object_or_404(User, id=user_id) data = { 'permissions': get_user_perms(form_user, group), 'obj': group, 'user': user_id } form = ObjectPermissionForm(Group, data) return render_to_response( "object_permissions/permissions/form.html", { 'form': form, 'obj': group, 'user_id': user_id, 'url': reverse('group-permissions', args=[group.id]) }, context_instance=RequestContext(request))
def user_permissions(request, id, user_id=None): """ Ajax call to update a user's permissions @param id: id of Group """ editor = request.user group = get_object_or_404(Group, id=id) if not (editor.is_superuser or editor.has_perm("admin", group)): return HttpResponseForbidden("You do not have sufficient privileges") if request.method == "POST": form = ObjectPermissionForm(Group, request.POST) if form.is_valid(): form.update_perms() user = form.cleaned_data["user"] # send signal view_edit_user.send(sender=editor, user=user, obj=group) # return html to replace existing user row url = reverse("group-permissions", args=[id]) return render_to_response( "object_permissions/permissions/user_row.html", {"object": group, "user_detail": user, "url": url}, context_instance=RequestContext(request), ) # error in form return ajax response content = json.dumps(form.errors) return HttpResponse(content, mimetype="application/json") # render a form for an existing user only form_user = get_object_or_404(User, id=user_id) data = {"permissions": get_user_perms(form_user, group), "obj": group, "user": user_id} form = ObjectPermissionForm(Group, data) return render_to_response( "object_permissions/permissions/form.html", {"form": form, "obj": group, "user_id": user_id, "url": reverse("group-permissions", args=[group.id])}, context_instance=RequestContext(request), )
def user_permissions(request, id, user_id=None): """ Ajax call to update a user's permissions @param id: id of Group """ editor = request.user group = get_object_or_404(Group, id=id) if not (editor.is_superuser or editor.has_perm('admin', group)): return HttpResponseForbidden('You do not have sufficient privileges') if request.method == 'POST': form = ObjectPermissionForm(Group, request.POST) if form.is_valid(): form.update_perms() user = form.cleaned_data['user'] # send signal view_edit_user.send(sender=editor, user=user, obj=group) # return html to replace existing user row url = reverse('group-permissions', args=[id]) return render_to_response( "object_permissions/muddle/group/user_row.html", {'object':group, 'user_detail':user, 'url':url}, context_instance=RequestContext(request)) # error in form return ajax response content = json.dumps(form.errors) return HttpResponse(content, mimetype='application/json') # render a form for an existing user only form_user = get_object_or_404(User, id=user_id) data = {'permissions':get_user_perms(form_user, group), 'obj':group, 'user':user_id} form = ObjectPermissionForm(Group, data) return render_to_response("object_permissions/permissions/form.html", {'form':form, 'obj':group, 'user_id':user_id, 'url':reverse('group-permissions', args=[group.id])}, context_instance=RequestContext(request))
def test_view_user_permissions(self): """ Tests updating User's permissions Verifies: * anonymous user returns 403 * lack of permissions returns 403 * nonexistent cluster returns 404 * invalid user returns 404 * invalid group returns 404 * missing user and group returns error as json * GET returns html for form * If user/group has permissions no html is returned * If user/group has no permissions a json response of -1 is returned """ args = (self.cluster.slug, self.vm.hostname, self.user1.id) args_post = (self.cluster.slug, self.vm.hostname) url = "/cluster/%s/%s/permissions/user/%s" url_post = "/cluster/%s/%s/permissions/" # anonymous user response = self.c.get(url % args, follow=True) self.assertEqual(200, response.status_code) self.assertTemplateUsed(response, 'registration/login.html') # unauthorized user self.assertTrue(self.c.login(username=self.user.username, password='******')) response = self.c.get(url % args) self.assertEqual(403, response.status_code) # nonexisent cluster response = self.c.get(url % ("DOES_NOT_EXIST", self.vm.hostname, self.user1.id)) self.assertEqual(404, response.status_code) # nonexisent vm response = self.c.get(url % (self.cluster.slug, "DOES_NOT_EXIST", self.user1.id)) self.assertEqual(404, response.status_code) # valid GET authorized user (perm) grant(self.user, 'admin', self.vm) response = self.c.get(url % args) self.assertEqual(200, response.status_code) self.assertEqual('text/html; charset=utf-8', response['content-type']) self.assertTemplateUsed(response, 'object_permissions/permissions/form.html') self.user.revoke('admin', self.vm) # valid GET authorized user (cluster admin) grant(self.user, 'admin', self.cluster) response = self.c.get(url % args) self.assertEqual(200, response.status_code) self.assertEqual('text/html; charset=utf-8', response['content-type']) self.assertTemplateUsed(response, 'object_permissions/permissions/form.html') self.user.revoke('admin', self.cluster) # valid GET authorized user (superuser) self.user.is_superuser = True self.user.save() response = self.c.get(url % args) self.assertEqual(200, response.status_code) self.assertTemplateUsed(response, 'object_permissions/permissions/form.html') # invalid user response = self.c.get(url % (self.cluster.slug, self.vm.hostname, -1)) self.assertEqual(404, response.status_code) # invalid user (POST) self.user1.grant('power', self.vm) data = {'permissions': ['admin'], 'user': -1, 'obj': self.vm.pk} response = self.c.post(url_post % args_post, data) self.assertEqual('application/json', response['content-type']) self.assertNotEqual('0', response.content) # no user (POST) self.user1.grant('power', self.vm) data = {'permissions': ['admin'], 'obj': self.vm.pk} response = self.c.post(url_post % args_post, data) self.assertEqual('application/json', response['content-type']) self.assertNotEqual('0', response.content) # valid POST user has permissions self.user1.grant('power', self.vm) data = {'permissions': ['admin'], 'user': self.user1.id, 'obj': self.vm.pk} response = self.c.post(url_post % args_post, data) self.assertEqual('text/html; charset=utf-8', response['content-type']) self.assertTemplateUsed(response, 'object_permissions/permissions/user_row.html') self.assertTrue(self.user1.has_perm('admin', self.vm)) self.assertFalse(self.user1.has_perm('power', self.vm)) # valid POST user has no permissions left data = {'permissions': [], 'user': self.user1.id, 'obj': self.vm.pk} response = self.c.post(url_post % args_post, data) self.assertEqual(200, response.status_code) self.assertEqual('application/json', response['content-type']) self.assertEqual([], get_user_perms(self.user, self.vm)) self.assertEqual('"user_88"', response.content)
def view_obj_permissions(request, class_name, obj_id=None, user_id=None, group_id=None, row_template='object_permissions/permissions/object_row.html'): """ Generic view for editing permissions on an object when the user is already. Known. This is an admin only view since it is impossible to know the permission scheme for the apps that are registering properties. """ if not request.user.is_superuser: return HttpResponseForbidden('You are not authorized to view this page') try: cls = get_class(class_name) except KeyError: return HttpResponseNotFound('Class type does not exist') if request.method == 'POST': form = ObjectPermissionFormNewUsers(cls, request.POST) if form.is_valid(): data = form.cleaned_data form_user = form.cleaned_data['user'] group = form.cleaned_data['group'] edited_user = form_user if form_user else group if form.update_perms(): # send correct signal based on new or edited user if data['new']: view_add_user.send(sender=cls, editor=request.user, user=edited_user, obj=data['obj']) else: view_edit_user.send(sender=cls, editor=request.user, user=edited_user, obj=data['obj']) # return html to replace existing user row return render_to_response(row_template, {'class_name':class_name, 'obj':data['obj'], 'persona':edited_user}) else: # no permissions, send ajax response to remove object view_remove_user.send(sender=cls, editor=request.user, user=edited_user, obj=data['obj']) id = '"%s_%s"' % (class_name, obj_id) return HttpResponse(id, mimetype='application/json') # error in form return ajax response content = json.dumps(form.errors) return HttpResponse(content, mimetype='application/json') # GET - create form for editing and return as html if obj_id: obj = get_object_or_404(cls, pk=obj_id) data = {'obj':obj} if user_id: form_user = get_object_or_404(User, id=user_id) data['user'] = user_id data['permissions'] = get_user_perms(form_user, obj, False) url = reverse('user-edit-permissions', args=(user_id, class_name, obj_id)) elif group_id: group = get_object_or_404(Group, id=group_id) data['group'] = group_id data['permissions'] = get_group_perms(group, obj) url = reverse('group-edit-permissions', args=(group_id, class_name, obj_id)) else: obj = None if user_id: get_object_or_404(User, id=user_id) data={'user':user_id} url = reverse('user-add-permissions', args=(user_id, class_name)) elif group_id: get_object_or_404(Group, id=group_id) data={'group':group_id} url = reverse('group-add-permissions', args=(group_id, class_name)) form = ObjectPermissionFormNewUsers(cls, data) return render_to_response('object_permissions/permissions/form.html', {'form':form, 'obj':obj, 'user_id':user_id, 'group_id':group_id, 'url':url}, context_instance=RequestContext(request))
def view_permissions(request, obj, url, user_id=None, group_id=None, user_template='object_permissions/permissions/user_row.html', group_template='object_permissions/permissions/group_row.html' ): """ Update a User or Group permissions on an object. This is a generic view intended to be used for editing permissions on any object. It must be configured with a model and url. It may also be customized by adding custom templates or changing the pk field. @param obj: object permissions are being set on @param url: name of url being edited @param user_id: ID of User being edited @param group_id: ID of Group being edited @param user_template: template used to render user rows @param group_template: template used to render group rows """ if request.method == 'POST': form = ObjectPermissionFormNewUsers(obj.__class__, request.POST) if form.is_valid(): data = form.cleaned_data form_user = form.cleaned_data['user'] group = form.cleaned_data['group'] edited_user = form_user if form_user else group if form.update_perms(): # send correct signal based on new or edited user if data['new']: view_add_user.send(sender=obj.__class__, editor=request.user, user=edited_user, obj=obj) else: view_edit_user.send(sender=obj.__class__, editor=request.user, user=edited_user, obj=obj) # return html to replace existing user row if form_user: return render_to_response(user_template, {'object':obj, 'user_detail':form_user, 'url':url}, context_instance=RequestContext(request)) else: return render_to_response(group_template, {'object':obj, 'group':group, 'url':url}, context_instance=RequestContext(request)) else: # no permissions, send ajax response to remove user view_remove_user.send(sender=obj.__class__, editor=request.user, user=edited_user, obj=obj) id = ('"user_%d"' if form_user else '"group_%d"')%edited_user.pk return HttpResponse(id, mimetype='application/json') # error in form return ajax response content = json.dumps(form.errors) return HttpResponse(content, mimetype='application/json') if user_id: form_user = get_object_or_404(User, id=user_id) data = {'permissions':get_user_perms(form_user, obj, False), 'user':user_id, 'obj':obj} elif group_id: group = get_object_or_404(Group, id=group_id) data = {'permissions':get_group_perms(group, obj), 'group':group_id, 'obj':obj} else: data = {} form = ObjectPermissionFormNewUsers(obj.__class__, data) return render_to_response('object_permissions/permissions/form.html', {'form':form, 'obj':obj, 'user_id':user_id, 'group_id':group_id, 'url':url}, context_instance=RequestContext(request))
def has_perm(user, perm, comm): return perm in get_user_perms(user, comm)
def test_view_user_permissions(self): """ Tests updating users permissions Verifies: * anonymous user returns 403 * lack of permissions returns 403 * nonexistent cluster returns 404 * invalid user returns 404 * invalid group returns 404 * missing user and group returns error as json * GET returns html for form * If user/group has permissions no html is returned * If user/group has no permissions a json response of -1 is returned """ args = (self.cluster.slug, self.user.id) args_post = self.cluster.slug url = "/cluster/%s/permissions/user/%s" url_post = "/cluster/%s/permissions/" # anonymous user response = self.c.get(url % args, follow=True) self.assertEqual(200, response.status_code) self.assertTemplateUsed(response, 'registration/login.html') # unauthorized user self.assertTrue(self.c.login(username=self.unauthorized.username, password='******')) response = self.c.get(url % args) self.assertEqual(403, response.status_code) # nonexisent cluster response = self.c.get(url % ("DOES_NOT_EXIST", self.user.id)) self.assertEqual(404, response.status_code) # valid GET authorized user (perm) self.assertTrue(self.c.login(username=self.cluster_admin.username, password='******')) response = self.c.get(url % args) self.assertEqual(200, response.status_code) self.assertEquals('text/html; charset=utf-8', response['content-type']) self.assertTemplateUsed(response, 'object_permissions/permissions/form.html') # valid GET authorized user (superuser) self.assertTrue(self.c.login(username=self.superuser.username, password='******')) response = self.c.get(url % args) self.assertEqual(200, response.status_code) self.assertTemplateUsed(response, 'object_permissions/permissions/form.html') # invalid user response = self.c.get(url % (self.cluster.slug, -1)) self.assertEqual(404, response.status_code) # invalid user (POST) self.user.grant('create_vm', self.cluster) data = { 'permissions': ['admin'], 'user': -1, 'obj': self.cluster.pk, } response = self.c.post(url_post % args_post, data) self.assertEquals('application/json', response['content-type']) self.assertNotEqual('0', response.content) # no user (POST) # XXX double-grant? self.user.grant('create_vm', self.cluster) data = { 'permissions': ['admin'], 'obj': self.cluster.pk, } response = self.c.post(url_post % args_post, data) self.assertEquals('application/json', response['content-type']) self.assertNotEqual('0', response.content) # valid POST user has permissions # XXX triple-grant?! self.user.grant('create_vm', self.cluster) data = { 'permissions': ['admin'], 'user': self.user.id, 'obj': self.cluster.pk, } response = self.c.post(url_post % args_post, data) self.assertEquals('text/html; charset=utf-8', response['content-type']) self.assertTemplateUsed(response, 'ganeti/cluster/user_row.html') self.assertTrue(self.user.has_perm('admin', self.cluster)) self.assertFalse(self.user.has_perm('create_vm', self.cluster)) # add quota to the user user_quota = {'default': 0, 'ram': 51, 'virtual_cpus': 10, 'disk': 3000} quota = Quota(cluster=self.cluster, user=self.user.get_profile()) quota.__dict__.update(user_quota) quota.save() self.assertEqual(user_quota, self.cluster.get_quota(self.user.get_profile())) # valid POST user has no permissions left data = { 'permissions': [], 'user': self.user.id, 'obj': self.cluster.pk, } response = self.c.post(url_post % args_post, data) self.assertEqual(200, response.status_code) self.assertEquals('application/json', response['content-type']) self.assertEqual([], get_user_perms(self.user, self.cluster)) # XXX this is too hardcoded and can spuriously fail self.assertEqual('"user_2"', response.content) # quota should be deleted (and showing default) self.assertEqual( 1, self.cluster.get_quota(self.user.get_profile())['default'] ) self.assertFalse(self.user.get_profile().quotas.all().exists()) # no permissions specified - user with no quota # XXX quadra-grant!!! self.user.grant('create_vm', self.cluster) self.cluster.set_quota(self.user.get_profile(), None) data = { 'permissions': [], 'user': self.user.id, 'obj': self.cluster.pk, } response = self.c.post(url % args, data) self.assertEqual(200, response.status_code) self.assertEquals('application/json', response['content-type']) self.assertNotEqual('0', response.content) # quota should be deleted (and showing default) self.assertEqual( 1, self.cluster.get_quota(self.user.get_profile())['default'] ) self.assertFalse(self.user.get_profile().quotas.all().exists())
def test_view_user_permissions(self): """ Tests updating User's permissions Verifies: * anonymous user returns 403 * lack of permissions returns 403 * nonexistent cluster returns 404 * invalid user returns 404 * invalid group returns 404 * missing user and group returns error as json * GET returns html for form * If user/group has permissions no html is returned * If user/group has no permissions a json response of -1 is returned """ args = (self.cluster.slug, self.vm.hostname, self.user1.id) args_post = (self.cluster.slug, self.vm.hostname) url = "/cluster/%s/%s/permissions/user/%s" url_post = "/cluster/%s/%s/permissions/" # anonymous user response = self.c.get(url % args, follow=True) self.assertEqual(200, response.status_code) self.assertTemplateUsed(response, 'registration/login.html') # unauthorized user self.assertTrue( self.c.login(username=self.user.username, password='******')) response = self.c.get(url % args) self.assertEqual(403, response.status_code) # nonexisent cluster response = self.c.get( url % ("DOES_NOT_EXIST", self.vm.hostname, self.user1.id)) self.assertEqual(404, response.status_code) # nonexisent vm response = self.c.get( url % (self.cluster.slug, "DOES_NOT_EXIST", self.user1.id)) self.assertEqual(404, response.status_code) # valid GET authorized user (perm) grant(self.user, 'admin', self.vm) response = self.c.get(url % args) self.assertEqual(200, response.status_code) self.assertEqual('text/html; charset=utf-8', response['content-type']) self.assertTemplateUsed(response, 'object_permissions/permissions/form.html') self.user.revoke('admin', self.vm) # valid GET authorized user (cluster admin) grant(self.user, 'admin', self.cluster) response = self.c.get(url % args) self.assertEqual(200, response.status_code) self.assertEqual('text/html; charset=utf-8', response['content-type']) self.assertTemplateUsed(response, 'object_permissions/permissions/form.html') self.user.revoke('admin', self.cluster) # valid GET authorized user (superuser) self.user.is_superuser = True self.user.save() response = self.c.get(url % args) self.assertEqual(200, response.status_code) self.assertTemplateUsed(response, 'object_permissions/permissions/form.html') # invalid user response = self.c.get(url % (self.cluster.slug, self.vm.hostname, -1)) self.assertEqual(404, response.status_code) # invalid user (POST) self.user1.grant('power', self.vm) data = {'permissions': ['admin'], 'user': -1, 'obj': self.vm.pk} response = self.c.post(url_post % args_post, data) self.assertEqual('application/json', response['content-type']) self.assertNotEqual('0', response.content) # no user (POST) self.user1.grant('power', self.vm) data = {'permissions': ['admin'], 'obj': self.vm.pk} response = self.c.post(url_post % args_post, data) self.assertEqual('application/json', response['content-type']) self.assertNotEqual('0', response.content) # valid POST user has permissions self.user1.grant('power', self.vm) data = { 'permissions': ['admin'], 'user': self.user1.id, 'obj': self.vm.pk } response = self.c.post(url_post % args_post, data) self.assertEqual('text/html; charset=utf-8', response['content-type']) self.assertTemplateUsed( response, 'object_permissions/permissions/user_row.html') self.assertTrue(self.user1.has_perm('admin', self.vm)) self.assertFalse(self.user1.has_perm('power', self.vm)) # valid POST user has no permissions left data = {'permissions': [], 'user': self.user1.id, 'obj': self.vm.pk} response = self.c.post(url_post % args_post, data) self.assertEqual(200, response.status_code) self.assertEqual('application/json', response['content-type']) self.assertEqual([], get_user_perms(self.user, self.vm)) self.assertEqual('"user_88"', response.content)
def test_view_user_permissions(self): """ Tests updating users permissions Verifies: * anonymous user returns 403 * lack of permissions returns 403 * nonexistent cluster returns 404 * invalid user returns 404 * invalid group returns 404 * missing user and group returns error as json * GET returns html for form * If user/group has permissions no html is returned * If user/group has no permissions a json response of -1 is returned """ args = (self.cluster.slug, self.user.id) args_post = self.cluster.slug url = "/cluster/%s/permissions/user/%s" url_post = "/cluster/%s/permissions/" # anonymous user response = self.c.get(url % args, follow=True) self.assertEqual(200, response.status_code) self.assertTemplateUsed(response, 'registration/login.html') # unauthorized user self.assertTrue( self.c.login(username=self.unauthorized.username, password='******')) response = self.c.get(url % args) self.assertEqual(403, response.status_code) # nonexisent cluster response = self.c.get(url % ("DOES_NOT_EXIST", self.user.id)) self.assertEqual(404, response.status_code) # valid GET authorized user (perm) self.assertTrue( self.c.login(username=self.cluster_admin.username, password='******')) response = self.c.get(url % args) self.assertEqual(200, response.status_code) self.assertEquals('text/html; charset=utf-8', response['content-type']) self.assertTemplateUsed(response, 'object_permissions/permissions/form.html') # valid GET authorized user (superuser) self.assertTrue( self.c.login(username=self.superuser.username, password='******')) response = self.c.get(url % args) self.assertEqual(200, response.status_code) self.assertTemplateUsed(response, 'object_permissions/permissions/form.html') # invalid user response = self.c.get(url % (self.cluster.slug, -1)) self.assertEqual(404, response.status_code) # invalid user (POST) self.user.grant('create_vm', self.cluster) data = { 'permissions': ['admin'], 'user': -1, 'obj': self.cluster.pk, } response = self.c.post(url_post % args_post, data) self.assertEquals('application/json', response['content-type']) self.assertNotEqual('0', response.content) # no user (POST) # XXX double-grant? self.user.grant('create_vm', self.cluster) data = { 'permissions': ['admin'], 'obj': self.cluster.pk, } response = self.c.post(url_post % args_post, data) self.assertEquals('application/json', response['content-type']) self.assertNotEqual('0', response.content) # valid POST user has permissions # XXX triple-grant?! self.user.grant('create_vm', self.cluster) data = { 'permissions': ['admin'], 'user': self.user.id, 'obj': self.cluster.pk, } response = self.c.post(url_post % args_post, data) self.assertEquals('text/html; charset=utf-8', response['content-type']) self.assertTemplateUsed(response, 'ganeti/cluster/user_row.html') self.assertTrue(self.user.has_perm('admin', self.cluster)) self.assertFalse(self.user.has_perm('create_vm', self.cluster)) # add quota to the user user_quota = { 'default': 0, 'ram': 51, 'virtual_cpus': 10, 'disk': 3000 } quota = Quota(cluster=self.cluster, user=self.user.get_profile()) quota.__dict__.update(user_quota) quota.save() self.assertEqual(user_quota, self.cluster.get_quota(self.user.get_profile())) # valid POST user has no permissions left data = { 'permissions': [], 'user': self.user.id, 'obj': self.cluster.pk, } response = self.c.post(url_post % args_post, data) self.assertEqual(200, response.status_code) self.assertEquals('application/json', response['content-type']) self.assertEqual([], get_user_perms(self.user, self.cluster)) # XXX this is too hardcoded and can spuriously fail self.assertEqual('"user_2"', response.content) # quota should be deleted (and showing default) self.assertEqual( 1, self.cluster.get_quota(self.user.get_profile())['default']) self.assertFalse(self.user.get_profile().quotas.all().exists()) # no permissions specified - user with no quota # XXX quadra-grant!!! self.user.grant('create_vm', self.cluster) self.cluster.set_quota(self.user.get_profile(), None) data = { 'permissions': [], 'user': self.user.id, 'obj': self.cluster.pk, } response = self.c.post(url % args, data) self.assertEqual(200, response.status_code) self.assertEquals('application/json', response['content-type']) self.assertNotEqual('0', response.content) # quota should be deleted (and showing default) self.assertEqual( 1, self.cluster.get_quota(self.user.get_profile())['default']) self.assertFalse(self.user.get_profile().quotas.all().exists())
def view_obj_permissions( request, class_name, obj_id=None, user_id=None, group_id=None, row_template='object_permissions/permissions/object_row.html'): """ Generic view for editing permissions on an object when the user is already. Known. This is an admin only view since it is impossible to know the permission scheme for the apps that are registering properties. """ if not request.user.is_superuser: return HttpResponseForbidden( 'You are not authorized to view this page') try: cls = get_class(class_name) except KeyError: return HttpResponseNotFound('Class type does not exist') if request.method == 'POST': form = ObjectPermissionFormNewUsers(cls, request.POST) if form.is_valid(): data = form.cleaned_data form_user = form.cleaned_data['user'] group = form.cleaned_data['group'] edited_user = form_user if form_user else group if form.update_perms(): # send correct signal based on new or edited user if data['new']: view_add_user.send(sender=cls, editor=request.user, user=edited_user, obj=data['obj']) else: view_edit_user.send(sender=cls, editor=request.user, user=edited_user, obj=data['obj']) # return html to replace existing user row return render_to_response( row_template, { 'class_name': class_name, 'obj': data['obj'], 'persona': edited_user }) else: # no permissions, send ajax response to remove object view_remove_user.send(sender=cls, editor=request.user, user=edited_user, obj=data['obj']) id = '"%s_%s"' % (class_name, obj_id) return HttpResponse(id, mimetype='application/json') # error in form return ajax response content = json.dumps(form.errors) return HttpResponse(content, mimetype='application/json') # GET - create form for editing and return as html if obj_id: obj = get_object_or_404(cls, pk=obj_id) data = {'obj': obj} if user_id: form_user = get_object_or_404(User, id=user_id) data['user'] = user_id data['permissions'] = get_user_perms(form_user, obj, False) url = reverse('user-edit-permissions', args=(user_id, class_name, obj_id)) elif group_id: group = get_object_or_404(Group, id=group_id) data['group'] = group_id data['permissions'] = get_group_perms(group, obj) url = reverse('group-edit-permissions', args=(group_id, class_name, obj_id)) else: obj = None if user_id: get_object_or_404(User, id=user_id) data = {'user': user_id} url = reverse('user-add-permissions', args=(user_id, class_name)) elif group_id: get_object_or_404(Group, id=group_id) data = {'group': group_id} url = reverse('group-add-permissions', args=(group_id, class_name)) form = ObjectPermissionFormNewUsers(cls, data) return render_to_response('object_permissions/permissions/form.html', { 'form': form, 'obj': obj, 'user_id': user_id, 'group_id': group_id, 'url': url }, context_instance=RequestContext(request))
def view_permissions( request, obj, url, user_id=None, group_id=None, user_template='object_permissions/permissions/user_row.html', group_template='object_permissions/permissions/group_row.html'): """ Update a User or Group permissions on an object. This is a generic view intended to be used for editing permissions on any object. It must be configured with a model and url. It may also be customized by adding custom templates or changing the pk field. @param obj: object permissions are being set on @param url: name of url being edited @param user_id: ID of User being edited @param group_id: ID of Group being edited @param user_template: template used to render user rows @param group_template: template used to render group rows """ if request.method == 'POST': form = ObjectPermissionFormNewUsers(obj.__class__, request.POST) if form.is_valid(): data = form.cleaned_data form_user = form.cleaned_data['user'] group = form.cleaned_data['group'] edited_user = form_user if form_user else group if form.update_perms(): # send correct signal based on new or edited user if data['new']: view_add_user.send(sender=obj.__class__, editor=request.user, user=edited_user, obj=obj) else: view_edit_user.send(sender=obj.__class__, editor=request.user, user=edited_user, obj=obj) # return html to replace existing user row if form_user: return render_to_response( user_template, { 'object': obj, 'user_detail': form_user, 'url': url }, context_instance=RequestContext(request)) else: return render_to_response( group_template, { 'object': obj, 'group': group, 'url': url }, context_instance=RequestContext(request)) else: # no permissions, send ajax response to remove user view_remove_user.send(sender=obj.__class__, editor=request.user, user=edited_user, obj=obj) id = ('"user_%d"' if form_user else '"group_%d"') % edited_user.pk return HttpResponse(id, mimetype='application/json') # error in form return ajax response content = json.dumps(form.errors) return HttpResponse(content, mimetype='application/json') if user_id: form_user = get_object_or_404(User, id=user_id) data = { 'permissions': get_user_perms(form_user, obj, False), 'user': user_id, 'obj': obj } elif group_id: group = get_object_or_404(Group, id=group_id) data = { 'permissions': get_group_perms(group, obj), 'group': group_id, 'obj': obj } else: data = {} form = ObjectPermissionFormNewUsers(obj.__class__, data) return render_to_response('object_permissions/permissions/form.html', { 'form': form, 'obj': obj, 'user_id': user_id, 'group_id': group_id, 'url': url }, context_instance=RequestContext(request))
def has_perm(user, perm, proj): return perm in get_user_perms(user, proj)