Esempio n. 1
0
def server(request, attachment, thumb=False):
    try:
        attachment = Attachment.objects.select_related('forum', 'thread', 'post', 'user').get(hash_id=attachment)
        if attachment.forum:
            request.acl.forums.allow_forum_view(attachment.forum)
        if attachment.thread:
            request.acl.threads.allow_thread_view(request.user, attachment.thread)
            if attachment.forum.special == 'private_threads':
                if not request.user.is_authenticated():
                    raise ACLError404()
                can_see_thread_because_reported = (
                    request.acl.private_threads.is_mod() and attachment.thread.replies_reported)
                can_see_thread_because_participates = request.user in attachment.thread.participants.all()
                if not (can_see_thread_because_reported or can_see_thread_because_participates):
                    raise ACLError404()
            if attachment.post:
                request.acl.threads.allow_post_view(request.user, attachment.thread, attachment.post)
                request.acl.threads.allow_attachment_download(request.user, attachment.forum, attachment.post)
        return serve_file(attachment, thumb)
    except ACLError403:
        if attachment.is_image:
            return serve_403_image()
        return error403(request,  _("You don't have permission to download this file."))
    except (Attachment.DoesNotExist, ACLError404):
        if thumb:
            return serve_404_image()
        return error404(request, _("Requested file could not be found."))
Esempio n. 2
0
 def allow_deleted_post_view(self, forum):
     try:
         forum_role = self.acl[forum.pk]
         if not forum_role['can_delete_posts']:
             raise ACLError404()
     except KeyError:
         raise ACLError404()
Esempio n. 3
0
 def allow_thread_view(self, user, thread):
     try:
         forum_role = self.acl[thread.forum_id]
         if forum_role['can_read_threads'] == 0:
             raise ACLError403(_("You don't have permission to read threads in this forum."))
         if forum_role['can_read_threads'] == 1 and thread.weight < 2 and thread.start_poster_id != user.id:
             raise ACLError404()
         if thread.moderated and not (forum_role['can_approve'] or (user.is_authenticated() and user == thread.start_poster)):
             raise ACLError404()
         if thread.deleted and not forum_role['can_delete_threads']:
             raise ACLError404()
     except KeyError:
         raise ACLError403(_("You don't have permission to read threads in this forum."))
Esempio n. 4
0
    def make_query(self, search_data):
        try:
            sqs = MisagoSearchQuerySet(self.request.user, self.request.acl)
            if self.search_route == 'search_private_threads':
                sqs.allow_forum_search(
                    Forum.objects.special_model('private_threads'))
            elif self.search_route == 'search_reports':
                sqs.allow_forum_search(Forum.objects.special_model('reports'))
            else:
                if search_data.get('search_forums'):
                    if search_data.get('search_forums_childs'):
                        Forum.objects.populate_tree()
                        forums_tree = Forum.objects.forums_tree
                        readable_forums = Forum.objects.readable_forums(
                            self.request.acl)

                        ranges = []
                        for forum in search_data.get('search_forums'):
                            if not ranges or ranges[-1][1] < forum.rght:
                                ranges.append((forum.lft, forum.rght))

                        forums = []
                        for rang in ranges:
                            for pk, forum in forums_tree.items():
                                if pk in readable_forums:
                                    if forum.lft >= rang[
                                            0] and forum.rght <= rang[1]:
                                        forums.append(pk)
                                    if forum.lft > rang[1]:
                                        break

                        sqs.in_forums(forums)
                    else:
                        sqs.in_forums(
                            [f.pk for f in search_data.get('search_forums')])
                else:
                    sqs.in_forums(
                        Forum.objects.readable_forums(self.request.acl))

            if search_data.get('search_thread_titles'):
                sqs.search_thread_name(search_data.get('search_query'))
                sqs.search_thread_titles()
            else:
                sqs.search_content(search_data.get('search_query'))

            if search_data.get('search_thread'):
                sqs.search_thread_name_link(search_data.get('search_thread'))

            if search_data.get('search_author'):
                sqs.search_user_name(search_data.get('search_author'))

            if search_data.get('search_before'):
                sqs.search_before(search_data.get('search_before'))

            if search_data.get('search_after'):
                sqs.search_after(search_data.get('search_after'))

            return sqs
        except Thread.DoesNotExist:
            raise ACLError404()
Esempio n. 5
0
 def fetch_poll(self):
     self.poll = Poll.objects.select_for_update().get(thread=self.thread.pk)
     if not self.poll:
         raise ACLError404(_("Poll could not be found."))
     self.poll.option_set.all()
     self.poll.user_votes = self.request.user.pollvote_set.filter(poll=self.poll)
     self.request.acl.threads.allow_vote_in_polls(self.forum, self.thread, self.poll)
Esempio n. 6
0
File: jumps.py Progetto: xyzz/Misago 
 def make_jump(self):
     if not self.request.acl.threads.can_mod_posts(self.forum):
         raise ACLError404()
     try:
         return self.redirect_to_post(
             self.thread.post_set.get(reported=True))
     except Post.DoesNotExist:
         return error404(self.request)
Esempio n. 7
0
 def make_jump(self):
     if not self.request.acl.threads.can_approve(self.forum):
         raise ACLError404()
     try:
         return self.redirect_to_post(
             self.thread.post_set.filter(moderated=True)[:1][0])
     except IndexError:
         return error404(self.request)
Esempio n. 8
0
 def check_permissions(self):
     try:
         if self.thread.pk:
             if not ((self.thread.replies_reported > 0
                      and self.request.acl.private_threads.is_mod()) or
                     (self.request.user in self.thread.participants.all())):
                 raise ACLError404()
     except AttributeError:
         pass
Esempio n. 9
0
    def fetch_forum(self):
        self.forum = Forum.objects.get(pk=self.kwargs.get('forum'),
                                       type='forum')

        self.prefixes = ThreadPrefix.objects.forum_prefixes(self.forum)
        self.active_prefix = self.kwargs.get('prefix', None)
        if self.active_prefix:
            for prefix in self.prefixes.values():
                if self.active_prefix == prefix.slug:
                    self.active_prefix = prefix
                    break
            else:
                raise ACLError404()
Esempio n. 10
0
 def __call__(self, request, **kwargs):
     try:
         if request.user.is_crawler():
             raise ACLError404()
         if not request.acl.search.can_search():
             raise ACLError403(
                 _("You don't have permission to search community."))
         self.request = request
         return self.call(**kwargs)
     except ACLError403 as e:
         return error403(request, unicode(e))
     except ACLError404 as e:
         return error404(request, unicode(e))
Esempio n. 11
0
File: views.py Progetto: xyzz/Misago 
    def make_query(self, search_query):
        sqs = SearchQuerySet()
        if self.request.POST.get('search_thread_titles'):
            sqs = sqs.filter(thread_name=AutoQuery(search_query))
        else:
            sqs = sqs.auto_query(search_query)

        if self.request.POST.get('search_in') == 'private':
            if not (self.request.acl.private_threads.can_participate()
                    and self.request.settings['enable_private_threads']):
                raise ACLError404()
            sqs = sqs.filter(thread__in=[
                t.pk for t in self.request.user.private_thread_set.all()
            ])
        elif self.request.POST.get('search_in') == 'reports':
            if not self.request.acl.reports.can_handle():
                raise ACLError404()
            sqs = sqs.filter(forum=Forum.objects.special_pk('reports'))
        elif self.request.POST.get('search_in') == 'thread':
            try:
                thread_id = int(self.request.POST.get('search_thread'))
                thread_clean = Thread.objects.get(id=thread_id)
                if not thread_clean.forum_id in Forum.objects.readable_forums(
                        self.request.acl, True):
                    raise ACLError404()
                self.thread_clean = thread_clean
                sqs = sqs.filter(thread=thread_clean.pk)
            except (TypeError, Thread.DoesNotExist):
                raise ACLError404()
        else:
            sqs = sqs.filter(
                forum__in=Forum.objects.readable_forums(self.request.acl))

        if self.request.POST.get('search_author'):
            sqs = sqs.filter(
                author__exact=self.request.POST.get('search_author'))

        return sqs
Esempio n. 12
0
 def __call__(self, request, **kwargs):
     self.search_route = self.default_search_route
     self.search_form = self.default_search_form
     try:
         self.request = request
         if request.user.is_crawler():
             raise ACLError404()
         self.check_acl()
         if not request.acl.search.can_search():
             raise ACLError403(
                 _("You don't have permission to search community."))
         if self.request.method == "POST":
             return self.search(request)
         return self.draw_form(request)
     except ACLError403 as e:
         return error403(request, unicode(e))
     except ACLError404 as e:
         return error404(request, unicode(e))
Esempio n. 13
0
 def form_initial_data(self):
     if self.kwargs.get('user'):
         try:
             user = User.objects.get(id=self.kwargs.get('user'))
             acl = user.acl(self.request)
             if not acl.private_threads.can_participate():
                 raise ACLError403(
                     _("This member can not participate in private threads."
                       ))
             if (not self.request.acl.private_threads.can_invite_ignoring()
                     and not user.allow_pd_invite(self.request.user)):
                 raise ACLError403(
                     _('%(user)s restricts who can invite him to private threads.'
                       ) % {'user': user.username})
             return {'invite_users': user.username}
         except User.DoesNotExist:
             raise ACLError404()
     return {}
Esempio n. 14
0
 def check_acl(self):
     if not self.request.acl.reports.can_handle():
         raise ACLError404()
Esempio n. 15
0
 def allow_forum_view(self, forum):
     if not self.can_see(forum):
         raise ACLError404()
     if not self.can_browse(forum):
         raise ACLError403(_("You don't have permission to browse this forum."))
Esempio n. 16
0
 def check_acl(self):
     if not self.request.acl.private_threads.can_participate():
         raise ACLError404()
Esempio n. 17
0
 def allow_post_view(self, user, thread, post):
     forum_role = self.acl[thread.forum_id]
     if post.moderated and not (forum_role['can_approve'] or (user.is_authenticated() and user == post.user)):
         raise ACLError404()
     if post.deleted and not (forum_role['can_delete_posts'] or (user.is_authenticated() and user == post.user)):
         raise ACLError404()
Esempio n. 18
0
 def check_permissions(self):
     if self.request.method != 'POST':
         raise ACLError404()
     if not self.request.user.is_authenticated():
         raise ACLError403(_("Only registered users can vote in polls."))
Esempio n. 19
0
 def fetch_poll(self):
     if not self.thread.poll:
         raise ACLError404(_('Selected poll could not be found.'))
     self.poll = self.thread.poll
Esempio n. 20
0
File: users.py Progetto: xyzz/Misago 
 def allow_details_view(self):
     if not self.acl['can_see_users_trails']:
         raise ACLError404()