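        def _check_global_or_local_perm(request, *args, **kwargs):
            """Run ``view_func`` if the caller holds ``global_perm_name``
            site-wide, or ``perm_name`` on the ``Text`` named by
            ``kwargs['key']``.

            Closure over the enclosing decorator's ``view_func``,
            ``perm_name``, ``global_perm_name``, ``must_be_logged_in`` and
            ``api``.

            Returns:
                The wrapped view's response, or ``rc.FORBIDDEN`` in api mode
                when the caller is denied.
            Raises:
                UnauthorizedException: not logged in / no permission (non-api).
                Exception: the view was wrapped without a ``key`` kwarg, so no
                    object-level check is possible -- fail closed, not open.
            """
            # The login requirement is enforced *before* NO_SECURITY is
            # consulted here (the sibling _check_local_perm checks
            # NO_SECURITY first) -- confirm which ordering is intended.
            if must_be_logged_in and not is_authenticated(request):
                if not api:
                    raise UnauthorizedException('Should be logged in')
                return rc.FORBIDDEN

            # A site-wide permission short-circuits the object lookup.
            # NOTE(review): this and is_authenticated() above are handed
            # ``request`` even in api mode, where the real request is
            # args[0] (see below); confirm that is intended.
            if has_perm(request, global_perm_name, text=None):
                return view_func(request, *args, **kwargs)

            if cm_settings.NO_SECURITY:
                return view_func(request, *args, **kwargs)

            # Without a text key there is nothing to authorise against; that
            # is a wiring error, so raise rather than let the view run.
            if 'key' not in kwargs:
                raise Exception('no security check possible')
            text = get_object_or_404(Text, key=kwargs['key'])

            # In api mode the view's first positional parameter is the
            # handler object and the HTTP request is args[0].
            req = args[0] if api else request

            if has_perm(req, perm_name, text=text):
                return view_func(request, *args, **kwargs)

            # Denied.  (The trailing "No global perm ... nor local perm"
            # raise that used to follow here was unreachable.)
            if not api:
                raise UnauthorizedException('No perm %s' % perm_name)
            return rc.FORBIDDEN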
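        def _check_local_perm(request, *args, **kwargs):
            """Run ``view_func`` if the caller holds ``perm_name`` on the
            ``Text`` named by ``kwargs['key']``.

            Closure over the enclosing decorator's ``view_func``,
            ``perm_name``, ``must_be_logged_in`` and ``api``.

            Returns:
                The wrapped view's response, or ``rc.FORBIDDEN`` in api mode
                when the caller is denied.
            Raises:
                UnauthorizedException: not logged in / no permission (non-api).
                Exception: the view was wrapped without a ``key`` kwarg, so no
                    object-level check is possible -- fail closed, not open.
            """
            # NO_SECURITY bypasses the login requirement as well as the
            # permission check -- a global kill-switch for authorisation, so
            # it must stay off anywhere untrusted clients can reach.
            if cm_settings.NO_SECURITY:
                return view_func(request, *args, **kwargs)

            if must_be_logged_in and not is_authenticated(request):
                if not api:
                    raise UnauthorizedException('Should be logged in')
                return rc.FORBIDDEN

            # Without a text key there is nothing to authorise against; that
            # is a wiring error, so raise rather than let the view run.
            if 'key' not in kwargs:
                raise Exception('no security check possible')
            text = get_object_or_404(Text, key=kwargs['key'])

            # In api mode the view's first positional parameter is the
            # handler object and the HTTP request is args[0].
            req = args[0] if api else request
            if has_perm(req, perm_name, text=text):
                return view_func(request, *args, **kwargs)

            # Denied.  (A "redirect anonymous users to login when somebody
            # could hold the perm" idea used to sit here as commented-out
            # code; it was never wired up and has been dropped.)
            if not api:
                raise UnauthorizedException('No perm %s' % perm_name)
            return rc.FORBIDDEN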
        def _check_global_perm(request, *args, **kwargs):
            """Run ``view_func`` only if the caller holds the site-wide
            ``perm_name`` (no object scope).

            Closure over the enclosing decorator's ``view_func``,
            ``perm_name`` and ``must_be_logged_in``.  Unlike the local-perm
            variants there is no api/``rc.FORBIDDEN`` path: every denial
            raises ``UnauthorizedException``.
            """
            login_ok = not must_be_logged_in or is_authenticated(request)
            if not login_ok:
                raise UnauthorizedException('Should be logged in')

            if not has_perm(request, perm_name, text=None):
                raise UnauthorizedException('No global perm %s' % perm_name)

            return view_func(request, *args, **kwargs)
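def text_delete(request, key):
    """Delete the text identified by ``key``.  POST only; called from js.

    The method check now runs before any database access, so a non-POST
    request cannot even trigger the lookup, and the text is resolved with
    ``get_text_by_keys_or_404`` (as ``text_revert`` does) so an unknown key
    becomes a 404 instead of an unhandled ``Text.DoesNotExist``.

    NOTE(review): no permission check is visible in this function; it is
    presumably enforced by a decorator on the view (e.g. can_delete_text).
    Confirm before relying on it.

    Raises:
        UnauthorizedException: request method is not POST.
    """
    if request.method != 'POST':
        raise UnauthorizedException('Unauthorized')

    text = get_text_by_keys_or_404(key)
    display_message(request, _(u'Text %(text_title)s deleted') % {'text_title': text.title})
    register_activity(request, "text_removed", text=text)
    text.delete()
    return HttpResponse('')  # no redirect because this is called by js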
def text_revert(request, key, text_version_key):
    """Create a new version of text ``key`` copied from ``text_version_key``.

    POST only (called from js); any other method raises
    ``UnauthorizedException`` before anything is looked up.  Unknown text
    keys surface as a 404 via ``get_text_by_keys_or_404``.

    NOTE(review): no permission check is visible here; presumably a
    decorator on the view enforces it -- confirm.
    """
    if request.method != 'POST':
        raise UnauthorizedException('Unauthorized')

    text = get_text_by_keys_or_404(key)
    new_version = text.revert_to_version(text_version_key)

    notice = _(u'A new version (copied from version %(version_title)s) has been created') % {
        'version_title': new_version.title}
    display_message(request, notice)

    return HttpResponse('')  # no redirect because this is called by js
def user_send_invitation(request, key):
    """Re-send the invitation e-mail for the profile with ``key``.

    POST only (called from js); any other method raises
    ``UnauthorizedException``.  An unknown profile key is a 404.

    NOTE(review): authorisation is not visible in this function -- it is
    presumably applied by a decorator on the view; confirm.
    """
    if request.method != 'POST':
        raise UnauthorizedException('')

    profile = get_object_or_404(UserProfile, key=key)
    profile.send_invitation_email()

    notice = _(u"A new invitation has been sent to user %(prof)s.") % {
        'prof': profile.simple_print()}
    display_message(request, notice)
    return HttpResponse('')  # no redirect because this is called by js
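def get_text_and_admin(key, adminkey, assert_admin=False):
    """Resolve text ``key`` and tell whether ``adminkey`` grants admin on it.

    ``adminkey`` is a capability-style secret stored on the text: the admin
    lookup matches ``key`` *and* ``adminkey`` together, so a wrong secret
    never yields the text with ``admin=True``.

    Args:
        key: the text's public key.
        adminkey: the text's admin secret, or a falsy value for plain access.
        assert_admin: when true, anything short of a verified admin match
            raises ``UnauthorizedException`` (per the original contract
            "redirect to unauthorized if not admin").

    Returns:
        ``(text, admin)`` where ``admin`` is True only when ``adminkey`` was
        given and matched.

    Raises:
        UnauthorizedException: ``assert_admin`` is set and the caller is not
            a verified admin -- including when the ``adminkey`` does not
            match, which previously escaped as a bare ``Text.DoesNotExist``
            (a server error rather than a denial).
        Text.DoesNotExist: no such text (or, without ``assert_admin``, an
            ``adminkey`` that does not match).
    """
    admin = False
    if adminkey:
        try:
            text = Text.objects.get(key=key, adminkey=adminkey)
        except Text.DoesNotExist:
            # Fail closed: a stale/forged adminkey must read as "not admin",
            # not as an unhandled exception, when admin was required.
            if assert_admin:
                raise UnauthorizedException('Is not admin')
            raise
        # .get() never returns None, so a successful lookup *is* the match;
        # the old ``if text:`` guard was redundant.
        admin = True
    else:
        text = Text.objects.get(key=key)

    if assert_admin and not admin:
        raise UnauthorizedException('Is not admin')
    return text, admin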
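def text_list(request):
    """List the texts the caller may view, optionally filtered by one tag.

    GET parameters: ``paginate`` (page size, via ``get_int``), ``order``
    (whitelisted through ``get_among`` -- the raw value never reaches
    ``order_by``) and ``tag_selected`` (a tag name).

    POST with ``action=delete``: every text whose ``check-<key>`` box was
    posted is deleted -- but only after ``can_delete_text`` has been
    verified on *all* of them.  The original deleted as it went and raised
    on the first denied key, leaving a half-deleted batch behind; now a
    denial happens before any delete.  Unknown keys become a 404 via
    ``get_text_by_keys_or_404`` (consistent with ``text_revert``).

    Raises:
        UnauthorizedException: a delete was requested on a text the caller
            may not delete; nothing has been deleted in that case.
    """
    paginate_by = get_int(request.GET, 'paginate', TEXT_PAGINATION)
    tag_selected = request.GET.get('tag_selected', 0)

    order_by = get_among(request.GET, 'order',
                         ('title', 'author', 'modified', '-title', '-author', '-modified'),
                         '-modified')

    if request.method == 'POST':
        action = request.POST.get('action', None)
        text_keys = get_keys_from_dict(request.POST, 'check-').keys()
        if action == 'delete':
            # Resolve and authorise every key first, then delete, so a
            # single off-limits text cannot leave a partial deletion.
            to_delete = []
            for text_key in text_keys:
                text = get_text_by_keys_or_404(text_key)
                if not has_perm(request, 'can_delete_text', text=text):
                    raise UnauthorizedException('No perm can_delete_text on text')
                to_delete.append(text)
            for text in to_delete:
                text.delete()
            display_message(request, _(u'%(nb_texts)i text(s) deleted') % {'nb_texts': len(text_keys)})
            return HttpResponseRedirect(reverse('text'))

    # One permission-filtered queryset serves both the listing and the tag
    # cloud (it used to be computed twice).
    viewable = get_texts_with_perm(request, 'can_view_text')
    texts = viewable.order_by(order_by)

    try:
        tag_list = Tag.objects.usage_for_queryset(
            TextVersion.objects.filter(id__in=[t.last_text_version_id for t in viewable]))
    except EmptyResultSet:
        tag_list = []
    context = {
        'tag_list': tag_list,
        'tag_selected': tag_selected,
    }

    if tag_selected:
        # The tag name from GET only ever goes through the ORM filter; the
        # raw where-clause below interpolates two integer primary keys
        # (``%i`` rejects anything that is not an int), never request data.
        tag_ids = Tag.objects.filter(name=tag_selected)
        if tag_ids:
            content_type_id = ContentType.objects.get_for_model(TextVersion).pk
            # table cm_userprofile is not present if display_suspended_users: fix this
            texts = texts.extra(where=['tagging_taggeditem.object_id = cm_text.last_text_version_id',
                                       'tagging_taggeditem.content_type_id = %i' % content_type_id,
                                       'tagging_taggeditem.tag_id = %i' % tag_ids[0].id],
                                tables=['tagging_taggeditem'],
                                )

    return object_list(request, texts,
                       template_name='site/text_list.html',
                       paginate_by=paginate_by,
                       extra_context=context,
                       )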
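def user_activate(request, key):
    """Activate -- or, if already active, log in -- the account whose profile
    carries activation key ``key``.

    Inactive user: GET renders the validation and set-password forms; a
    valid POST saves both, marks the user active, logs them in and redirects
    to ``index``.  Active user: the bearer of the link is logged in straight
    away and redirected.

    The ``try`` is now limited to the lookup, which is the only statement
    that can raise ``UserProfile.DoesNotExist``; the original wrapped the
    whole view in it.

    Raises:
        UnauthorizedException: no profile has this activation key.

    NOTE(review): for an already-active user this link logs the bearer in on
    any request method with no further check, so the activation key acts as
    a reusable login token for as long as it remains on the profile.
    Confirm that is intended; otherwise clear or rotate it once the account
    is active.
    """
    try:
        profile = UserProfile.objects.get(adminkey=key)
    except UserProfile.DoesNotExist:
        raise UnauthorizedException('No profile')
    user = profile.user

    if user.is_active:
        user.backend = 'django.contrib.auth.backends.ModelBackend'
        django_login(request, user)
        display_message(
            request,
            _(u"Your account has been activated. You're now logged-in."))
        return HttpResponseRedirect(reverse('index'))

    if request.method == 'POST':
        userform = UserValidateForm(request.POST, instance=user)
        pwform = SetPasswordForm(profile.user, request.POST)
        if userform.is_valid() and pwform.is_valid():
            userform.save()
            pwform.save()
            user.is_active = True
            user.save()
            # login
            user.backend = 'django.contrib.auth.backends.ModelBackend'
            django_login(request, user)
            register_activity(request, "user_activated", user=user)
            display_message(
                request,
                _(u"Your account has been activated. You're now logged-in."))
            return HttpResponseRedirect(reverse('index'))
        # invalid POST: fall through and re-render the bound forms
    else:
        # Blank the username on the (unsaved) instance so the form asks for
        # one -- presumably the pre-activation username is a placeholder;
        # confirm.
        user.username = ''
        userform = UserValidateForm(instance=user)
        pwform = SetPasswordForm(user)

    # NOTE(review): this clears the entire cache on every render of the
    # activation page, not just on successful activation -- verify needed.
    cache.clear()
    return render_to_response('site/activate.html', {
        'forms': [userform, pwform],
        'title': _(u'Activate your account'),
        'save_name': _(u'activate account'),
    },
                              context_instance=RequestContext(request))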
def user_enable(request, key):
    """Lift the suspension on the profile with ``key``.

    POST only (called from js); other methods raise ``UnauthorizedException``.
    An already-active user simply gets access restored; a not-yet-active one
    is treated as a newly approved member and sent the activation e-mail.

    NOTE(review): authorisation is not visible in this function -- it is
    presumably applied by a decorator on the view; confirm.
    """
    if request.method != 'POST':
        raise UnauthorizedException('')

    profile = get_object_or_404(UserProfile, key=key)
    profile.is_suspended = False
    profile.save()

    who = profile.simple_print()
    if profile.user.is_active:
        display_message(request,
                        _(u"User's access %(prof)s has been restored.") % {'prof': who})
        register_activity(request, "user_enabled", user=profile.user)
    else:
        # new member approval: the account still has to be activated
        profile.send_activation_email()
        display_message(request,
                        _(u"User's access %(prof)s has been approved.") % {'prof': who})
        register_activity(request, "user_approved", user=profile.user)

    return HttpResponse('')  # no redirect because this is called by js
        def _check_local_perm(request, *args, **kwargs):
            """Authorise a comment-level view: ``perm_name`` on the whole
            text, or failing that ``perm_name + "_own"`` on the specific
            comment.

            Closure over the enclosing decorator's ``view_func`` and
            ``perm_name``.  ``kwargs['key']`` is always required;
            ``kwargs['comment_key']`` is required once the text-level check
            has failed.  A missing key is a wiring error and raises a plain
            ``Exception`` (fail closed).  Note there is no login check here,
            unlike the text-level decorators.
            """
            if cm_settings.NO_SECURITY:
                return view_func(request, *args, **kwargs)

            if 'key' not in kwargs:
                raise Exception('no security check possible: no text key')
            text = get_object_or_404(Text, key=kwargs['key'])

            # A text-wide permission wins outright.
            if has_perm(request, perm_name, text=text):
                return view_func(request, *args, **kwargs)

            if 'comment_key' not in kwargs:
                raise Exception('no security check possible: no comment key')
            comment = get_object_or_404(Comment, key=kwargs['comment_key'])

            # Otherwise fall back to the "_own" variant scoped to this comment.
            if has_own_perm(request, perm_name + "_own", text, comment):
                return view_func(request, *args, **kwargs)

            raise UnauthorizedException('No perm %s on comment' % perm_name)
def user_suspend(request, key):
    """Suspend the profile with ``key``.

    POST only (called from js); other methods raise ``UnauthorizedException``.
    An active user is marked suspended.  A not-yet-active one (a pending
    member) is marked suspended *and* flipped to active, so the record is
    "active but refused" rather than left pending.

    NOTE(review): authorisation is not visible in this function -- it is
    presumably applied by a decorator on the view; confirm.
    """
    if request.method != 'POST':
        raise UnauthorizedException('')

    profile = get_object_or_404(UserProfile, key=key)
    profile.is_suspended = True
    profile.save()

    who = profile.simple_print()
    if profile.user.is_active:
        display_message(request,
                        _(u"User's access %(prof)s has been suspended.") % {'prof': who})
        register_activity(request, "user_suspended", user=profile.user)
    else:
        # make the user active but disabled: this is a refusal, not a pending state
        profile.user.is_active = True
        profile.user.save()
        display_message(request,
                        _(u"User's access %(prof)s has been refused.") % {'prof': who})
        register_activity(request, "user_refused", user=profile.user)

    return HttpResponse('')  # no redirect because this is called by js