def has_own_perm(request, perm_name, text, comment):
user = get_request_user(request)
if not user:
return False
# bypass sec if NO_SECURITY
if cm_settings.NO_SECURITY:
return True
# make sure perm exist
assert Permission.objects.get(codename=perm_name)
try:
myself = request.GET.get('name', None)
except AttributeError:
myself = None
key = sha1(str((settings.SITE_URL, 'has_own_perm', (user, myself, text, comment, perm_name)))).hexdigest()
val = cache.get(key)
if val != None:
return val
# 2 special cases for comment own edition:
# 1
# if perm = can_edit_own_comment and
# text is a priori moderated and
# comment is approved and
# don't have moderation rights and
if comment and comment.state == 'approved' and \
perm_name == 'can_edit_comment_own' and \
text.last_text_version.mod_posteriori == False and \
not has_perm(request, 'can_manage_text', text=text):
cache.set(key, False)
return False
# 2
# if perm = can_edit_own_comment and and
# text is a posteriori moderated and
# there is a reply
# don't have moderation rights and
if comment and comment.state == 'approved' and \
perm_name == 'can_edit_comment_own' and \
text.last_text_version.mod_posteriori == True and \
comment.comment_set.count() != 0 and \
not has_perm(request, 'can_manage_text', text=text):
cache.set(key, False)
return False
actual_own_user = False
if comment.user == request.user:
if DECORATED_CREATORS:
if myself == comment.get_name():
actual_own_user = True
else:
actual_own_user = True
ret = (actual_own_user and has_perm(request, perm_name, text=text))
cache.set(key, ret)
return ret
def _check_global_or_local_perm(request, *args, **kwargs):
if must_be_logged_in and not is_authenticated(request):
if not api:
raise UnauthorizedException('Should be logged in')
else:
return rc.FORBIDDEN
if has_perm(request, global_perm_name, text=None):
return view_func(request, *args, **kwargs)
if cm_settings.NO_SECURITY:
return view_func(request, *args, **kwargs)
if 'key' in kwargs:
text = get_object_or_404(Text, key=kwargs['key'])
else:
raise Exception('no security check possible')
# in api, the view has an object as first parameter, request is args[0]
if not api:
req = request
else:
req = args[0]
if has_perm(req, perm_name, text=text):
return view_func(request, *args, **kwargs)
if not api:
raise UnauthorizedException('No perm %s' % perm_name)
else:
return rc.FORBIDDEN
raise UnauthorizedException('No global perm %s nor local perm %s' %
(global_perm_name, perm_name))
def _check_global_or_local_perm(request, *args, **kwargs):
if must_be_logged_in and not is_authenticated(request):
if not api:
raise UnauthorizedException('Should be logged in')
else:
return rc.FORBIDDEN
if has_perm(request, global_perm_name, text=None):
return view_func(request, *args, **kwargs)
if cm_settings.NO_SECURITY:
return view_func(request, *args, **kwargs)
if 'key' in kwargs:
text = get_object_or_404(Text, key=kwargs['key'])
else:
raise Exception('no security check possible')
# in api, the view has an object as first parameter, request is args[0]
if not api:
req = request
else:
req = args[0]
if has_perm(req, perm_name, text=text):
return view_func(request, *args, **kwargs)
if not api:
raise UnauthorizedException('No perm %s' % perm_name)
else:
return rc.FORBIDDEN
raise UnauthorizedException('No global perm %s nor local perm %s' %(global_perm_name, perm_name))
def default(self, obj):
if isinstance(obj, Comment) :
comment = obj
#replies = list(comment.comment_set.order_by('created'))
text=comment.text_version.text
replies = get_viewable_comments(self.request, comment.comment_set.all(), text)
# can_view == true because of get_viewable_comments filter
can_moderate = has_perm(self.request, 'can_edit_comment', text)
can_edit = has_perm(self.request, 'can_edit_comment', text) or has_own_perm(self.request, 'can_edit_comment_own', text, comment)
can_delete = has_perm(self.request, 'can_delete_comment', text) or has_own_perm(self.request, 'can_delete_comment_own', text, comment)
return {'id' : comment.id,
'key' : comment.key,
'id_key' : comment.id_key,
'created_user_str' : datetime_to_user_str(request_tz_convert(comment.created, self.request)),
'modified_user_str' : datetime_to_user_str(request_tz_convert(comment.modified, self.request)),
# 'created_str' : datetime_to_str(comment.created), # TODO change to a simple number as modified if possible
'created' : datetime_to_epoch(comment.created), # TODO change to a simple number as modified if possible
'modified' : datetime_to_epoch(comment.modified),
# 'modified' : time.mktime(comment.modified.timetuple()),
# 'created' : datetime_to_js_date_str(comment.created),
'reply_to_id' : comment.reply_to_id,
'replies' : replies,
'name' : comment.get_name(),
'email' : comment.get_email(),
'logged_author' : (comment.user != None),
'title':comment.title,
'content':comment.content,
'content_html':comment.content_html,
'tags': ', '.join(parse_tag_input(comment.tags)),
'format': comment.format,
'start_wrapper' : comment.start_wrapper,
'end_wrapper' : comment.end_wrapper,
'start_offset' : comment.start_offset,
'end_offset' : comment.end_offset,
'url': comment.url,
'state' : comment.state,
'permalink' : reverse('text-view-show-comment', args=[text.key, comment.id_key]),
# permission
'can_edit' : can_edit,
'can_delete' : can_delete,
'can_moderate' : can_moderate,
}
if isinstance(obj, Tag) :
tag = obj
# RBE each time issuing a db request to find comments related to this tag !!! TODO
return { 'ids' : [t.id for t in tag.items.all()], 'name' : tag.name, 'font_size' : tag.font_size}
return simplejson.JSONEncoder.default(self, obj)
def default(self, obj):
if isinstance(obj, Comment) :
comment = obj
#replies = list(comment.comment_set.order_by('created'))
text=comment.text_version.text
replies = get_viewable_comments(self.request, comment.comment_set.all(), text)
# can_view == true because of get_viewable_comments filter
can_moderate = has_perm(self.request, 'can_edit_comment', text)
can_edit = has_perm(self.request, 'can_edit_comment', text) or has_own_perm(self.request, 'can_edit_comment_own', text, comment)
can_delete = has_perm(self.request, 'can_delete_comment', text) or has_own_perm(self.request, 'can_delete_comment_own', text, comment)
return {'id' : comment.id,
'key' : comment.key,
'id_key' : comment.id_key,
'created_user_str' : datetime_to_user_str(request_tz_convert(comment.created, self.request)),
'modified_user_str' : datetime_to_user_str(request_tz_convert(comment.modified, self.request)),
# 'created_str' : datetime_to_str(comment.created), # TODO change to a simple number as modified if possible
'created' : datetime_to_epoch(comment.created), # TODO change to a simple number as modified if possible
'modified' : datetime_to_epoch(comment.modified),
# 'modified' : time.mktime(comment.modified.timetuple()),
# 'created' : datetime_to_js_date_str(comment.created),
'reply_to_id' : comment.reply_to_id,
'replies' : replies,
'name' : comment.get_name(),
'email' : comment.get_email(),
'logged_author' : (comment.user != None),
'title':comment.title,
'content':comment.content,
'content_html':comment.content_html,
'tags': ', '.join(parse_tag_input(comment.tags)),
'category': comment.category,
'format': comment.format,
'start_wrapper' : comment.start_wrapper,
'end_wrapper' : comment.end_wrapper,
'start_offset' : comment.start_offset,
'end_offset' : comment.end_offset,
'state' : comment.state,
'permalink' : reverse('text-view-show-comment', args=[text.key, comment.id_key]),
# permission
'can_edit' : can_edit,
'can_delete' : can_delete,
'can_moderate' : can_moderate,
}
if isinstance(obj, Tag) :
tag = obj
# RBE each time issuing a db request to find comments related to this tag !!! TODO
return { 'ids' : [t.id for t in tag.items.all()], 'name' : tag.name, 'font_size' : tag.font_size}
return simplejson.JSONEncoder.default(self, obj)
def _check_local_perm(request, *args, **kwargs):
if cm_settings.NO_SECURITY:
return view_func(request, *args, **kwargs)
if must_be_logged_in and not is_authenticated(request):
if not api:
raise UnauthorizedException('Should be logged in')
else:
return rc.FORBIDDEN
if 'key' in kwargs:
text = get_object_or_404(Text, key=kwargs['key'])
else:
raise Exception('no security check possible')
# in api, the view has an object as first parameter, request is args[0]
if not api:
req = request
else:
req = args[0]
if has_perm(req, perm_name, text=text):
return view_func(request, *args, **kwargs)
#else:
# TODO: (? useful ?) if some user have the perm and not logged-in : redirect to login
#if not request.user.is_authenticated() and number_has_perm_on_text(permission, text_id) > 0:
# return HttpResponseRedirect('%s?%s=%s' % (login_url, redirect_field_name, urlquote(request.get_full_path())))
# else : unauthorized
if not api:
raise UnauthorizedException('No perm %s' % perm_name)
else:
return rc.FORBIDDEN
def get_viewable_activities(request=None, act_types={}, text=None):
"""
Get activities user in request is allowed to see
"""
from cm.security import has_perm, get_texts_with_perm, get_viewable_comments
selected_activities = reduce(list.__add__, [
Activity.VIEWABLE_ACTIVITIES[k]
for k in act_types.keys() if act_types[k]
], [])
activities = Activity.objects.filter(type__in=selected_activities)
if text:
activities = activities.filter(text=text)
if not has_perm(request, 'can_manage_workspace'):
texts = get_texts_with_perm(request, 'can_view_text')
activities = activities.filter(Q(text__in=texts))
comments = []
[
comments.extend(
get_viewable_comments(request,
t.last_text_version.comment_set.all(),
t)) for t in texts
]
activities = activities.filter(
Q(comment__in=comments) | Q(comment=None))
return activities.order_by('-created')
def _check_local_perm(request, *args, **kwargs):
if cm_settings.NO_SECURITY:
return view_func(request, *args, **kwargs)
if must_be_logged_in and not is_authenticated(request):
if not api:
raise UnauthorizedException('Should be logged in')
else:
return rc.FORBIDDEN
if 'key' in kwargs:
text = get_object_or_404(Text, key=kwargs['key'])
else:
raise Exception('no security check possible')
# in api, the view has an object as first parameter, request is args[0]
if not api:
req = request
else:
req = args[0]
if has_perm(req, perm_name, text=text):
return view_func(request, *args, **kwargs)
#else:
# TODO: (? useful ?) if some user have the perm and not logged-in : redirect to login
#if not request.user.is_authenticated() and number_has_perm_on_text(permission, text_id) > 0:
# return HttpResponseRedirect('%s?%s=%s' % (login_url, redirect_field_name, urlquote(request.get_full_path())))
# else : unauthorized
if not api:
raise UnauthorizedException('No perm %s' % perm_name)
else:
return rc.FORBIDDEN
def render(self, context):
context[self.var_name] = has_perm(
self.request.resolve(context),
self.perm_name,
None,
)
return ''
def has_own_perm(request, perm_name, text, comment):
user = get_request_user(request)
if not user:
return False
# bypass sec if NO_SECURITY
if cm_settings.NO_SECURITY:
return True
# make sure perm exist
assert Permission.objects.get(codename=perm_name)
# 2 special cases for comment own edition:
# 1
# if perm = can_edit_own_comment and
# text is a priori moderated and
# comment is approved and
# don't have moderation rights and
if comment and comment.state == 'approved' and \
perm_name == 'can_edit_comment_own' and \
text.last_text_version.mod_posteriori == False and \
not has_perm(request, 'can_manage_text', text=text):
return False
# 2
# if perm = can_edit_own_comment and and
# text is a posteriori moderated and
# there is a reply
# don't have moderation rights and
if comment and comment.state == 'approved' and \
perm_name == 'can_edit_comment_own' and \
text.last_text_version.mod_posteriori == True and \
comment.comment_set.count() != 0 and \
not has_perm(request, 'can_manage_text', text=text):
return False
actual_own_user = False
if comment.user == request.user:
if DECORATED_CREATORS:
if request.GET.get('name', None) == comment.get_name():
actual_own_user = True
else:
actual_own_user = True
return (actual_own_user and has_perm(request, perm_name, text=text))
def has_own_perm(request, perm_name, text, comment):
user = get_request_user(request)
if not user:
return False
# bypass sec if NO_SECURITY
if cm_settings.NO_SECURITY:
return True
# make sure perm exist
assert Permission.objects.get(codename=perm_name)
# 2 special cases for comment own edition:
# 1
# if perm = can_edit_own_comment and
# text is a priori moderated and
# comment is approved and
# don't have moderation rights and
if comment and comment.state == 'approved' and \
perm_name == 'can_edit_comment_own' and \
text.last_text_version.mod_posteriori == False and \
not has_perm(request, 'can_manage_text', text=text):
return False
# 2
# if perm = can_edit_own_comment and and
# text is a posteriori moderated and
# there is a reply
# don't have moderation rights and
if comment and comment.state == 'approved' and \
perm_name == 'can_edit_comment_own' and \
text.last_text_version.mod_posteriori == True and \
comment.comment_set.count() != 0 and \
not has_perm(request, 'can_manage_text', text=text):
return False
actual_own_user = False
if comment.user == request.user:
if DECORATED_CREATORS:
if request.GET.get('name', None) == comment.get_name():
actual_own_user = True
else:
actual_own_user = True
return (actual_own_user and has_perm(request, perm_name, text=text))
def _check_global_perm(request, *args, **kwargs):
if must_be_logged_in and not is_authenticated(request):
raise UnauthorizedException('Should be logged in')
if has_perm(request, perm_name, text=None):
return view_func(request, *args, **kwargs)
raise UnauthorizedException('No global perm %s' % perm_name)
def _check_global_perm(request, *args, **kwargs):
if must_be_logged_in and not is_authenticated(request):
raise UnauthorizedException('Should be logged in')
if has_perm(request, perm_name, text=None):
return view_func(request, *args, **kwargs)
raise UnauthorizedException('No global perm %s' % perm_name)
def add_comment(request, key, version_key):
# if edit_comment_id : #
# if self.request.user.is_anonymous() : # accessing via an admin url ?
# and comment.user == self.request.user
user = None if request.user.is_anonymous() else request.user
name, email, title, content, tags, category, reply_to_id, format, start_wrapper, end_wrapper, start_offset, end_offset = read_comment_args(request)
errors = {}
errors = validate_comment_args(name, email, title, content, tags)
if start_wrapper == "" :
errors['selection_place'] = selection_place_error_msg
#TODO validate pandoc conversion
content_html = pandoc_convert(content, format, "html", full=False)
ret = {}
if errors != {} :
ret['errors'] = errors
else :
# INSERT
# TODO check version still exist ...
reply_to = None
if reply_to_id :
reply_to = Comment.objects.get(id=reply_to_id)
text = Text.objects.get(key=key)
text_version = TextVersion.objects.get(key=version_key)
comment_state = 'approved' if text_version.mod_posteriori else 'pending'
comment = Comment.objects.create(state=comment_state, text_version=text_version, user=user, name=name, email=email, title=title, content=content, content_html=content_html, tags = tags, category = category, start_wrapper = start_wrapper, end_wrapper = end_wrapper, start_offset = start_offset, end_offset = end_offset, reply_to=reply_to)
ask_for_notification = True
if user :
workspace_notify_count = Notification.objects.filter(text=None,type='workspace',user=user, active=True).count()
text_notify_count = Notification.objects.filter(text=text,type='text',user=user, active=True).count()
if workspace_notify_count > 0 or text_notify_count > 0 :
ask_for_notification = False
if ask_for_notification :
ask_for_notification = ( None == Notification.objects.get_notifications(text=None, type='own', email_or_user=(user if user else email)))
ret['ask_for_notification'] = ask_for_notification
ret['email'] = '' if user else email
if text_version.mod_posteriori or has_perm(request, 'can_view_unapproved_comment', text=text) or has_perm(request, 'can_view_comment_own', text=text) :
ret['comment'] = comment
ret['msg'] = _(u"comment saved")
else :
ret['msg'] = _(u"comment saved, it is being held for moderation")
if AUTO_CONTRIB_REGISTER:
Notification.objects.set_notification(text=text, type='own', active=True, email_or_user=user or email)
register_activity(request, "comment_created", text, comment)
cache.clear()
return ret
def notify(sender, **kwargs):
from cm.security import get_viewable_comments, has_perm
allready_notified = set() # avoid sending multiple notifications to same user
activity = kwargs["instance"]
if activity.type in Activity.VIEWABLE_ACTIVITIES.get("view_users"): # user activity: only viewed by managers
notifications = Notification.objects.filter(text=None, active=True).exclude(type="own")
for notification in notifications:
if notification.user:
from cm.security import user_has_perm # import here!
if user_has_perm(notification.user, "can_manage_workspace"):
send_notification(activity, notification)
allready_notified.add(notification.user)
elif activity.type in Activity.VIEWABLE_ACTIVITIES.get("view_comments"):
notifications = Notification.objects.filter(Q(text=activity.text) | Q(text=None), active=True)
for notification in notifications:
viewable = get_viewable_comments(
FakeRequest(notification.user), Comment.objects.filter(id__in=[activity.comment.id]), text=activity.text
)
if viewable and (
(
notification.type == "own"
and activity.comment.user != notification.user
and activity.comment.top_comment().user == notification.user
)
or (notification.type != "own")
):
if not notification.user in allready_notified:
send_notification(activity, notification)
allready_notified.add(notification.user)
elif activity.type in Activity.VIEWABLE_ACTIVITIES.get("view_texts"):
notifications = Notification.objects.filter(Q(text=activity.text) | Q(text=None), active=True).exclude(
type="own"
)
for notification in notifications:
if notification.user:
from cm.security import user_has_perm # import here!
if (
user_has_perm(notification.user, "can_view_text", text=activity.text)
and not notification.user in allready_notified
):
send_notification(activity, notification)
allready_notified.add(notification.user)
else:
if has_perm(None, "can_view_text", text=activity.text) and not notification.email in allready_notified:
send_notification(activity, notification)
allready_notified.add(notification.email)
def notify(sender, **kwargs):
from cm.security import get_viewable_comments, has_perm
allready_notified = set(
) # avoid sending multiple notifications to same user
activity = kwargs['instance']
if activity.type in Activity.VIEWABLE_ACTIVITIES.get(
'view_users'): # user activity: only viewed by managers
notifications = Notification.objects.filter(
text=None, active=True).exclude(type='own')
for notification in notifications:
if notification.user:
from cm.security import user_has_perm # import here!
if user_has_perm(notification.user, 'can_manage_workspace'):
send_notification(activity, notification)
allready_notified.add(notification.user)
elif activity.type in Activity.VIEWABLE_ACTIVITIES.get('view_comments'):
notifications = Notification.objects.filter(Q(text=activity.text)
| Q(text=None),
active=True)
for notification in notifications:
viewable = get_viewable_comments(
FakeRequest(notification.user),
Comment.objects.filter(id__in=[activity.comment.id]),
text=activity.text)
if viewable and \
((notification.type == 'own' and activity.comment.user != notification.user and activity.comment.top_comment().user == notification.user) or
(notification.type != 'own')):
if not notification.user in allready_notified:
send_notification(activity, notification)
allready_notified.add(notification.user)
elif activity.type in Activity.VIEWABLE_ACTIVITIES.get('view_texts'):
notifications = Notification.objects.filter(
Q(text=activity.text) | Q(text=None),
active=True).exclude(type='own')
for notification in notifications:
if notification.user:
from cm.security import user_has_perm # import here!
if user_has_perm(
notification.user, 'can_view_text', text=activity.text
) and not notification.user in allready_notified:
send_notification(activity, notification)
allready_notified.add(notification.user)
else:
if has_perm(None, 'can_view_text', text=activity.text
) and not notification.email in allready_notified:
send_notification(activity, notification)
allready_notified.add(notification.email)
def text_list(request):
paginate_by = get_int(request.GET,'paginate',TEXT_PAGINATION)
tag_selected = request.GET.get('tag_selected', 0)
order_by = get_among(request.GET,'order',('title','author','modified','-title','-author','-modified'),'-modified')
if request.method == 'POST':
action = request.POST.get('action',None)
text_keys = get_keys_from_dict(request.POST, 'check-').keys()
if action == 'delete':
for text_key in text_keys:
text = Text.objects.get(key=text_key)
if has_perm(request, 'can_delete_text', text=text):
text.delete()
else:
raise UnauthorizedException('No perm can_delete_text on comment')
display_message(request, _(u'%(nb_texts)i text(s) deleted') %{'nb_texts':len(text_keys)})
return HttpResponseRedirect(reverse('text'))
texts = get_texts_with_perm(request, 'can_view_text').order_by(order_by)
try:
tag_list = Tag.objects.usage_for_queryset(TextVersion.objects.filter(id__in = [t.last_text_version_id for t in get_texts_with_perm(request, 'can_view_text')]))
except EmptyResultSet:
tag_list = []
context = {
'tag_list' : tag_list,
'tag_selected': tag_selected,
}
if tag_selected:
tag_ids = Tag.objects.filter(name=tag_selected)
if tag_ids:
content_type_id = ContentType.objects.get_for_model(TextVersion).pk
# table cm_userprofile is not present if display_suspended_users: fix this
texts = texts.extra(where=['tagging_taggeditem.object_id = cm_text.last_text_version_id',
'tagging_taggeditem.content_type_id = %i' %content_type_id,
'tagging_taggeditem.tag_id = %i' %tag_ids[0].id],
tables=['tagging_taggeditem'],
)
return object_list(request, texts,
template_name = 'site/text_list.html',
paginate_by = paginate_by,
extra_context=context,
)
def _check_local_perm(request, *args, **kwargs):
if cm_settings.NO_SECURITY:
return view_func(request, *args, **kwargs)
if 'key' in kwargs:
text = get_object_or_404(Text, key=kwargs['key'])
# first try permission on text
if has_perm(request, perm_name, text=text) :
return view_func(request, *args, **kwargs)
if 'comment_key' in kwargs:
comment = get_object_or_404(Comment, key=kwargs['comment_key'])
if has_own_perm(request, perm_name + "_own", text, comment) :
return view_func(request, *args, **kwargs)
else:
raise Exception('no security check possible: no comment key')
else:
raise Exception('no security check possible: no text key')
raise UnauthorizedException('No perm %s on comment' % perm_name)
def get_viewable_activities(request=None, act_types={}, text=None):
"""
Get activities user in request is allowed to see
"""
from cm.security import has_perm, get_texts_with_perm, get_viewable_comments
selected_activities = reduce(list.__add__,[Activity.VIEWABLE_ACTIVITIES[k] for k in act_types.keys() if act_types[k]], [])
activities = Activity.objects.filter(type__in=selected_activities)
if text:
activities = activities.filter(text=text)
if not has_perm(request, 'can_manage_workspace'):
texts = get_texts_with_perm(request, 'can_view_text')
activities = activities.filter(Q(text__in=texts))
comments = []
[comments.extend(get_viewable_comments(request, t.last_text_version.comment_set.all(), t)) for t in texts]
activities = activities.filter(Q(comment__in=comments) | Q(comment=None))
return activities.order_by('-created')
def _check_local_perm(request, *args, **kwargs):
if cm_settings.NO_SECURITY:
return view_func(request, *args, **kwargs)
if 'key' in kwargs:
text = get_object_or_404(Text, key=kwargs['key'])
# first try permission on text
if has_perm(request, perm_name, text=text):
return view_func(request, *args, **kwargs)
if 'comment_key' in kwargs:
comment = get_object_or_404(Comment,
key=kwargs['comment_key'])
if has_own_perm(request, perm_name + "_own", text,
comment):
return view_func(request, *args, **kwargs)
else:
raise Exception(
'no security check possible: no comment key')
else:
raise Exception('no security check possible: no text key')
raise UnauthorizedException('No perm %s on comment' % perm_name)
def render(self, context):
context[self.var_name] = has_perm(self.request.resolve(context),
self.perm_name,
None,
)
return ''
def get_viewable_comments(request, comments, text, order_by=('created', )):
"""
Get comments visibles by user
comments: queryset
"""
user = get_request_user(request)
try:
myself = request.GET.get('name', None)
except AttributeError:
myself = None
key = sha1(
str((settings.SITE_URL, 'get_viewable_comments',
(user, myself, text, comments)))).hexdigest()
val = cache.get(key)
if val != None:
return val
if user and has_perm(request, 'can_view_unapproved_comment', text=text):
ret = list(comments.order_by(*order_by))
cache.set(key, ret)
return ret
else:
# Fetch role_model to process specific behaviour for role_teacher model
from cm.models import ApplicationConfiguration
role_model = ApplicationConfiguration.get_key('workspace_role_model')
if has_perm(request, 'can_view_approved_comment', text=text):
visible_comments = comments.filter(state='approved').order_by(
*order_by)
# filter comments with a non visible (i.e. moderated) comment in the above thread
comments_thread_viewable = [
c for c in visible_comments if c.is_thread_full_visible()
]
# for role_teacher role model, do not show 'individual student' comments
if (role_model == 'teacher'):
unfiltered_comments = list(comments_thread_viewable)
for c in unfiltered_comments:
if c.user_id and c.user_id != 1:
try:
userrole = UserRole.objects.get(user=c.user,
text=text)
except:
userrole = UserRole.objects.get(user=None,
text=None)
if userrole.role_id == None:
role = c.user.get_profile().global_userrole().role
else:
role = userrole.role
if role.name == 'Individual student':
comments_thread_viewable.remove(c)
cache.set(key, comments_thread_viewable)
return comments_thread_viewable
elif user and has_perm(request, 'can_view_comment_own', text=text):
if DECORATED_CREATORS:
visible_comments = comments.filter(name=myself).order_by(
*order_by)
else:
visible_comments = comments.filter(user=user).order_by(
*order_by)
# for role_teacher role model, add 'teacher' comments
if (role_model == 'teacher'):
with_teachers = []
for u in list(
User.objects.filter(userrole__role__name='Teacher')):
with_teachers.append(u.id)
# add admin and current user
admin = User.objects.get(id=1)
with_teachers.append(admin.id)
if DECORATED_CREATORS:
visible_comments = comments.filter(
Q(user__id__in=with_teachers)
| Q(name=myself)).order_by(*order_by)
else:
with_teachers.append(user.id)
visible_comments = comments.filter(
user__id__in=with_teachers).order_by(*order_by)
# filter comments with a non visible (i.e. moderated) comment in the above thread
comments_thread_viewable = [
c for c in visible_comments
if c.is_thread_full_visible(own_user=user)
]
cache.set(key, comments_thread_viewable)
return comments_thread_viewable
else:
cache.set(key, [])
return []
def dashboard(request):
request.session.set_test_cookie()
if request.user.is_authenticated():
act_view = {
'view_texts' : get_int(request.GET, 'view_texts',1),
'view_comments' : get_int(request.GET, 'view_comments',1),
'view_users' : get_int(request.GET, 'view_users',1),
}
paginate_by = get_int(request.GET, 'paginate', ACTIVITY_PAGINATION)
# texts with can_view_unapproved_comment perms
moderator_texts = get_texts_with_perm(request, 'can_view_unapproved_comment')
viewer_texts = get_texts_with_perm(request, 'can_view_approved_comment')
all_texts_ids = [t.id for t in moderator_texts] + [t.id for t in viewer_texts]
span = get_among(request.GET, 'span', ('day','month','week',),'week')
template_dict = {
'span' : span,
'last_texts' : get_texts_with_perm(request, 'can_view_text').order_by('-modified')[:RECENT_TEXT_NB],
'last_comments' : Comment.objects.filter(text_version__text__in=all_texts_ids).order_by('-created')[:RECENT_COMMENT_NB],# TODO: useful?
#'last_users' : User.objects.all().order_by('-date_joined')[:5],
}
template_dict.update(act_view)
all_activities = {
'view_comments' : ['comment_created','comment_removed'],
'view_users' : ['user_created', 'user_activated', 'user_suspended','user_enabled',],
'view_texts' : ['text_created','text_removed', 'text_edited', 'text_edited_new_version'],
}
selected_activities = []
[selected_activities.extend(all_activities[k]) for k in act_view.keys() if act_view[k]]
activities = Activity.objects.filter(type__in = selected_activities)
if not has_perm(request,'can_manage_workspace'):
texts = get_texts_with_perm(request, 'can_view_text')
activities = activities.filter(Q(text__in=texts))
comments = []
[comments.extend(get_viewable_comments(request, t.last_text_version.comment_set.all(), t)) for t in texts]
activities = activities.filter(Q(comment__in=comments) | Q(comment=None) )
template_dict['to_mod_profiles'] = []
else:
template_dict['to_mod_profiles'] = UserProfile.objects.filter(user__is_active=False).filter(is_suspended=True).order_by('-user__date_joined')[:MODERATE_NB]
template_dict['to_mod_comments'] = Comment.objects.filter(state='pending').filter(text_version__text__in=moderator_texts).order_by('-modified')[:MODERATE_NB-len(template_dict['to_mod_profiles'])]
activities = activities.order_by('-created')
return object_list(request, activities,
template_name = 'site/dashboard.html',
paginate_by = paginate_by,
extra_context = template_dict,
)
else:
if request.method == 'POST':
form = AuthenticationForm(request, request.POST)
if form.is_valid():
user = form.get_user()
user.backend = 'django.contrib.auth.backends.ModelBackend'
cm_login(request, user)
display_message(request, _(u"You're logged in!"))
return HttpResponseRedirect(reverse('index'))
else:
form = AuthenticationForm()
public_texts = get_texts_with_perm(request, 'can_view_text').order_by('-modified')
template_dict = {
'form' : form,
'texts' : public_texts,
}
return render_to_response('site/non_authenticated_index.html', template_dict, context_instance=RequestContext(request))
def user_has_perm(user, perm_name, text=None):
return has_perm(FakeRequest(user), perm_name, text)
def has_own_perm(request, perm_name, text, comment):
user = get_request_user(request)
if not user:
return False
# bypass sec if NO_SECURITY
if cm_settings.NO_SECURITY:
return True
# make sure perm exist
assert Permission.objects.get(codename=perm_name)
try:
myself = request.GET.get('name', None)
except AttributeError:
myself = None
key = sha1(
str((settings.SITE_URL, 'has_own_perm', (user, myself, text, comment,
perm_name)))).hexdigest()
val = cache.get(key)
if val != None:
return val
# 2 special cases for comment own edition:
# 1
# if perm = can_edit_own_comment and
# text is a priori moderated and
# comment is approved and
# don't have moderation rights and
if comment and comment.state == 'approved' and \
perm_name == 'can_edit_comment_own' and \
text.last_text_version.mod_posteriori == False and \
not has_perm(request, 'can_manage_text', text=text):
cache.set(key, False)
return False
# 2
# if perm = can_edit_own_comment and and
# text is a posteriori moderated and
# there is a reply
# don't have moderation rights and
if comment and comment.state == 'approved' and \
perm_name == 'can_edit_comment_own' and \
text.last_text_version.mod_posteriori == True and \
comment.comment_set.count() != 0 and \
not has_perm(request, 'can_manage_text', text=text):
cache.set(key, False)
return False
actual_own_user = False
if comment.user == request.user:
if DECORATED_CREATORS:
if myself == comment.get_name():
actual_own_user = True
else:
actual_own_user = True
ret = (actual_own_user and has_perm(request, perm_name, text=text))
cache.set(key, ret)
return ret
def get_viewable_comments(request, comments, text, order_by=('created',)):
"""
Get comments visibles by user
comments: queryset
"""
user = get_request_user(request)
try:
myself = request.GET.get('name', None)
except AttributeError:
myself = None
key = sha1(str((settings.SITE_URL, 'get_viewable_comments', (user, myself, text, comments)))).hexdigest()
val = cache.get(key)
if val != None:
return val
if user and has_perm(request, 'can_view_unapproved_comment', text=text):
ret = list(comments.order_by(*order_by))
cache.set(key, ret)
return ret
else:
# Fetch role_model to process specific behaviour for role_teacher model
from cm.models import ApplicationConfiguration
role_model = ApplicationConfiguration.get_key('workspace_role_model')
if has_perm(request, 'can_view_approved_comment', text=text):
visible_comments = comments.filter(state = 'approved').order_by(*order_by)
# filter comments with a non visible (i.e. moderated) comment in the above thread
comments_thread_viewable = [c for c in visible_comments if c.is_thread_full_visible()]
# for role_teacher role model, do not show 'individual student' comments
if (role_model == 'teacher'):
unfiltered_comments = list(comments_thread_viewable)
for c in unfiltered_comments:
if c.user_id and c.user_id != 1:
try:
userrole = UserRole.objects.get(user=c.user, text=text)
except:
userrole = UserRole.objects.get(user=None, text=None)
if userrole.role_id == None:
role = c.user.get_profile().global_userrole().role
else:
role = userrole.role
if role.name == 'Individual student':
comments_thread_viewable.remove(c)
cache.set(key, comments_thread_viewable)
return comments_thread_viewable
elif user and has_perm(request, 'can_view_comment_own', text=text):
if DECORATED_CREATORS:
visible_comments = comments.filter(name=myself).order_by(*order_by)
else:
visible_comments = comments.filter(user=user).order_by(*order_by)
# for role_teacher role model, add 'teacher' comments
if (role_model == 'teacher'):
with_teachers = []
for u in list(User.objects.filter(userrole__role__name = 'Teacher')):
with_teachers.append(u.id)
# add admin and current user
admin = User.objects.get(id=1)
with_teachers.append(admin.id)
if DECORATED_CREATORS:
visible_comments = comments.filter(Q(user__id__in=with_teachers) | Q(name=myself)).order_by(*order_by)
else:
with_teachers.append(user.id)
visible_comments = comments.filter(user__id__in=with_teachers).order_by(*order_by)
# filter comments with a non visible (i.e. moderated) comment in the above thread
comments_thread_viewable = [c for c in visible_comments if c.is_thread_full_visible(own_user=user)]
cache.set(key, comments_thread_viewable)
return comments_thread_viewable
else:
cache.set(key, [])
return []
def user_has_perm(user, perm_name, text=None):
return has_perm(FakeRequest(user),perm_name, text)
