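def post(self, request, *args, **kwargs):
    """Delete the elements whose ids are POSTed as ``element_ids[]``.

    Each id is resolved against ``self.model`` inside ``self.group``; an
    element is deleted only when ``check_object_write_access`` grants the
    requesting user write access to it and ``self.delete_element`` reports
    success.

    Returns a ``JsonResponse`` with ``successful_ids`` (the ids that were
    deleted) and ``had_errors`` (True when at least one posted id was not
    deleted). Returns ``HttpResponseBadRequest`` when neither ids nor a group
    were supplied.

    Raises ``ImproperlyConfigured`` when the view has no ``model`` set.
    """
    if not self.model:
        raise ImproperlyConfigured(
            'No model class is set for the pseudo-abstract view DeleteElementView.'
        )
    element_ids = request.POST.getlist('element_ids[]', [])
    if not (element_ids or self.group):
        return HttpResponseBadRequest('Missing POST fields for this request.')

    successful_ids = []
    for element_id in element_ids:
        element = get_object_or_None(self.model, id=element_id, group=self.group)
        # Unknown ids, or ids that belong to another group, resolve to None;
        # skip them instead of handing None to the permission check and to
        # delete_element. They still count as errors via had_errors.
        if element is None:
            continue
        # Per-object write check is the authorization boundary of this view.
        if not check_object_write_access(element, request.user):
            continue
        if self.delete_element(element):
            successful_ids.append(element_id)
    data = {
        'had_errors': len(successful_ids) != len(element_ids),
        'successful_ids': successful_ids,
    }
    return JsonResponse(data)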
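def save_widget_config(request):
    """Save-endpoint for WidgetConfig priorities when dashboard widgets are rearranged.

    Expects an AJAX POST whose ``widget_data`` field holds a JSON object
    mapping widget ids to property dicts. Only the ``priority`` property is
    used; it is written to ``WidgetConfig.sort_field``.

    A widget is updated only when the user has write access to the widget's
    group (``check_object_write_access``) or is the widget's own user.
    Ids that are not integers or do not exist are skipped silently.

    Returns ``HttpResponseForbidden`` for anonymous users,
    ``HttpResponseNotAllowed`` for non-AJAX or non-POST requests, a JSON
    ``{'status': 'error'}`` with status 400 for a missing or malformed
    payload, and ``{'status': 'ok'}`` otherwise.
    """
    import json

    user = request.user
    if not user.is_authenticated:
        return HttpResponseForbidden()
    # NOTE(review): request.is_ajax() was removed in Django 4.0; revisit on upgrade.
    if not request.is_ajax() or request.method != 'POST':
        return HttpResponseNotAllowed(['POST'])

    # A missing field (json.loads(None) -> TypeError) or malformed JSON used
    # to surface as a server error; reject it as a client error instead.
    try:
        widgets = json.loads(request.POST.get('widget_data'))
    except (TypeError, ValueError):
        return JsonResponse({'status': 'error'}, status=400)
    if not isinstance(widgets, dict):
        return JsonResponse({'status': 'error'}, status=400)

    for widget_id, props in widgets.items():
        if not isinstance(props, dict) or 'priority' not in props:
            continue
        try:
            wc = WidgetConfig.objects.get(id=int(widget_id))
        except (WidgetConfig.DoesNotExist, ValueError):
            # Unknown ids were already ignored; non-numeric ids now are too
            # instead of raising.
            continue
        # Authorization: write access to the widget's group, or direct ownership.
        is_group_editor = bool(wc.group) and check_object_write_access(wc.group, user)
        is_owner = bool(wc.user) and wc.user.id == user.id
        if is_group_editor or is_owner:
            wc.sort_field = props.get('priority')
            wc.save()
    messages.info(request, _('Your changes have been saved.'))
    return JsonResponse({'status': 'ok'}, safe=False)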
def wrapper(self, request, *args, **kwargs):
    """Resolve the team from the URL and call ``function`` only for users with write access to it.

    The URL kwarg and the attribute the team is stored under come from the
    decorator arguments (``group_url_kwarg`` / ``group_attr``) or, failing
    that, from the view, defaulting to ``'group'``. Checks run in this order:
    missing team name -> 404, deactivated app -> its error response,
    anonymous user -> login redirect, no write access -> 403 redirect.
    """
    url_kwarg = group_url_kwarg or getattr(self, 'group_url_kwarg', 'group')
    attr = group_attr or getattr(self, 'group_attr', 'group')
    group_name = kwargs.get(url_kwarg)
    if not group_name:
        return HttpResponseNotFound(_("No team provided"))

    group = get_group_for_request(group_name, request)
    user = request.user

    # The deactivated-app check runs before the login check (original order).
    deactivated_app_error = _check_deactivated_app_access(self, group, request)
    if deactivated_app_error:
        return deactivated_app_error
    if not user.is_authenticated:
        return redirect_to_not_logged_in(request, view=self, group=group)
    if not check_object_write_access(group, user):
        # Access denied: redirect to the 403 page and display an error message.
        return redirect_to_403(request, self, group=group)

    setattr(self, attr, group)
    return function(self, request, *args, **kwargs)
def has_write_access(user, obj):
    """Template filter: True if ``user`` may edit/update/delete ``obj``.

    ``obj`` is either a CosinnusGroup or a BaseTaggableObject. For a
    CosinnusGroup this tests whether the user is a group admin or a site
    admin; superuser status and group memberships are all accounted for by
    ``check_object_write_access``.
    """
    # Mind the argument order: the filter takes (user, obj), the helper (obj, user).
    permitted = check_object_write_access(obj, user)
    return permitted
def dispatch(self, request, *args, **kwargs):
    """Resolve the team from the URL and dispatch only for users with write access to it.

    The team is stored on ``self.group``. Anyone without write access is
    sent to the 403 page with an error message.
    """
    group_name = kwargs.get(self.group_url_kwarg)
    self.group = get_group_for_request(group_name, request)
    if not check_object_write_access(self.group, request.user):
        # Access denied: redirect to the 403 page and display an error message.
        return redirect_to_403(request)
    return super(GroupMicrosite, self).dispatch(request, *args, **kwargs)
def delete(self, request, *args, **kwargs):
    """Delete the todo list only if the user may delete every todo it contains.

    When any contained todo fails ``check_object_write_access``, an error
    message is attached and the user is redirected back to the list instead.
    """
    todolist = self.get_object()
    user = request.user
    # Every todo is checked (no short-circuit), as in the original list form.
    verdicts = [
        check_object_write_access(todo, user) for todo in todolist.todos.all()
    ]
    if not all(verdicts):
        messages.error(
            request,
            _('You cannot delete this folder because you do not have permission to delete one or more items it contains!'
              ))
        return HttpResponseRedirect(todolist.get_absolute_url())
    return super(TodoListDeleteView, self).delete(request, *args, **kwargs)
def wrapper(self, request, *args, **kwargs):
    """Gate a team-scoped object view behind write (edit/delete) or create access.

    Resolves the team named in the URL and stores it on the view. Anonymous
    users on a private team are redirected to login right away; after the
    deactivated-app check, all remaining anonymous users are redirected too.
    If ``self.get_object()`` yields an object the user needs write access to
    it, otherwise permission to create objects in the team. Denied requests
    are redirected to the 403 page.
    """
    url_kwarg = group_url_kwarg or getattr(self, 'group_url_kwarg', 'group')
    attr = group_attr or getattr(self, 'group_attr', 'group')
    group_name = kwargs.get(url_kwarg)
    if not group_name:
        return HttpResponseNotFound(_("No team provided"))

    group = get_group_for_request(group_name, request)
    user = request.user
    setattr(self, attr, group)

    # Anonymous users on a private team are bounced before get_object() is
    # called, since that would raise Http404 for them.
    if not (group.public or user.is_authenticated):
        return redirect_to_not_logged_in(request, view=self, group=group)

    deactivated_app_error = _check_deactivated_app_access(self, group, request)
    if deactivated_app_error:
        return deactivated_app_error

    try:
        requested_object = self.get_object()
    except (AttributeError, TypeError):
        # views without a usable get_object() are treated as "create" views
        requested_object = None

    # Nothing can be written by anonymous users, regardless of team visibility.
    if not user.is_authenticated:
        return redirect_to_not_logged_in(request, view=self, group=group)

    if requested_object:
        # edit/delete: owner, staff member, group admin or site admin
        allowed = check_object_write_access(requested_object, user)
    else:
        # create: may the user create objects in this team?
        allowed = check_group_create_objects_access(group, user)
    if allowed:
        return function(self, request, *args, **kwargs)
    # Access denied: redirect to the 403 page and display an error message.
    return redirect_to_403(request, self, group=group)
def wrapper(request, *args, **kwargs):
    """Call ``function`` with ``kwargs['group']`` set, for users with write access to that team.

    The team name is read from the URL kwarg named by ``group_url_arg``.
    Anonymous users are redirected to login; users without write access to
    the team are redirected to the 403 page.
    """
    group_name = kwargs.get(group_url_arg)
    if not group_name:
        return HttpResponseNotFound(_("No team provided"))
    group = get_group_for_request(group_name, request)
    user = request.user
    # NOTE(review): `self` is not a parameter of this function-based wrapper.
    # Unless the enclosing decorator binds a `self`, the two redirect calls
    # below raise NameError precisely on the denied paths — confirm against
    # the enclosing scope.
    if not user.is_authenticated:
        return redirect_to_not_logged_in(request, view=self, group=group)
    if not check_object_write_access(group, user):
        # Access denied: redirect to the 403 page and display an error message.
        return redirect_to_403(request, self, group=group)
    kwargs['group'] = group
    return function(request, *args, **kwargs)
def dispatch(self, request, *args, **kwargs):
    """Show the offer; inactive offers are visible only to users with write access to them.

    Everyone else is sent back to the marketplace list with an error message.
    A ``CosinnusPermissionDeniedException`` raised anywhere in the try block
    (team lookup, object lookup or the parent dispatch) results in a login
    redirect.
    """
    try:
        self.group = get_group_for_request(kwargs.get('group'), request)
        offer = self.get_object()
        hidden = not offer.is_active and not check_object_write_access(offer, request.user)
        if hidden:
            messages.error(request, _('The offer you requested is no longer active. Sorry!'))
            list_url = group_aware_reverse('cosinnus:marketplace:list', kwargs={'group': self.group})
            return redirect(list_url)
        return super(OfferDetailView, self).dispatch(request, *args, **kwargs)
    except CosinnusPermissionDeniedException:
        return redirect_to_not_logged_in(request, view=self)
def wrapper(self, request, *args, **kwargs):
    """Call ``function`` only for logged-in users with write access to the view's object.

    Anonymous users are redirected to login. If ``self.get_object()`` is
    unavailable or yields nothing, or the user fails
    ``check_object_write_access`` for it, the request is redirected to the
    403 page.
    """
    user = request.user
    # anonymous users are sent to the login page
    if not user.is_authenticated:
        return redirect_to_not_logged_in(request, view=self)
    try:
        requested_object = self.get_object()
    except (AttributeError, TypeError):
        requested_object = None
    # edit/delete: the user must be owner, staff member, group admin or site admin
    if requested_object and check_object_write_access(requested_object, user):
        return function(self, request, *args, **kwargs)
    # Access denied: redirect to the 403 page and display an error message.
    return redirect_to_403(request, self)
def _delete_object(self, obj, request):
    """Delete ``obj`` if allowed; return 1 on success and 0 otherwise.

    A container is only deleted when it is empty: its contents are deleted
    before it, so the only object left under its path should be the
    container itself. The user must pass ``check_object_write_access`` for
    the object. After ``obj.delete()`` the row is re-fetched to confirm it is
    gone. Every failure attaches an error message to ``request``; the 0/1
    return value is handy for summing the number of deleted objects.
    """
    if obj.is_container:
        # more than one object under the path means something inside survived
        remaining = self._get_objects_in_path(obj.path)
        if len(remaining) > 1:
            messages.error(request, _(
                'Container "%(title)s" could not be deleted because it contained objects that could not be deleted.'
            ) % {'title': obj.title})
            return 0
    if not check_object_write_access(obj, request.user):
        messages.error(request, _('You do not have permissions to delete "%(title)s".') % {'title': obj.title})
        return 0
    deleted_pk = obj.pk
    obj.delete()
    # confirm the deletion actually happened
    try:
        survivor = self.model.objects.get(pk=deleted_pk)
    except self.model.DoesNotExist:
        return 1
    messages.error(request, _('Object "%(title)s" could not be deleted.') % {'title': survivor.title})
    return 0
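def entry_toggle_complete_me_view_api(request, pk, group):
    """API endpoint: mark a TodoEntry as completed by the requesting user, or clear its completion.

    Expects a POST with ``pk`` (the entry id; the URL ``pk`` is used when the
    field is absent) and ``is_completed`` (the string ``"true"`` marks the
    entry as completed by the current user, anything else clears it). The
    requesting user must pass ``check_object_write_access`` for the entry,
    otherwise a 403 JSON response is returned. Completing someone else's todo
    sends the ``user_completed_my_todo`` notification to its creator.

    Returns a ``JSONResponse`` with ``status`` and the entry's
    ``is_completed`` value; non-POST requests get a 405 JSON response.
    """
    if request.method != "POST":
        # Previously fell through and returned None, which is not a valid response.
        return JSONResponse('Only POST requests are allowed.', status=405)

    # TODO: Django<=1.5: Django 1.6 removed the cookie check in favor of CSRF
    request.session.set_test_cookie()
    # The POSTed pk takes precedence over the URL pk, as before; the URL pk is
    # only a fallback when the field is missing (previously that was a 404).
    pk = request.POST.get('pk', pk)
    is_completed = request.POST.get('is_completed')
    instance = get_object_or_404(TodoEntry, pk=pk)
    # Per-object authorization; note that `group` is not consulted here.
    if not check_object_write_access(instance, request.user):
        return JSONResponse(
            'You do not have the necessary permissions to modify this object!',
            status=403)
    if is_completed == "true":
        instance.completed_by = request.user
        instance.completed_date = now()
        if instance.completed_by != instance.creator:
            sender = instance
            sender.request = request
            cosinnus_notifications.user_completed_my_todo.send(
                sender=sender,
                user=instance.completed_by,
                obj=instance,
                audience=[instance.creator])
    else:
        instance.completed_by = None
        instance.completed_date = None
    instance.save()
    return JSONResponse({
        'status': 'success',
        'is_completed': instance.is_completed
    })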
def grant_extra_write_permissions(self, user, fields=None):
    """Grant write permission to any ``user`` with write access to ``self.group``.

    ``fields`` is accepted for interface compatibility and not used; the
    decision is delegated entirely to ``check_object_write_access``.
    """
    group = self.group
    return check_object_write_access(group, user)
def check_write_permissions(self, obj, user, **kwargs):
    """Return whether ``user`` may modify ``obj``.

    The default implementation defers to ``check_object_write_access``,
    passing any extra keyword arguments through. Subclasses are strongly
    encouraged to override this method.
    """
    permitted = check_object_write_access(obj, user, **kwargs)
    return permitted