def test_util_has_perm_or_owns_sanity(self):
    """Sanity-check access.has_perm_or_owns on an owned and a non-owned thread.

    The user is looked up by a hard-coded primary key, so the row must
    already exist when the test runs (presumably loaded from a fixture;
    confirm against the test class).
    """
    owner = User.objects.get(pk=118533)
    permission = 'forums_forum.thread_edit_forum'
    # First thread created by the user, and first thread created by anyone else.
    owned_thread = Thread.objects.filter(creator=owner)[0]
    foreign_thread = Thread.objects.exclude(creator=owner)[0]

    # Both calls pass self.forum_1 as the permission object, whichever forum
    # the thread itself belongs to.
    eq_(access.has_perm_or_owns(owner, permission, owned_thread, self.forum_1), True)

    # NOTE(review): the denial assumes the user does not hold `permission` on
    # self.forum_1 -- confirm against the test data. The case of a non-owner
    # who does hold the permission is not exercised by this test.
    eq_(access.has_perm_or_owns(owner, permission, foreign_thread, self.forum_1), False)
def test_util_has_perm_or_owns_sanity(self):
    """Sanity-check access.has_perm_or_owns on an owned and a non-owned thread."""
    from kitsune.forums.tests import thread

    owner = user(save=True)
    owned_thread = thread(creator=owner, save=True)
    # No creator is passed here; the test relies on the helper giving this
    # thread a creator other than `owner` (presumably a fresh user; confirm).
    foreign_thread = thread(save=True)
    permission = 'forums_forum.thread_edit_forum'

    # Each call checks the permission against the forum of the thread under test.
    eq_(access.has_perm_or_owns(owner, permission, owned_thread, owned_thread.forum), True)

    # NOTE(review): only the ownership path and one denial are covered; a
    # non-owner who holds `permission` on the forum is not exercised here.
    eq_(access.has_perm_or_owns(owner, permission, foreign_thread, foreign_thread.forum), False)
def test_util_has_perm_or_owns_sanity(self):
    """Sanity-check access.has_perm_or_owns on an owned and a non-owned thread."""
    from kitsune.forums.tests import ThreadFactory

    owner = UserFactory()
    owned_thread = ThreadFactory(creator=owner)
    # Built without an explicit creator; the test relies on the factory
    # assigning someone other than `owner` (presumably a new user; confirm).
    foreign_thread = ThreadFactory()
    permission = 'forums_forum.thread_edit_forum'

    # Each call checks the permission against the forum of the thread under test.
    eq_(access.has_perm_or_owns(owner, permission, owned_thread, owned_thread.forum), True)

    # NOTE(review): only the ownership path and one denial are covered; a
    # non-owner who holds `permission` on the forum is not exercised here.
    eq_(access.has_perm_or_owns(owner, permission, foreign_thread, foreign_thread.forum), False)
def test_util_has_perm_or_owns_sanity(self):
    """Sanity-check access.has_perm_or_owns on an owned and a non-owned thread."""
    from kitsune.forums.tests import ThreadFactory

    owner = UserFactory()
    owned_thread = ThreadFactory(creator=owner)
    # Built without an explicit creator; the test relies on the factory
    # assigning someone other than `owner` (presumably a new user; confirm).
    foreign_thread = ThreadFactory()
    permission = "forums_forum.thread_edit_forum"

    # Each call checks the permission against the forum of the thread under test.
    eq_(access.has_perm_or_owns(owner, permission, owned_thread, owned_thread.forum), True)

    # NOTE(review): only the ownership path and one denial are covered; a
    # non-owner who holds `permission` on the forum is not exercised here.
    eq_(access.has_perm_or_owns(owner, permission, foreign_thread, foreign_thread.forum), False)
def has_perm_or_owns(context, perm, obj, perm_obj, field_name='creator'):
    """
    Report whether the requesting user holds a permission or owns an object.

    The user is taken from ``context['request']``. Anonymous users are
    refused here, before ``access.has_perm_or_owns`` is consulted; for
    everyone else the decision is delegated to that function with the
    arguments forwarded unchanged.

    ``field_name`` names the attribute that holds the owner.
    NOTE(review): which of ``obj`` / ``perm_obj`` that attribute is read from
    is decided inside ``access.has_perm_or_owns`` -- confirm there.

    The ``context['request']`` lookup is not guarded, so a context without a
    request raises instead of returning False.
    """
    current_user = context['request'].user
    if not current_user.is_anonymous():
        return access.has_perm_or_owns(current_user, perm, obj, perm_obj, field_name)
    # Fail closed: an anonymous user can neither own the object nor hold the permission.
    return False
def _wrapped_view(request, *args, **kwargs):
    """Run the wrapped view only when the requester owns the object or holds the permission.

    ``obj_lookup``, ``perm_obj_lookup``, ``perm``, ``owner_attr`` and
    ``view_func`` are taken from the enclosing scope, which is not shown
    here. Every other outcome, including an unauthenticated request, gets
    an ``HttpResponseForbidden`` rather than a redirect.
    """
    # based on authority/decorators.py
    requester = request.user
    if not requester.is_authenticated():
        return HttpResponseForbidden()

    # NOTE(review): both objects are resolved from the URL kwargs before the
    # authorization decision. If _resolve_lookup raises a not-found error, an
    # authenticated caller without access could tell missing objects from
    # forbidden ones -- confirm whether that matters for these views.
    target = _resolve_lookup(obj_lookup, kwargs)
    perm_target = _resolve_lookup(perm_obj_lookup, kwargs)

    # The object-level check runs first; user.has_perm(perm), called without
    # an object, is consulted only when that check does not grant access.
    if (access.has_perm_or_owns(requester, perm, target, perm_target, owner_attr)
            or requester.has_perm(perm)):
        return view_func(request, *args, **kwargs)

    # In all other cases, permission denied
    return HttpResponseForbidden()