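def move_thread(request, forum_slug, thread_id):
    """Move a thread into the forum named by the ``forum`` POST field.

    The thread is looked up with ``forum=forum``, so a thread id that does
    not belong to the forum in the URL yields a 404.

    The authorization checks run in a deliberate order:

    1. Both the source and destination forum must be viewable by the user,
       otherwise ``Http404`` is raised. This gives the same answer as a
       forum that does not exist.
    2. The user must be allowed to post in the destination forum.
    3. The user must hold ``forums_forum.thread_move_forum`` on both the
       destination and the source forum.

    Raises:
        Http404: a forum or the thread is missing, or either forum is not
            viewable by the user.
        PermissionDenied: the user may not post in the destination, or
            lacks the move permission on either forum.

    Returns:
        HttpResponseRedirect to the thread's URL after the move.
    """
    # NOTE(review): no decorators are visible in this excerpt. Confirm that
    # login-required and POST-only enforcement are applied to this view.
    # NOTE(review): has_perm is called with a user as its first argument.
    # Confirm the imported name is the access-layer check, not a helper
    # that expects a template context.
    forum = get_object_or_404(Forum, slug=forum_slug)
    thread = get_object_or_404(Thread, pk=thread_id, forum=forum)
    user = request.user

    new_forum_id = request.POST.get('forum')
    new_forum = get_object_or_404(Forum, id=new_forum_id)

    # Don't admit that unviewable forums exist or allow escalation of privs by
    # moving things to a looser forum:
    if not (forum.allows_viewing_by(user) and
            new_forum.allows_viewing_by(user)):
        raise Http404

    # Don't allow the equivalent of posting here by posting elsewhere then
    # moving:
    if not new_forum.allows_posting_by(user):
        raise PermissionDenied

    # The move permission is required on both ends, not just the destination.
    if not (has_perm(user, 'forums_forum.thread_move_forum', new_forum) and
            has_perm(user, 'forums_forum.thread_move_forum', forum)):
        raise PermissionDenied

    # Audit trail: pass the values as logging arguments instead of
    # pre-formatting, and record the resolved forum's id rather than the raw
    # POST value, so the line only carries database-derived identifiers.
    log.warning('User %s is moving thread with id=%s to forum with id=%s',
                user, thread.id, new_forum.id)
    thread.forum = new_forum
    thread.save()

    return HttpResponseRedirect(thread.get_absolute_url())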
def has_perm(context, perm, obj):
    """Ask the access layer whether the requesting user holds *perm* on *obj*.

    ``context`` must be a mapping with a ``'request'`` key; the user is read
    from ``context['request'].user`` (presumably a template context, so
    confirm against the callers). The result of ``access.has_perm`` is
    returned unchanged; the original author documents it as a boolean.
    """
    requesting_user = context['request'].user
    return access.has_perm(requesting_user, perm, obj)
def test_admin_perm_thread(self):
    """A superuser holds each listed thread/post permission on both forums."""
    # Presumably fixture user pk=1 is the superuser; confirm in the fixtures.
    superuser = User.objects.get(pk=1)

    # NOTE(review): this tuple does not include 'thread_move_forum',
    # 'post_in_forum' or 'view_in_forum'. Confirm those permissions are
    # covered by another test.
    permission_names = (
        'thread_edit_forum',
        'thread_delete_forum',
        'post_edit_forum',
        'thread_sticky_forum',
        'thread_locked_forum',
        'post_delete_forum',
    )
    both_forums = (self.forum_1, self.forum_2)

    # Every permission is checked against every forum, permission-major.
    checks = [(name, target)
              for name in permission_names
              for target in both_forums]
    for name, target in checks:
        assert access.has_perm(superuser, 'forums_forum.' + name, target)
def allows_posting_by(self, user):
    """Tell whether *user* may create threads and posts in this forum.

    Posting is allowed when the forum accepts public posting. Otherwise the
    user must hold ``forums_forum.post_in_forum`` on this forum object.
    """
    open_to_everyone = self._allows_public_posting()
    # `or` short-circuits, so the per-object permission lookup only runs
    # when the forum is not publicly postable.
    return open_to_everyone or has_perm(user, 'forums_forum.post_in_forum', self)
def allows_viewing_by(self, user):
    """Tell whether *user* may see this forum, its threads and their posts.

    Viewing is allowed when the forum is publicly viewable. Otherwise the
    user must hold ``forums_forum.view_in_forum`` on this forum object.
    """
    visible_to_everyone = self._allows_public_viewing()
    # `or` short-circuits, so the per-object permission lookup only runs
    # when the forum is not publicly viewable.
    return visible_to_everyone or has_perm(user, 'forums_forum.view_in_forum', self)
def test_has_perm_per_object(self):
    """has_perm must answer per forum object, not per permission name."""
    permission = 'forums_forum.thread_edit_forum'
    # Presumably the fixtures grant this user the permission on forum_1
    # only; confirm in the fixture data.
    member = User.objects.get(pk=47963)

    # Granted on the forum the permission is attached to ...
    granted_on_first = access.has_perm(member, permission, self.forum_1)
    assert granted_on_first

    # ... and refused on the other forum, so a grant does not leak between
    # objects.
    granted_on_second = access.has_perm(member, permission, self.forum_2)
    assert not granted_on_second