def has_any_page_change_permissions(request): from cms.utils.plugins import current_site return PagePermission.objects.filter( page__site=current_site(request) ).filter(( Q(user=request.user) | Q(group__in=request.user.groups.all()) )).exists()
def has_any_page_change_permissions(request): from cms.utils.plugins import current_site if not request.user.is_authenticated(): return False return request.user.is_superuser or PagePermission.objects.filter( page__site=current_site(request)).filter( (Q(user=request.user) | Q(group__in=request.user.groups.all()))).exists()
def has_any_page_change_permissions(request): from cms.utils.plugins import current_site permissions = PagePermission.objects.filter( page__site=current_site(request)).filter( Q(user=request.user) | Q(group__in=request.user.groups.all())) if permissions.count() > 0: return True return False
def has_any_page_change_permissions(request): from cms.utils.plugins import current_site if not request.user.is_authenticated(): return False return request.user.is_superuser or PagePermission.objects.filter( page__site=current_site(request) ).filter(( Q(user=request.user) | Q(group__in=request.user.groups.all()) )).exists()
def __init__(self, request, *args, **kwargs): super(CMSChangeList, self).__init__(request, *args, **kwargs) from cms.utils.plugins import current_site self._current_site = current_site(request) try: self.query_set = self.get_query_set(request) except: raise self.get_results(request) if self._current_site: request.session['cms_admin_site'] = self._current_site.pk self.set_sites(request)
def __init__(self, request, *args, **kwargs): from cms.utils.plugins import current_site self._current_site = current_site(request) super(CMSChangeList, self).__init__(request, *args, **kwargs) try: self.query_set = self.get_query_set(request) except: raise self.get_results(request) if self._current_site: request.session['cms_admin_site'] = self._current_site.pk self.set_sites(request)
def has_page_change_permission(request): """ Return true if the current user has permission to change any page. This is just used for building the tree - only superuser, or user with can_change in globalpagepermission can change a page. """ from cms.utils.plugins import current_site opts = Page._meta if request.user.is_superuser or ( request.user.has_perm(opts.app_label + '.' + opts.get_change_permission()) and ( has_global_page_permission(request, current_site(request), can_change=True)) or has_any_page_change_permissions(request)): return True return False
def has_view_permission(self, request): from cms.models.permissionmodels import PagePermission, GlobalPagePermission from cms.utils.plugins import current_site if not self.publisher_is_draft and self.publisher_public: return self.publisher_public.has_view_permission(request) # does any restriction exist? # inherited and direct is_restricted = PagePermission.objects.for_page(page=self).filter( can_view=True).exists() if request.user.is_authenticated(): site = current_site(request) global_perms_q = Q(can_view=True) & Q( Q(sites__in=[site]) | Q(sites__isnull=True)) global_view_perms = GlobalPagePermission.objects.with_user( request.user).filter(global_perms_q).exists() # a global permission was given to the request's user if global_view_perms: return True elif not is_restricted: if ((settings.CMS_PUBLIC_FOR == 'all') or (settings.CMS_PUBLIC_FOR == 'staff' and request.user.is_staff)): return True # a restricted page and an authenticated user elif is_restricted: opts = self._meta codename = '%s.view_%s' % (opts.app_label, opts.object_name.lower()) user_perm = request.user.has_perm(codename) generic_perm = self.has_generic_permission(request, "view") return (user_perm or generic_perm) else: #anonymous user if is_restricted or not settings.CMS_PUBLIC_FOR == 'all': # anyonymous user, page has restriction and global access is permitted return False else: # anonymous user, no restriction saved in database return True # Authenticated user # Django wide auth perms "can_view" or cms auth perms "can_view" opts = self._meta codename = '%s.view_%s' % (opts.app_label, opts.object_name.lower()) return (request.user.has_perm(codename) or self.has_generic_permission(request, "view"))
def has_view_permission(self, request): from cms.models.permissionmodels import PagePermission, GlobalPagePermission from cms.utils.plugins import current_site if not self.publisher_is_draft and self.publisher_public: return self.publisher_public.has_view_permission(request) # does any restriction exist? # inherited and direct is_restricted = PagePermission.objects.for_page(page=self).filter(can_view=True).exists() if request.user.is_authenticated(): site = current_site(request) global_perms_q = Q(can_view=True) & Q( Q(sites__in=[site]) | Q(sites__isnull=True) ) global_view_perms = GlobalPagePermission.objects.with_user( request.user).filter(global_perms_q).exists() # a global permission was given to the request's user if global_view_perms: return True elif not is_restricted: if ((settings.CMS_PUBLIC_FOR == 'all') or (settings.CMS_PUBLIC_FOR == 'staff' and request.user.is_staff)): return True # a restricted page and an authenticated user elif is_restricted: opts = self._meta codename = '%s.view_%s' % (opts.app_label, opts.object_name.lower()) user_perm = request.user.has_perm(codename) generic_perm = self.has_generic_permission(request, "view") return (user_perm or generic_perm) else: #anonymous user if is_restricted or not settings.CMS_PUBLIC_FOR == 'all': # anyonymous user, page has restriction and global access is permitted return False else: # anonymous user, no restriction saved in database return True # Authenticated user # Django wide auth perms "can_view" or cms auth perms "can_view" opts = self._meta codename = '%s.view_%s' % (opts.app_label, opts.object_name.lower()) return (request.user.has_perm(codename) or self.has_generic_permission(request, "view"))
def has_page_change_permission(request): """ Return true if the current user has permission to change this page. To be granted this permission, you need the cms.change_page permission. In addition, if CMS_PERMISSION is enabled you also need to either have global can_change permission or just on this page. """ from cms.utils.plugins import current_site opts = Page._meta return request.user.is_superuser or ( request.user.has_perm(opts.app_label + '.' + opts.get_change_permission()) and (not get_cms_setting('PERMISSION') or has_global_page_permission( request, current_site(request), can_change=True) or has_any_page_change_permissions(request)))
def has_page_change_permission(request): """ Return true if the current user has permission to change this page. To be granted this permission, you need the cms.change_page permission. In addition, if CMS_PERMISSION is enabled you also need to either have global can_change permission or just on this page. """ from cms.utils.plugins import current_site opts = Page._meta site = current_site(request) global_change_perm = GlobalPagePermission.objects.user_has_change_permission( request.user, site).exists() return request.user.is_superuser or ( request.user.has_perm(opts.app_label + '.' + opts.get_change_permission()) and global_change_perm or has_any_page_change_permissions(request))
def has_page_change_permission(request): """ Return true if the current user has permission to change this page. To be granted this permission, you need the cms.change_page permission. In addition, if CMS_PERMISSION is enabled you also need to either have global can_change permission or just on this page. """ from cms.utils.plugins import current_site opts = Page._meta return request.user.is_superuser or ( request.user.has_perm(opts.app_label + '.' + opts.get_change_permission()) and ( not get_cms_setting('PERMISSION') or has_global_page_permission(request, current_site(request), can_change=True) or has_any_page_change_permissions(request)))
def has_page_add_permission(request): """ Return true if the current user has permission to add a new page. This is just used for general add buttons - only superuser, or user with can_add in globalpagepermission can add page. Special case occur when page is going to be added from add page button in change list - then we have target and position there, so check if user can add page under target page will occur. """ opts = Page._meta if request.user.is_superuser: return True # if add under page target = request.GET.get('target', None) position = request.GET.get('position', None) from cms.utils.plugins import current_site site = current_site(request) if target is not None: try: page = Page.objects.get(pk=target) except Page.DoesNotExist: return False global_add_perm = GlobalPagePermission.objects.user_has_add_permission( request.user, site).exists() if (request.user.has_perm(opts.app_label + '.' + opts.get_add_permission()) and global_add_perm): return True if position in ("first-child", "last-child"): return page.has_add_permission(request) elif position in ("left", "right"): if page.parent_id: return has_generic_permission(page.parent_id, request.user, "add", page.site) else: global_add_perm = GlobalPagePermission.objects.user_has_add_permission( request.user, site).exists() if (request.user.has_perm(opts.app_label + '.' + opts.get_add_permission()) and global_add_perm): return True return False
def has_view_permission(self, request): from cms.models.permissionmodels import PagePermission, GlobalPagePermission from cms.utils.plugins import current_site # staff is allowed to see everything if request.user.is_staff and settings.CMS_PUBLIC_FOR in ('staff', 'all'): return True if not self.publisher_is_draft and self.publisher_public: return self.publisher_public.has_view_permission(request) # does any restriction exist? # direct # inherited and direct is_restricted = PagePermission.objects.for_page(self).filter(can_view=True).exists() if request.user.is_authenticated(): site = current_site(request) global_view_perms = GlobalPagePermission.objects.with_user( request.user).filter(can_view=True, sites__in=[site]).exists() # a global permission was given to the request's user if global_view_perms: return True # authenticated user, no restriction and public for all fallback if (not is_restricted and not global_view_perms and not settings.CMS_PUBLIC_FOR == 'all'): return False # authenticated user, no restriction and public for all if (not is_restricted and not global_view_perms and settings.CMS_PUBLIC_FOR == 'all'): return True else: #anonymous user if is_restricted or not settings.CMS_PUBLIC_FOR == 'all': # anyonymous user, page has restriction and global access is permitted return False else: # anonymous user, no restriction saved in database return True # Authenticated user # Django wide auth perms "can_view" or cms auth perms "can_view" opts = self._meta codename = '%s.view_%s' % (opts.app_label, opts.object_name.lower()) return (request.user.has_perm(codename) or self.has_generic_permission(request, "view"))
def get_any_page_view_permissions(request, page): from cms.utils.plugins import current_site return PagePermission.objects.filter( page__pk=page.pk, page__site=current_site(request), can_view=True)
def has_any_page_change_permissions(request): from cms.utils.plugins import current_site permissions = PagePermission.objects.filter(page__site=current_site(request)).filter(Q(user=request.user)|Q(group__in=request.user.groups.all())) if permissions.count()>0: return True return False
def get_visible_pages(request, pages, site=None): """ This code is basically a many-pages-at-once version of Page.has_view_permission. pages contains all published pages check if there is ANY restriction that needs a permission page visibility calculation """ public_for = get_cms_setting('PUBLIC_FOR') is_setting_public_all = public_for == 'all' is_setting_public_staff = public_for == 'staff' is_auth_user = request.user.is_authenticated() visible_page_ids = [] restricted_pages = defaultdict(list) page_permissions = PagePermission.objects.filter(can_view=True).select_related('page', 'group__users') for perm in page_permissions: # collect the pages that are affected by permissions if site and perm.page.site_id != site.pk: continue if perm is not None and perm not in restricted_pages[perm.page.pk]: # affective restricted pages gathering # using mptt functions # add the page with the perm itself if perm.grant_on in [ACCESS_PAGE, ACCESS_PAGE_AND_CHILDREN, ACCESS_PAGE_AND_DESCENDANTS]: restricted_pages[perm.page.pk].append(perm) restricted_pages[perm.page.publisher_public_id].append(perm) # add children if perm.grant_on in [ACCESS_CHILDREN, ACCESS_PAGE_AND_CHILDREN]: child_ids = perm.page.get_children().values_list('id', 'publisher_public_id') for id, public_id in child_ids: restricted_pages[id].append(perm) restricted_pages[public_id].append(perm) # add descendants elif perm.grant_on in [ACCESS_DESCENDANTS, ACCESS_PAGE_AND_DESCENDANTS]: child_ids = perm.page.get_descendants().values_list('id', 'publisher_public_id') for id, public_id in child_ids: restricted_pages[id].append(perm) restricted_pages[public_id].append(perm) # anonymous # no restriction applied at all if (not is_auth_user and is_setting_public_all and not restricted_pages): return [page.pk for page in pages] if site is None: site = current_site(request) # authenticated user and global permission if is_auth_user: global_page_perm_q = Q( Q(user=request.user) | Q(group__user=request.user) ) & Q(can_view=True) & Q(Q(sites__in=[site.pk]) | Q(sites__isnull=True)) global_view_perms = GlobalPagePermission.objects.filter(global_page_perm_q).exists() #no page perms edge case - all visible if ((is_setting_public_all or ( is_setting_public_staff and request.user.is_staff)) and not restricted_pages and not global_view_perms): return [page.pk for page in pages] #no page perms edge case - none visible elif (is_setting_public_staff and not request.user.is_staff and not restricted_pages and not global_view_perms): return [] def has_global_perm(): if has_global_perm.cache < 0: has_global_perm.cache = 1 if request.user.has_perm('cms.view_page') else 0 return bool(has_global_perm.cache) has_global_perm.cache = -1 def has_permission_membership(page): """ PagePermission user group membership tests """ user_pk = request.user.pk page_pk = page.pk has_perm = False for perm in restricted_pages[page_pk]: if perm.user_id == user_pk: has_perm = True if not perm.group_id: continue group_user_ids = perm.group.user_set.values_list('pk', flat=True) if user_pk in group_user_ids: has_perm = True return has_perm for page in pages: to_add = False # default to false, showing a restricted page is bad # explicitly check all the conditions # of settings and permissions is_restricted = page.pk in restricted_pages # restricted_pages contains as key any page.pk that is # affected by a permission grant_on if is_auth_user: # a global permission was given to the request's user if global_view_perms: to_add = True # setting based handling of unrestricted pages elif not is_restricted and ( is_setting_public_all or ( is_setting_public_staff and request.user.is_staff) ): # authenticated user, no restriction and public for all # or # authenticated staff user, no restriction and public for staff to_add = True # check group and user memberships to restricted pages elif is_restricted and has_permission_membership(page): to_add = True elif has_global_perm(): to_add = True # anonymous user, no restriction elif not is_restricted and is_setting_public_all: to_add = True # store it if to_add: visible_page_ids.append(page.pk) return visible_page_ids
def get_visible_pages(request, pages, site=None): """ This code is basically a many-pages-at-once version of Page.has_view_permission. pages contains all published pages check if there is ANY restriction that needs a permission page visibility calculation """ public_for = get_cms_setting('PUBLIC_FOR') is_setting_public_all = public_for == 'all' is_setting_public_staff = public_for == 'staff' is_auth_user = request.user.is_authenticated() visible_page_ids = [] restricted_pages = defaultdict(list) page_permissions = PagePermission.objects.filter( can_view=True).select_related('page', 'group__users') for perm in page_permissions: # collect the pages that are affected by permissions if site and perm.page.site_id != site.pk: continue if perm is not None and perm not in restricted_pages[perm.page.pk]: # affective restricted pages gathering # using mptt functions # add the page with the perm itself if perm.grant_on in [ ACCESS_PAGE, ACCESS_PAGE_AND_CHILDREN, ACCESS_PAGE_AND_DESCENDANTS ]: restricted_pages[perm.page.pk].append(perm) restricted_pages[perm.page.publisher_public_id].append(perm) # add children if perm.grant_on in [ACCESS_CHILDREN, ACCESS_PAGE_AND_CHILDREN]: child_ids = perm.page.get_children().values_list( 'id', 'publisher_public_id') for id, public_id in child_ids: restricted_pages[id].append(perm) restricted_pages[public_id].append(perm) # add descendants elif perm.grant_on in [ ACCESS_DESCENDANTS, ACCESS_PAGE_AND_DESCENDANTS ]: child_ids = perm.page.get_descendants().values_list( 'id', 'publisher_public_id') for id, public_id in child_ids: restricted_pages[id].append(perm) restricted_pages[public_id].append(perm) # anonymous # no restriction applied at all if (not is_auth_user and is_setting_public_all and not restricted_pages): return [page.pk for page in pages] if site is None: site = current_site(request) # authenticated user and global permission if is_auth_user: global_page_perm_q = Q( Q(user=request.user) | Q(group__user=request.user)) & Q(can_view=True) & Q( Q(sites__in=[site.pk]) | Q(sites__isnull=True)) global_view_perms = GlobalPagePermission.objects.filter( global_page_perm_q).exists() #no page perms edge case - all visible if ((is_setting_public_all or (is_setting_public_staff and request.user.is_staff)) and not restricted_pages and not global_view_perms): return [page.pk for page in pages] #no page perms edge case - none visible elif (is_setting_public_staff and not request.user.is_staff and not restricted_pages and not global_view_perms): return [] def has_global_perm(): if has_global_perm.cache < 0: has_global_perm.cache = 1 if request.user.has_perm( 'cms.view_page') else 0 return bool(has_global_perm.cache) has_global_perm.cache = -1 def has_permission_membership(page): """ PagePermission user group membership tests """ user_pk = request.user.pk page_pk = page.pk has_perm = False for perm in restricted_pages[page_pk]: if perm.user_id == user_pk: has_perm = True if not perm.group_id: continue group_user_ids = perm.group.user_set.values_list('pk', flat=True) if user_pk in group_user_ids: has_perm = True return has_perm for page in pages: to_add = False # default to false, showing a restricted page is bad # explicitly check all the conditions # of settings and permissions is_restricted = page.pk in restricted_pages # restricted_pages contains as key any page.pk that is # affected by a permission grant_on if is_auth_user: # a global permission was given to the request's user if global_view_perms: to_add = True # setting based handling of unrestricted pages elif not is_restricted and (is_setting_public_all or (is_setting_public_staff and request.user.is_staff)): # authenticated user, no restriction and public for all # or # authenticated staff user, no restriction and public for staff to_add = True # check group and user memberships to restricted pages elif is_restricted and has_permission_membership(page): to_add = True elif has_global_perm(): to_add = True # anonymous user, no restriction elif not is_restricted and is_setting_public_all: to_add = True # store it if to_add: visible_page_ids.append(page.pk) return visible_page_ids
def get_visible_pages(request, pages, site=None): # This code is basically a many-pages-at-once version of # Page.has_view_permission, check there to see wtf is going on here. if request.user.is_staff and settings.CMS_PUBLIC_FOR in ('staff', 'all'): return [page.pk for page in pages] page_ids = [] pages_perms_q = Q() for page in pages: page_q = Q(page__tree_id=page.tree_id) & ( Q(page=page) | (Q(page__level__lt=page.level) & (Q(grant_on=ACCESS_DESCENDANTS) | Q(grant_on=ACCESS_PAGE_AND_DESCENDANTS))) | (Q(page__level=page.level - 1) & (Q(grant_on=ACCESS_CHILDREN) | Q(grant_on=ACCESS_PAGE_AND_CHILDREN))) ) pages_perms_q |= page_q pages_perms_q &= Q(can_view=True) page_permissions = PagePermission.objects.filter(pages_perms_q).select_related('page', 'group__users') restricted_pages = defaultdict(list) for perm in page_permissions: restricted_pages[perm.page.pk].append(perm) if site is None: site = current_site(request) if request.user.is_authenticated(): #return self.filter(Q(user=user) | Q(group__user=user)) global_page_perm_q = Q( Q(user=request.user) | Q(group__user=request.user) ) & Q(can_view=True) & Q(Q(sites__in=[site.pk]) | Q(sites__isnull=True)) global_view_perms = GlobalPagePermission.objects.filter(global_page_perm_q).exists() def has_global_perm(): if has_global_perm.cache < 0: has_global_perm.cache = 1 if request.user.has_perm('cms.view_page') else 0 return bool(has_global_perm.cache) has_global_perm.cache = -1 def has_permission(page): """ PagePermission tests """ for perm in restricted_pages[page.pk]: if perm.user_id == request.user.pk: return True for perm in restricted_pages[page.pk]: if not perm.group_id: continue if request.user.pk in perm.group.user_set.values_list('id', flat=True): return True return False for page in pages: is_restricted = page.pk in restricted_pages if request.user.is_authenticated(): # a global permission was given to the request's user if global_view_perms: page_ids.append(page.pk) # authenticated user, no restriction and public for all elif settings.CMS_PUBLIC_FOR == 'all': page_ids.append(page.pk) elif has_permission(page): page_ids.append(page.pk) elif has_global_perm(): page_ids.append(page.pk) elif not is_restricted and settings.CMS_PUBLIC_FOR == 'all': # anonymous user, no restriction saved in database page_ids.append(page.pk) return page_ids
def get_visible_pages(request, pages, site=None): # This code is basically a many-pages-at-once version of # Page.has_view_permission, check there to see wtf is going on here. if request.user.is_staff and settings.CMS_PUBLIC_FOR in ('staff', 'all'): return [page.pk for page in pages] page_ids = [] pages_perms_q = Q() for page in pages: page_q = Q(page__tree_id=page.tree_id) & ( Q(page=page) | (Q(page__level__lt=page.level) & (Q(grant_on=ACCESS_DESCENDANTS) | Q(grant_on=ACCESS_PAGE_AND_DESCENDANTS))) | (Q(page__level=page.level - 1) & (Q(grant_on=ACCESS_CHILDREN) | Q(grant_on=ACCESS_PAGE_AND_CHILDREN)))) pages_perms_q |= page_q pages_perms_q &= Q(can_view=True) page_permissions = PagePermission.objects.filter( pages_perms_q).select_related('page', 'group__users') restricted_pages = defaultdict(list) for perm in page_permissions: restricted_pages[perm.page.pk].append(perm) if site is None: site = current_site(request) if request.user.is_authenticated(): #return self.filter(Q(user=user) | Q(group__user=user)) global_page_perm_q = Q( Q(user=request.user) | Q(group__user=request.user)) & Q(can_view=True) & Q( Q(sites__in=[site.pk]) | Q(sites__isnull=True)) global_view_perms = GlobalPagePermission.objects.filter( global_page_perm_q).exists() def has_global_perm(): if has_global_perm.cache < 0: has_global_perm.cache = 1 if request.user.has_perm( 'cms.view_page') else 0 return bool(has_global_perm.cache) has_global_perm.cache = -1 def has_permission(page): """ PagePermission tests """ for perm in restricted_pages[page.pk]: if perm.user_id == request.user.pk: return True for perm in restricted_pages[page.pk]: if not perm.group_id: continue if request.user.pk in perm.group.user_set.values_list('id', flat=True): return True return False for page in pages: is_restricted = page.pk in restricted_pages if request.user.is_authenticated(): # a global permission was given to the request's user if global_view_perms: page_ids.append(page.pk) # authenticated user, no restriction and public for all elif settings.CMS_PUBLIC_FOR == 'all': page_ids.append(page.pk) elif has_permission(page): page_ids.append(page.pk) elif has_global_perm(): page_ids.append(page.pk) elif not is_restricted and settings.CMS_PUBLIC_FOR == 'all': # anonymous user, no restriction saved in database page_ids.append(page.pk) return page_ids
def has_page_change_permission(request): """Return true if the current user has permission to change any page. This is just used for building the tree - only superuser, or user with can_change in globalpagepermission can change a page. """ from cms.utils.plugins import current_site opts = Page._meta if request.user.is_superuser or \ (request.user.has_perm(opts.app_label + '.' + opts.get_change_permission()) and (GlobalPagePermission.objects.with_user(request.user).filter(can_change=True, sites__in=[current_site(request)]).count()>0) or has_any_page_change_permissions(request)): return True return False