def is_group_member(user, group):
"""Template filter to check if the given user is a member of the given
group.
.. seealso:: func:`cosinnus.utils.permissions.check_ug_membership`
"""
return check_ug_membership(user, group)
def widget_detail(request, id, offset=0):
wc = get_object_or_404(WidgetConfig, id=int(id))
if not check_user_superuser(request.user) and \
wc.group and not (check_ug_membership(request.user, wc.group) or \
wc.group.public or wc.type == WidgetConfig.TYPE_MICROSITE) or \
wc.user and wc.user_id != request.user.pk:
return HttpResponseForbidden('Access denied!')
widget_class = widget_registry.get(wc.app_name, wc.widget_name)
if widget_class is None:
return render('cosinnus/widgets/not_found.html')
widget = widget_class(request, wc)
widget_content, rows_returned, has_more = widget.get_data(int(offset))
data = {
'X-Cosinnus-Widget-Content': widget_content,
'X-Cosinnus-Widget-Title': force_text(widget.title),
'X-Cosinnus-Widget-App-Name': force_text(wc.app_name),
'X-Cosinnus-Widget-Widget-Name': force_text(wc.widget_name),
'X-Cosinnus-Widget-Num-Rows-Returned': rows_returned,
'X-Cosinnus-Widget-Has-More-Data': 'true' if has_more else 'false',
}
title_url = widget.title_url
if title_url is not None:
data['X-Cosinnus-Widget-Title-URL'] = force_text(title_url)
return JSONResponse(data)
def __init__(self, haystack_result, obj, user, *args, **kwargs):
kwargs.update({
'is_superuser':
check_user_superuser(user),
'is_member':
check_ug_membership(user, obj),
'is_pending':
check_ug_pending(user, obj),
'is_invited':
check_ug_invited_pending(user, obj),
'creator_name':
obj.creator and obj.creator.get_full_name(),
'creator_slug':
obj.creator and obj.creator.username,
'title':
obj.name,
'organization_type':
obj.get_type(),
'website_url':
obj.website,
'email':
obj.email,
'phone_number':
obj.phone_number.as_international if obj.phone_number else None,
'social_media': [{
'url': sm.url,
'icon': sm.icon
} for sm in obj.social_media.all()],
'edit_url':
obj.get_edit_url(),
'accept_url':
reverse('cosinnus:organization-user-accept',
kwargs={'organization': obj.slug}),
})
# collect administrator users. these are *not* filtered by visibility, as project admins are always visible!
sqs = SearchQuerySet().models(SEARCH_MODEL_NAMES_REVERSE['people'])
sqs = sqs.filter_and(admin_organizations=obj.id)
#sqs = filter_searchqueryset_for_read_access(sqs, user)
# private users are not visible to anonymous users, BUT they are visible to logged in users!
# because if a user chose to make his group visible, he has to take authorship responsibilities
if not user.is_authenticated:
sqs = filter_searchqueryset_for_read_access(sqs, user)
kwargs.update(
{'admins': [HaystackUserMapCard(result) for result in sqs]})
# Groups
sqs = SearchQuerySet().models(SEARCH_MODEL_NAMES_REVERSE['projects'],
SEARCH_MODEL_NAMES_REVERSE['groups'])
sqs = sqs.filter_and(id__in=haystack_result.groups)
sqs = filter_searchqueryset_for_read_access(sqs, user)
sqs = sqs.order_by('title')
kwargs.update(
{'groups': [HaystackGroupMapCard(result) for result in sqs]})
super(DetailedOrganizationMapResult,
self).__init__(haystack_result, obj, user, *args, **kwargs)
def __init__(self, haystack_result, obj, user, *args, **kwargs):
group_admins = list(obj.actual_admins)
message_url = None
if not settings.COSINNUS_IS_INTEGRATED_PORTAL:
message_url = message_group_admins_url(obj, group_admins)
kwargs.update({
'is_member':
check_ug_membership(user, obj),
'is_pending':
check_ug_pending(user, obj),
'is_invited':
check_ug_invited_pending(user, obj),
'action_url_1':
_prepend_url(user, obj.portal) +
group_aware_reverse('cosinnus:group-microsite',
kwargs={'group': obj},
skip_domain=True) + '?join=1',
'action_url_2': (_prepend_url(user, obj.portal) +
message_url) if message_url else None,
'youtube_url':
obj.video,
'twitter_username':
obj.twitter_username,
'flickr_url':
obj.flickr_url,
'website_url':
obj.website,
'contact':
linebreaksbr(escape(obj.contact_info)),
})
""" TODO: check all read permissions on related objects! """
# collect upcoming and visible project/group events
sqs = SearchQuerySet().models(SEARCH_MODEL_NAMES_REVERSE['events'])
sqs = sqs.filter_and(group=obj.id)
sqs = filter_searchqueryset_for_read_access(sqs, user)
sqs = filter_event_searchqueryset_by_upcoming(sqs)
sqs = sqs.order_by('from_date')
kwargs.update(
{'events': [HaystackEventMapCard(result) for result in sqs]})
# collect administrator users. these are *not* filtered by visibility, as project admins are always visible!
sqs = SearchQuerySet().models(SEARCH_MODEL_NAMES_REVERSE['people'])
sqs = sqs.filter_and(admin_groups=obj.id)
#sqs = filter_searchqueryset_for_read_access(sqs, user)
sqs = sqs.order_by('title')
kwargs.update(
{'admins': [HaystackUserMapCard(result) for result in sqs]})
return super(DetailedBaseGroupMapResult,
self).__init__(haystack_result, obj, user, *args,
**kwargs)
def dispatch(self, request, *args, **kwargs):
self.object = self.get_object()
poll = self.object
self.mode = 'view'
if poll.state == Poll.STATE_VOTING_OPEN and request.user.is_authenticated:
if check_object_read_access(poll, request.user) and (
poll.anyone_can_vote
or check_ug_membership(request.user, self.group)):
self.mode = 'vote'
try:
return super(PollVoteView, self).dispatch(request, *args, **kwargs)
except Redirect:
return HttpResponseRedirect(self.object.get_absolute_url())
def grant_extra_write_permissions(self, user, **kwargs):
""" An overridable check for whether this object grants certain users write permissions
even though by general rules that user couldn't write the object.
For todos, users who are assigned this todo can write to it to finish or reassign it.
@param user: The user to check for extra permissions for """
only_public_fields = False
fields = kwargs.get('fields', None)
if fields:
# if only a change to todo.assigned_to is requested,
# we allow that change if the user is a member of the todo's group
if len(fields) == 1 and 'assigned_to' in fields:
only_public_fields = check_ug_membership(user, self.group)
return only_public_fields or self.assigned_to == user
def __init__(self, haystack_result, obj, user, *args, **kwargs):
kwargs.update({
'is_member': check_ug_membership(user, obj.group),
'time_html': haystack_result.humanized_event_time_html,
})
# collect visible attending users
sqs = SearchQuerySet().models(SEARCH_MODEL_NAMES_REVERSE['people'])
sqs = sqs.filter_and(user_id__in=haystack_result.participants)
sqs = filter_searchqueryset_for_read_access(sqs, user)
sqs = sqs.order_by('title')
kwargs.update({
'participants': [HaystackUserMapCard(result) for result in sqs],
'participant_count': haystack_result.participant_count,
'followed': obj.is_user_following(user),
})
return super(DetailedEventResult, self).__init__(haystack_result, obj, user, *args, **kwargs)
def check_all_permissions(self, request, *args, **kwargs):
super(RequireGroupMember,
self).check_all_permissions(request, *args, **kwargs)
group_slug = kwargs.get('group', None)
if group_slug is None:
raise PermissionDenied
try:
self.group = CosinnusGroup.objects.get(slug=group_slug)
except CosinnusGroup.DoesNotExist:
raise PermissionDenied
user = request.user
if not (check_user_superuser(user)
or check_ug_membership(user, self.group)):
raise PermissionDenied
def wrapper(self, request, *args, **kwargs):
group_name = kwargs.get(group_url_kwarg, None)
if not group_name:
return HttpResponseNotFound(_("No group provided"))
try:
group = CosinnusGroup.objects.get(slug=group_name)
except CosinnusGroup.DoesNotExist:
return HttpResponseNotFound(_("No group found with this name"))
user = request.user
if group.public or user.is_superuser or \
check_ug_membership(user, group):
setattr(self, group_attr, group)
return function(self, request, *args, **kwargs)
return HttpResponseForbidden(_("Access denied"))
def widget_detail(request, id):
wc = get_object_or_404(WidgetConfig, id=int(id))
if wc.group and not (check_ug_membership(request.user, wc.group) or
wc.group.public) or \
wc.user and wc.user_id != request.user.pk:
return HttpResponseForbidden('Access denied!')
widget_class = widget_registry.get(wc.app_name, wc.widget_name)
widget = widget_class(request, wc)
data = widget.get_data()
if isinstance(data, six.string_types):
resp = HttpResponse(data)
else:
resp = JSONResponse(data)
resp['X-Cosinnus-Widget-Title'] = force_text(widget.title)
if widget.title_url is not None:
resp['X-Cosinnus-Widget-Title-URL'] = force_text(widget.title_url)
resp['X-Cosinnus-Widget-App-Name'] = force_text(wc.app_name)
resp['X-Cosinnus-Widget-Widget-Name'] = force_text(wc.widget_name)
return resp
def get_management_urls(self, obj):
user = self.context['request'].user
management_urls = {}
# available for all members
if check_ug_membership(user, obj) or check_user_superuser(user):
management_urls.update({
'manage_memberships':
group_aware_reverse('cosinnus:group-detail',
kwargs={'group': obj})
})
if check_ug_admin(user, obj) or check_user_superuser(user):
management_urls.update({
'manage_conference':
group_aware_reverse('cosinnus:group-edit',
kwargs={'group': obj}),
'manage_rooms':
group_aware_reverse('cosinnus:conference:room-management',
kwargs={'group': obj}),
'manage_events':
group_aware_reverse('cosinnus:event:conference-event-list',
kwargs={'group': obj}),
})
return management_urls
def process_request(self, request):
# pokemon exception handling
try:
global GROUP_TYPES
if GROUP_TYPES is None:
from cosinnus.core.registries.group_models import group_model_registry
GROUP_TYPES = [url_key for url_key in group_model_registry]
# split URL into non-empty parts
request_tokens = request.build_absolute_uri().split('/')
request_tokens = [
token for token in request_tokens
if token and not token.startswith('?')
]
# if URL might be a link to a group
if len(request_tokens) >= 4:
group_type = request_tokens[2]
group_slug = request_tokens[3]
if group_type in GROUP_TYPES:
# check permanent redirects to a group
to_group = CosinnusPermanentRedirect(
).get_group_for_pattern(CosinnusPortal().get_current(),
group_type, group_slug)
if to_group:
# redirect to the redirect with HttpResponsePermanentRedirect
redirect_url = ''.join((to_group.get_absolute_url(),
'/'.join(request_tokens[4:])))
if not getattr(
settings,
'COSINNUS_PERMANENT_REDIRECT_HIDE_USER_MESSAGE',
False):
messages.success(
request,
_('This team no longer resides under the URL you entered. You have been redirected automatically to the current location.'
))
return HttpResponseRedirect(redirect_url)
# check user-specific redirects (forcing users out of certain group urls
if request.user.is_authenticated:
from cosinnus.core.registries.group_models import group_model_registry
target_group_cls = group_model_registry.get(group_type)
portal = CosinnusPortal().get_current()
target_group = get_object_or_None(target_group_cls,
portal=portal,
slug=group_slug)
# *** Conferences: redirect most URLs to conference page ***
# if the group is a conference group, and the user is only a member, not an admin:
if target_group and target_group.group_is_conference:
is_admin = check_ug_admin(
request.user,
target_group) or check_user_superuser(
request.user, portal)
if settings.COSINNUS_CONFERENCES_USE_COMPACT_MODE:
# in a special setting, normal users are locked to the microsite,
# except for the conference application view and any event views
if len(request_tokens) > 4 and not (is_admin or \
(len(request_tokens) >= 6 and request_tokens[5] in ['apply',]) or \
(len(request_tokens) >= 5 and request_tokens[4] in ['event', 'join', 'decline', 'accept', 'withdraw', 'leave'])):
return HttpResponseRedirect(
target_group.get_absolute_url())
elif check_ug_membership(request.user,
target_group):
# normal users only have access to the conference page of a conference group (and the management views)
if len(request_tokens) <= 4 or (
request_tokens[4] not in [
'conference', 'members', 'leave'
] and not is_admin):
# bounce user to the conference start page (admins get bounced on index page)
return HttpResponseRedirect(
group_aware_reverse(
'cosinnus:conference:index',
kwargs={'group': target_group}))
except Exception as e:
if settings.DEBUG:
raise
logger.error(
'cosinnus.GroupPermanentRedirectMiddleware: Error while processing possible group redirect!',
extra={'exception', force_text(e)})
def grant_extra_read_permissions(self, user):
""" Group members may read etherpads if they are not private """
is_private = False
if self.media_tag:
is_private = self.media_tag.visibility == BaseTagObject.VISIBILITY_USER
return check_ug_membership(user, self.group) and not is_private
def grant_extra_write_permissions(self, user, **kwargs):
""" Group members may write/delete todolists """
return check_ug_membership(user, self.group)
def grant_extra_read_permissions(self, user):
""" Group members may read todolists """
return check_ug_membership(user, self.group)
def __init__(self, haystack_result, obj, user, *args, **kwargs):
message_url = None
if not settings.COSINNUS_IS_INTEGRATED_PORTAL and not 'cosinnus_message' in settings.COSINNUS_DISABLED_COSINNUS_APPS:
if settings.COSINNUS_ROCKET_ENABLED:
message_url = reverse('cosinnus:message-write-group',
kwargs={'slug': obj.slug})
else:
group_admins = list(obj.actual_admins)
message_url = message_group_admins_url(obj, group_admins)
kwargs.update({
'is_member':
check_ug_membership(user, obj),
'is_pending':
check_ug_pending(user, obj),
'is_invited':
check_ug_invited_pending(user, obj),
'action_url_1':
_prepend_url(user, obj.portal) +
group_aware_reverse('cosinnus:group-microsite',
kwargs={'group': obj},
skip_domain=True) + '?join=1',
'action_url_2': (_prepend_url(user, obj.portal) +
message_url) if message_url else None,
'youtube_url':
obj.video,
'twitter_username':
obj.twitter_username,
'flickr_url':
obj.flickr_url,
'website_url':
obj.website,
'contact':
linebreaksbr(escape(obj.contact_info)),
'followed':
obj.is_user_following(user),
'starred':
obj.is_user_starring(user)
})
""" TODO: check all read permissions on related objects! """
# collect upcoming and visible project/group events
sqs = SearchQuerySet().models(SEARCH_MODEL_NAMES_REVERSE['events'])
sqs = sqs.filter_and(group=obj.id)
sqs = filter_searchqueryset_for_read_access(sqs, user)
sqs = filter_event_searchqueryset_by_upcoming(sqs)
sqs = sqs.order_by('from_date')
kwargs.update(
{'events': [HaystackEventMapCard(result) for result in sqs]})
# collect administrator users. these are *not* filtered by visibility, as project admins are always visible!
sqs = SearchQuerySet().models(SEARCH_MODEL_NAMES_REVERSE['people'])
sqs = sqs.filter_and(admin_groups=obj.id)
#sqs = filter_searchqueryset_for_read_access(sqs, user)
sqs = sqs.order_by('title')
# private users are not visible to anonymous users, BUT they are visible to logged in users!
# because if a user chose to make his group visible, he has to take authorship responsibilities
if not user.is_authenticated:
sqs = filter_searchqueryset_for_read_access(sqs, user)
kwargs.update(
{'admins': [HaystackUserMapCard(result) for result in sqs]})
if settings.COSINNUS_ORGANIZATIONS_ENABLED:
sqs = SearchQuerySet().models(
SEARCH_MODEL_NAMES_REVERSE['organizations'])
sqs = sqs.filter_and(groups=obj.id)
sqs = filter_searchqueryset_for_read_access(sqs, user)
sqs = sqs.order_by('title')
kwargs.update({
'organizations':
[HaystackOrganizationMapCard(result) for result in sqs]
})
return super(DetailedBaseGroupMapResult,
self).__init__(haystack_result, obj, user, *args,
**kwargs)
