def dispatch(self, *args, **kwargs):
"""
checks permissions, requires a login and
because we are using a generic view approach to the data-models
in django BMF, we can ditch a middleware (less configuration)
and add the functionality we need for the framework to
work properly to this function.
"""
# add the site object to every request
setattr(self.request, 'djangobmf_appconfig', apps.get_app_config(bmfsettings.APP_LABEL))
setattr(self.request, 'djangobmf_site', self.request.djangobmf_appconfig.site)
# add the authenticated user and employee to the request (as a lazy queryset)
self.request.user.djangobmf = Employee(self.request.user)
# TODO ... call check_object_permission instead when objects have a model
try:
if not self.check_permissions(self.request):
return permission_denied(self.request)
except Http404:
return page_not_found(self.request)
# TODO MOVE THIS CHECK TO PERMISSIONS
# check if bmf has a employee model and if so do a validation of the
# employee instance (users, who are not employees are not allowed to access)
if self.request.user.djangobmf.has_employee and not self.request.user.djangobmf.employee:
logger.debug("User %s does not have permission to access djangobmf" % self.request.user)
if self.request.user.is_superuser:
return redirect('djangobmf:wizard', permanent=False)
else:
return permission_denied(self.request)
response = super(BaseMixin, self).dispatch(*args, **kwargs)
# Catch HTTP error codes and redirect to a bmf-specific template
if response.status_code in [400, 403, 404, 500] and not settings.DEBUG:
if response.status_code == 400:
return bad_request(self.request)
if response.status_code == 403:
return permission_denied(self.request)
if response.status_code == 404:
return page_not_found(self.request)
if response.status_code == 500:
return server_error(self.request)
return response
def test_permission_denied(self):
request = self.factory.get('/403/')
response = permission_denied(request)
self.assertEqual(response.status_code, 403)
