def test_util_has_perm_or_owns_sanity(self):
    """Sanity check for access.has_perm_or_owns.

    Asserts that a user is granted access to a thread they created and
    denied access to a thread created by someone else.
    """
    from kitsune.forums.tests import ThreadFactory

    owner = UserFactory()
    owned_thread = ThreadFactory(creator=owner)
    foreign_thread = ThreadFactory()
    perm = 'forums_forum.thread_edit_forum'

    # Owner path: the thread passed as obj was created by this user.
    eq_(access.has_perm_or_owns(owner, perm, owned_thread, owned_thread.forum), True)

    # Deny path: same user and permission name, but someone else's thread.
    # NOTE(review): no permission is assigned to the user in this test, so
    # only the ownership decision is exercised; the "has the permission but
    # does not own the object" case is not covered here.
    eq_(access.has_perm_or_owns(owner, perm, foreign_thread, foreign_thread.forum), False)
def has_perm_or_owns(context, perm, obj, perm_obj, field_name='creator'):
    """Return whether the requesting user has ``perm`` or owns the object.

    The user is read from ``context['request']``. Anonymous users are
    denied without consulting ``access.has_perm_or_owns``; every other
    user is delegated to it with the arguments unchanged.

    NOTE(review): the ownership comparison itself is done in
    ``access.has_perm_or_owns``, which is not shown here. Confirm there
    whether ``field_name`` is read from ``obj`` or from ``perm_obj``.
    """
    requester = context['request'].user
    # NOTE(review): ``is_anonymous`` is read as an attribute, which matches
    # Django >= 1.10 where it is a property. On older Django it is a method,
    # so a bare reference is always truthy and every caller would be denied.
    # Confirm the Django version this runs on.
    if not requester.is_anonymous:
        return access.has_perm_or_owns(requester, perm, obj, perm_obj, field_name)
    # Anonymous users never own anything and get no permission lookup.
    return False
def has_perm_or_owns(context, perm, obj, perm_obj, field_name='creator'):
    """Return whether the requesting user has ``perm`` or owns the object.

    The user is read from ``context['request']``. Anonymous users are
    denied without consulting ``access.has_perm_or_owns``; every other
    user is delegated to it with the arguments unchanged.

    NOTE(review): the ownership comparison itself is done in
    ``access.has_perm_or_owns``, which is not shown here. Confirm there
    whether ``field_name`` is read from ``obj`` or from ``perm_obj``.
    """
    requester = context['request'].user
    # NOTE(review): ``is_anonymous()`` is called as a method, which is the
    # pre-1.10 Django API. Django 2.0 dropped support for calling it, so
    # this line would raise there instead of denying. Confirm the Django
    # version this runs on.
    if not requester.is_anonymous():
        return access.has_perm_or_owns(requester, perm, obj, perm_obj, field_name)
    # Anonymous users never own anything and get no permission lookup.
    return False
def _wrapped_view(request, *args, **kwargs):
    """Run ``view_func`` only for users who own the object or hold ``perm``.

    Unauthenticated requests get a 403 before any lookup is resolved.
    For authenticated users the target object and the permission object
    are resolved from the view's keyword arguments; the view runs if
    ``access.has_perm_or_owns`` grants access or the user has ``perm``.
    Every other outcome is a 403.

    ``obj_lookup``, ``perm_obj_lookup``, ``perm``, ``owner_attr`` and
    ``view_func`` come from the enclosing scope, which is not shown here.

    NOTE(review): both lookups run before the permission decision. If
    ``_resolve_lookup`` answers a missing object with a 404, authenticated
    users can tell "missing" from "forbidden" — confirm that is acceptable.
    """
    # based on authority/decorators.py
    requester = request.user

    # NOTE(review): ``is_authenticated()`` is the pre-1.10 Django call form;
    # Django 2.0 dropped support for calling it. Confirm the target version.
    if not requester.is_authenticated():
        return HttpResponseForbidden()

    target = _resolve_lookup(obj_lookup, kwargs)
    perm_target = _resolve_lookup(perm_obj_lookup, kwargs)
    allowed = access.has_perm_or_owns(requester, perm, target, perm_target, owner_attr)

    # The object-level check is evaluated first; user.has_perm(perm) is
    # only consulted when that check does not grant access.
    if allowed or requester.has_perm(perm):
        return view_func(request, *args, **kwargs)

    # In all other cases, permission denied
    return HttpResponseForbidden()