def _check_global_or_local_perm(request, *args, **kwargs):
    """Run ``view_func`` if the caller holds the global permission or the local one on the text.

    Closure variables from the enclosing decorator: ``must_be_logged_in``,
    ``api``, ``view_func``, ``global_perm_name`` and ``perm_name``.

    Checks run in this order: login requirement, ``global_perm_name`` on the
    request, the ``cm_settings.NO_SECURITY`` bypass, then ``perm_name`` on the
    text resolved from ``kwargs['key']``. Web views are denied with an
    exception; API handlers get ``rc.FORBIDDEN`` back instead.

    NOTE(review): in API mode the login check and the global check are made
    with ``request`` while the local check uses ``args[0]``; whether those two
    objects are interchangeable for ``has_perm`` is not visible here — confirm.

    Raises:
        UnauthorizedException: login required or permission missing (non-API).
        Exception: no ``key`` kwarg, so there is no object to check against
            (fails closed rather than open).
    """
    def refuse(message):
        # Web views signal denial by exception, API handlers by a status object.
        if api:
            return rc.FORBIDDEN
        raise UnauthorizedException(message)

    if must_be_logged_in and not is_authenticated(request):
        return refuse('Should be logged in')

    # Site-wide permission short-circuits the per-text lookup.
    if has_perm(request, global_perm_name, text=None):
        return view_func(request, *args, **kwargs)

    if cm_settings.NO_SECURITY:
        return view_func(request, *args, **kwargs)

    try:
        text_key = kwargs['key']
    except KeyError:
        raise Exception('no security check possible')
    text = get_object_or_404(Text, key=text_key)

    # API handlers receive the handler object first; the HTTP request is args[0].
    req = args[0] if api else request
    if has_perm(req, perm_name, text=text):
        return view_func(request, *args, **kwargs)

    return refuse('No perm %s' % perm_name)
    # Defensive: every path above already returned or raised.
    raise UnauthorizedException('No global perm %s nor local perm %s' % (global_perm_name, perm_name))
def _check_local_perm(request, *args, **kwargs):
    """Run ``view_func`` only if the caller holds ``perm_name`` on the text named by ``kwargs['key']``.

    Closure variables from the enclosing decorator: ``must_be_logged_in``,
    ``api``, ``view_func`` and ``perm_name``. The ``cm_settings.NO_SECURITY``
    bypass is evaluated before the login requirement.

    Raises:
        UnauthorizedException: login required or permission missing (non-API;
            API handlers receive ``rc.FORBIDDEN`` instead).
        Exception: no ``key`` kwarg, so no object to check against (fails closed).
    """
    def refuse(message):
        # Web views signal denial by exception, API handlers by a status object.
        if api:
            return rc.FORBIDDEN
        raise UnauthorizedException(message)

    if cm_settings.NO_SECURITY:
        return view_func(request, *args, **kwargs)

    if must_be_logged_in and not is_authenticated(request):
        return refuse('Should be logged in')

    try:
        text_key = kwargs['key']
    except KeyError:
        raise Exception('no security check possible')
    text = get_object_or_404(Text, key=text_key)

    # API handlers receive the handler object first; the HTTP request is args[0].
    req = args[0] if api else request
    if has_perm(req, perm_name, text=text):
        return view_func(request, *args, **kwargs)

    # TODO (from original, usefulness unclear): when the caller is anonymous and
    # some user does hold the permission, redirect to the login page instead of
    # refusing outright.
    return refuse('No perm %s' % perm_name)
def _check_global_perm(request, *args, **kwargs):
    """Run ``view_func`` only if the caller holds the site-wide permission ``perm_name``.

    Closure variables from the enclosing decorator: ``must_be_logged_in``,
    ``perm_name`` and ``view_func``. Unlike the local-permission checks there
    is no ``NO_SECURITY`` bypass and no API (``rc.FORBIDDEN``) variant here:
    every denial is an exception.

    Raises:
        UnauthorizedException: anonymous caller when login is required, or
            the permission is missing.
    """
    if must_be_logged_in and not is_authenticated(request):
        raise UnauthorizedException('Should be logged in')
    if not has_perm(request, perm_name, text=None):
        raise UnauthorizedException('No global perm %s' % perm_name)
    return view_func(request, *args, **kwargs)
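def text_delete(request, key):
    """Delete the text identified by ``key``; POST only, called from JavaScript.

    Returns an empty ``HttpResponse`` because the client-side script handles
    navigation after the call.

    Raises:
        UnauthorizedException: request method is not POST.
        Http404: no text has this key (via ``get_object_or_404``).
    """
    # Reject non-POST before touching the database so a GET does not even
    # trigger the lookup.
    if request.method != 'POST':
        raise UnauthorizedException('Unauthorized')
    # Unknown keys answer 404 instead of surfacing Text.DoesNotExist as a 500,
    # matching how the other views in this module resolve their objects.
    text = get_object_or_404(Text, key=key)
    display_message(request, _(u'Text %(text_title)s deleted') % {'text_title': text.title})
    register_activity(request, "text_removed", text=text)
    text.delete()
    return HttpResponse('')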
def text_revert(request, key, text_version_key):
    """Create a new version of text ``key`` copied from version ``text_version_key``; POST only.

    Returns an empty ``HttpResponse``: the caller is client-side JavaScript
    that handles navigation itself.

    Raises:
        UnauthorizedException: request method is not POST.
    """
    if request.method != 'POST':
        raise UnauthorizedException('Unauthorized')
    text = get_text_by_keys_or_404(key)
    copied_from = text.revert_to_version(text_version_key)
    notice = _(u'A new version (copied from version %(version_title)s) has been created')
    display_message(request, notice % {'version_title': copied_from.title})
    return HttpResponse('')
def user_send_invitation(request, key):
    """Re-send the invitation e-mail for the profile ``key``; POST only, called from JavaScript.

    Raises:
        UnauthorizedException: (empty message) for any non-POST request.
        Http404: no profile with this key.
    """
    if request.method != 'POST':
        raise UnauthorizedException('')
    profile = get_object_or_404(UserProfile, key=key)
    profile.send_invitation_email()
    display_message(
        request,
        _(u"A new invitation has been sent to user %(prof)s.") % {'prof': profile.simple_print()},
    )
    # Empty body on purpose: the JavaScript caller decides what to do next.
    return HttpResponse('')
def get_text_and_admin(key, adminkey, assert_admin=False):
    """Load the text ``key`` and report whether ``adminkey`` grants admin rights on it.

    Admin status here is purely possession of the matching ``adminkey``: when
    one is given, the lookup requires both ``key`` and ``adminkey`` to match,
    and a successful match is treated as admin. No session or user check is
    made in this helper.

    Args:
        key: the text's public key.
        adminkey: the text's admin key, or a falsy value for a plain lookup.
        assert_admin: when true, refuse non-admin access with an exception.

    Returns:
        ``(text, admin)`` where ``admin`` is a bool.

    Raises:
        Text.DoesNotExist: no text matches ``key`` (and ``adminkey`` when given).
        UnauthorizedException: ``assert_admin`` is set and ``adminkey`` did not match.
    """
    if adminkey:
        text = Text.objects.get(key=key, adminkey=adminkey)
        admin = bool(text)
    else:
        text = Text.objects.get(key=key)
        admin = False
    if assert_admin and not admin:
        raise UnauthorizedException('Is not admin')
    return text, admin
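def _delete_texts_checked(request, text_keys):
    """Delete every text in ``text_keys`` once the caller is allowed to delete all of them.

    Permissions are verified for the whole batch before the first delete, so a
    denial part-way through cannot leave a half-applied bulk action.

    Raises:
        Http404: one of the keys does not match a text.
        UnauthorizedException: ``can_delete_text`` is missing on any of them.
    """
    texts = [get_object_or_404(Text, key=text_key) for text_key in text_keys]
    for text in texts:
        if not has_perm(request, 'can_delete_text', text=text):
            raise UnauthorizedException('No perm can_delete_text on text')
    for text in texts:
        text.delete()


def text_list(request):
    """List the texts the caller may view, optionally filtered by tag; handle bulk delete on POST.

    GET parameters: ``paginate`` (page size, default ``TEXT_PAGINATION``),
    ``tag_selected`` (tag name to filter on) and ``order`` (one of the
    whitelisted orderings, default ``-modified``).

    POST with ``action=delete`` deletes the texts whose ``check-<key>`` boxes
    were submitted, after checking ``can_delete_text`` on each, then redirects
    to the list. Any other POST falls through to the listing.

    Raises:
        UnauthorizedException: bulk delete requested on a text the caller may not delete.
        Http404: a submitted key matches no text.
    """
    paginate_by = get_int(request.GET, 'paginate', TEXT_PAGINATION)
    tag_selected = request.GET.get('tag_selected', 0)
    # get_among whitelists the ordering, so user input never reaches order_by() raw.
    order_by = get_among(
        request.GET,
        'order',
        ('title', 'author', 'modified', '-title', '-author', '-modified'),
        '-modified',
    )

    if request.method == 'POST':
        action = request.POST.get('action', None)
        text_keys = get_keys_from_dict(request.POST, 'check-').keys()
        if action == 'delete':
            _delete_texts_checked(request, text_keys)
            display_message(request, _(u'%(nb_texts)i text(s) deleted') % {'nb_texts': len(text_keys)})
            return HttpResponseRedirect(reverse('text'))

    # Resolve the viewable set once; both the ordered queryset and the tag
    # usage derive from it.
    viewable = get_texts_with_perm(request, 'can_view_text')
    texts = viewable.order_by(order_by)
    try:
        tag_list = Tag.objects.usage_for_queryset(
            TextVersion.objects.filter(id__in=[t.last_text_version_id for t in viewable]))
    except EmptyResultSet:
        tag_list = []
    context = {
        'tag_list': tag_list,
        'tag_selected': tag_selected,
    }

    if tag_selected:
        tag_ids = Tag.objects.filter(name=tag_selected)
        if tag_ids:
            content_type_id = ContentType.objects.get_for_model(TextVersion).pk
            # table cm_userprofile is not present if display_suspended_users: fix this
            # The ids are bound through ``params`` rather than interpolated into
            # the WHERE fragments, so no value is ever spliced into raw SQL.
            texts = texts.extra(
                where=[
                    'tagging_taggeditem.object_id = cm_text.last_text_version_id',
                    'tagging_taggeditem.content_type_id = %s',
                    'tagging_taggeditem.tag_id = %s',
                ],
                params=[content_type_id, tag_ids[0].id],
                tables=['tagging_taggeditem'],
            )

    return object_list(
        request,
        texts,
        template_name='site/text_list.html',
        paginate_by=paginate_by,
        extra_context=context,
    )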
def user_activate(request, key):
    """Activate the account whose profile ``adminkey`` equals ``key`` and log it in.

    For an inactive user, GET renders the activation form (username form plus
    password form) and POST validates both, saves them, marks the user active,
    logs in and redirects to the index. For a user that is already active the
    view logs in straight away and redirects.

    NOTE(review): the already-active branch logs the user in on a plain GET
    whenever the adminkey matches, and nothing in this view rotates or clears
    the key — confirm elsewhere how long an activation link stays usable.

    Raises:
        UnauthorizedException: no profile carries this adminkey.
    """
    try:
        profile = UserProfile.objects.get(adminkey=key)
        user = profile.user
        if not user.is_active:
            if request.method == 'POST':
                userform = UserValidateForm(request.POST, instance=user)
                pwform = SetPasswordForm(profile.user, request.POST)
                if userform.is_valid() and pwform.is_valid():
                    userform.save()
                    pwform.save()
                    user.is_active = True
                    user.save()
                    # login: django_login needs the backend attribute set by hand
                    # because the user was not authenticated through authenticate().
                    user.backend = 'django.contrib.auth.backends.ModelBackend'
                    django_login(request, user)
                    register_activity(request, "user_activated", user=user)
                    display_message( request, _(u"Your account has been activated. You're now logged-in." ))
                    return HttpResponseRedirect(reverse('index'))
            else:
                # Blank the in-memory username before building the unbound form;
                # presumably so the field is shown empty — not saved here.
                user.username = ''
                userform = UserValidateForm(instance=user)
                pwform = SetPasswordForm(user)
            # Reached for GET and for an invalid POST: re-render the forms.
            # Why the whole cache is cleared here is not visible in this view.
            cache.clear()
            return render_to_response('site/activate.html', {
                'forms': [userform, pwform],
                'title': _(u'Activate your account'),
                'save_name': _(u'activate account'),
            }, context_instance=RequestContext(request))
        else:
            # Already active: the adminkey alone is enough to log in here.
            user.backend = 'django.contrib.auth.backends.ModelBackend'
            django_login(request, user)
            display_message( request, _(u"Your account has been activated. You're now logged-in."))
            return HttpResponseRedirect(reverse('index'))
    except UserProfile.DoesNotExist:
        raise UnauthorizedException('No profile')
def user_enable(request, key):
    """Lift the suspension on profile ``key``; POST only, called from JavaScript.

    An already-active user is simply restored. An inactive one is treated as a
    new-member approval: the activation e-mail is sent and the approval is
    recorded instead.

    Raises:
        UnauthorizedException: (empty message) for any non-POST request.
        Http404: no profile with this key.
    """
    if request.method != 'POST':
        raise UnauthorizedException('')
    profile = get_object_or_404(UserProfile, key=key)
    profile.is_suspended = False
    profile.save()
    if profile.user.is_active:
        notice = _(u"User's access %(prof)s has been restored.")
        activity = "user_enabled"
    else:
        # New member approval: the user still has to activate the account.
        profile.send_activation_email()
        notice = _(u"User's access %(prof)s has been approved.")
        activity = "user_approved"
    display_message(request, notice % {'prof': profile.simple_print()})
    register_activity(request, activity, user=profile.user)
    # Empty body on purpose: the JavaScript caller decides what to do next.
    return HttpResponse('')
def _check_local_perm(request, *args, **kwargs):
    """Run ``view_func`` if the caller holds ``perm_name`` on the text, or the ``_own`` variant on the comment.

    Closure variables from the enclosing decorator: ``perm_name`` and
    ``view_func``. The text comes from ``kwargs['key']``; when the plain
    permission is missing, ``kwargs['comment_key']`` is resolved and
    ``has_own_perm`` is consulted with ``perm_name + "_own"``. There is no
    login requirement in this variant.

    Raises:
        UnauthorizedException: neither permission holds.
        Exception: ``key`` (or, when needed, ``comment_key``) is missing, so
            no object can be checked — fails closed.
    """
    if cm_settings.NO_SECURITY:
        return view_func(request, *args, **kwargs)

    if 'key' not in kwargs:
        raise Exception('no security check possible: no text key')
    text = get_object_or_404(Text, key=kwargs['key'])

    # Permission on the text itself is sufficient.
    if has_perm(request, perm_name, text=text):
        return view_func(request, *args, **kwargs)

    # Otherwise fall back to the "own" permission on the specific comment.
    if 'comment_key' not in kwargs:
        raise Exception('no security check possible: no comment key')
    comment = get_object_or_404(Comment, key=kwargs['comment_key'])
    if has_own_perm(request, perm_name + "_own", text, comment):
        return view_func(request, *args, **kwargs)

    raise UnauthorizedException('No perm %s on comment' % perm_name)
def user_suspend(request, key):
    """Suspend profile ``key``; POST only, called from JavaScript.

    An active user is suspended. An inactive one (a pending applicant) is
    refused: the user is marked active but left suspended, and the refusal is
    recorded instead.

    Raises:
        UnauthorizedException: (empty message) for any non-POST request.
        Http404: no profile with this key.
    """
    if request.method != 'POST':
        raise UnauthorizedException('')
    profile = get_object_or_404(UserProfile, key=key)
    profile.is_suspended = True
    profile.save()
    if profile.user.is_active:
        notice = _(u"User's access %(prof)s has been suspended.")
        activity = "user_suspended"
    else:
        # Refused applicant: make the user active but leave it disabled
        # through the suspended profile.
        profile.user.is_active = True
        profile.user.save()
        notice = _(u"User's access %(prof)s has been refused.")
        activity = "user_refused"
    display_message(request, notice % {'prof': profile.simple_print()})
    register_activity(request, activity, user=profile.user)
    # Empty body on purpose: the JavaScript caller decides what to do next.
    return HttpResponse('')