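def redirect_permissions_request(request, perm_name=None,
                                 target_ct_id=None, target_id=None,
                                 permittee_ct_id=None, permittee_id=None):
    """
    Gets the target and permittee objects and passes them along with the
    L{ExpedientPermission} object named by C{perm_name} to the view that's
    used by the permission.

    The redirect target handed to the view is read from the session key
    C{from_url}. It is passed on only when it looks like a local path;
    in every other case the view receives C{redirect_to=None}.

    @param request: the current request; only its session is read here.
    @param perm_name: name of the L{ExpedientPermission} to look up
        (a 404 is returned when no permission has that name).
    @param target_ct_id: content type id used to look up the target.
    @param target_id: object id used to look up the target.
    @param permittee_ct_id: content type id used to look up the permittee.
    @param permittee_id: object id used to look up the permittee.
    @return: whatever the permission's view returns.
    @raise PermissionDenied: if the permission has no view configured.
    """
    permission = get_object_or_404(ExpedientPermission, name=perm_name)
    target_obj_or_class = get_object_from_ids(target_ct_id, target_id)
    # Change from ContentType to class
    if isinstance(target_obj_or_class, ContentType):
        target_obj_or_class = target_obj_or_class.model_class()
    permittee = get_object_from_ids(permittee_ct_id, permittee_id)
    if not permission.view:
        raise PermissionDenied(perm_name, target_obj_or_class, permittee, False)

    view = get_callable(permission.view)
    logger.debug("Calling permission view %s", permission.view)

    # No URLs allowed in redirection: only a local path may be handed to the
    # view, so that a stored value cannot send the user to another site.
    # NOTE(review): presumably "from_url" was saved from an earlier request;
    # it is validated here as untrusted input either way.
    redirect_to = request.session.get("from_url", '') or None
    if redirect_to is not None:
        # Text before the first "/", "?" or "#"; a colon in it makes the
        # value scheme-qualified (an absolute URL) rather than a path.
        first_segment = redirect_to
        for delimiter in "/?#":
            first_segment = first_segment.split(delimiter, 1)[0]
        if (' ' in redirect_to
                or "//" in redirect_to
                # Browsers treat a backslash like a forward slash, so it
                # must not be able to stand in for the "//" rejected above.
                or "\\" in redirect_to
                or ":" in first_segment
                # Control characters are dropped by browsers while parsing
                # a URL, which would let them hide one of the patterns above.
                or any(ord(ch) < 0x20 or ord(ch) == 0x7f
                       for ch in redirect_to)):
            redirect_to = None

    return view(request, permission, permittee, target_obj_or_class,
                redirect_to=redirect_to)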
def must_have_permission(permittee, target_obj_or_class, perm_name,
                         allow_redirect=True):
    """
    Require that C{permittee} holds the permission named by C{perm_name}
    over the target object or class C{target_obj_or_class}. If it does not,
    a PermissionDenied exception is raised.

    @param permittee: object that should own the permission, or the keyword
        under which that object was stored in the threadlocals middleware.
    @type permittee: L{Permittee} or C{Model} instance, or C{str}.
    @param target_obj_or_class: The object or class for which the
        permission is being checked.
    @type target_obj_or_class: C{Model} instance or C{class}.
    @param perm_name: The name of the permission
    @type perm_name: C{str}.
    @keyword allow_redirect: Forwarded to the PermissionDenied exception:
        should the user be redirected to the permission's redirection URL
        when the permission is denied? Default True
    @type allow_redirect: C{bool}
    @return: C{None}. The call returns normally only when the permission
        is held; a denial is signalled by the exception, never by a value.
    @raise PermissionDenied: if the permittee lacks the permission.
    """
    # A string is a threadlocals keyword, not the permittee itself: resolve
    # it to the stored object before checking.
    if isinstance(permittee, str):
        permittee = get_permittee_from_threadlocals(permittee)

    if has_permission(permittee, target_obj_or_class, perm_name):
        return

    raise PermissionDenied(
        perm_name,
        target_obj_or_class,
        permittee,
        allow_redirect=allow_redirect,
    )
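def redirect_permissions_request(request, perm_name=None,
                                 target_ct_id=None, target_id=None,
                                 user_ct_id=None, user_id=None):
    """
    Gets the target and user objects and passes them along with the
    L{ExpedientPermission} object named by C{perm_name} to the view that's
    used by the permission.

    The redirect target handed to the view comes from the C{next} query
    parameter, which the client controls. It is passed on only when it
    looks like a local path; in every other case the view receives
    C{redirect_to=None}.

    @param request: the current request; only its query string is read here.
    @param perm_name: name of the L{ExpedientPermission} to look up
        (a 404 is returned when no permission has that name).
    @param target_ct_id: content type id used to look up the target.
    @param target_id: object id used to look up the target.
    @param user_ct_id: content type id used to look up the user.
    @param user_id: object id used to look up the user.
    @return: whatever the permission's view returns.
    @raise PermissionDenied: if the permission has no view configured.
    """
    permission = get_object_or_404(ExpedientPermission, name=perm_name)
    target_obj_or_class = get_object_from_ids(target_ct_id, target_id)
    # Change from ContentType to class
    if isinstance(target_obj_or_class, ContentType):
        target_obj_or_class = target_obj_or_class.model_class()
    user = get_object_from_ids(user_ct_id, user_id)
    if not permission.view:
        raise PermissionDenied(perm_name, target_obj_or_class, user, False)

    view = get_callable(permission.view)

    # No URLs allowed in redirection: "next" is supplied by the client, so
    # only a local path may be handed to the view. Anything that a browser
    # could resolve to another site is dropped.
    redirect_to = request.GET.get("next", '') or None
    if redirect_to is not None:
        # Text before the first "/", "?" or "#"; a colon in it makes the
        # value scheme-qualified (an absolute URL) rather than a path.
        first_segment = redirect_to
        for delimiter in "/?#":
            first_segment = first_segment.split(delimiter, 1)[0]
        if (' ' in redirect_to
                or "//" in redirect_to
                # Browsers treat a backslash like a forward slash, so it
                # must not be able to stand in for the "//" rejected above.
                or "\\" in redirect_to
                or ":" in first_segment
                # Control characters are dropped by browsers while parsing
                # a URL, which would let them hide one of the patterns above.
                or any(ord(ch) < 0x20 or ord(ch) == 0x7f
                       for ch in redirect_to)):
            redirect_to = None

    return view(request, permission, user, target_obj_or_class,
                redirect_to=redirect_to)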
def reraise_permission_denied(request, perm_name=None,
                              target_ct_id=None, target_id=None,
                              permittee_ct_id=None, permittee_id=None):
    """
    Raises a PermissionDenied exception for the given parameters.

    The target and the permittee are each looked up from their
    (content type id, object id) pair before the exception is built.
    C{request} is accepted but not used.

    @raise PermissionDenied: always.
    """
    denied_target = get_object_from_ids(target_ct_id, target_id)
    denied_permittee = get_object_from_ids(permittee_ct_id, permittee_id)
    # The trailing False is presumably allow_redirect -- confirm against
    # the PermissionDenied constructor.
    raise PermissionDenied(
        perm_name,
        denied_target,
        denied_permittee,
        False,
    )
def stop_slice(self, slice):
    """Take out the resource reservation from the aggregates.

    This implementation only performs the permission check and releases
    nothing itself. Subclasses overriding this method should call the
    parent class so that the check is not skipped.

    Raises PermissionDenied when the current user has neither
    "can_use_aggregate" nor "can_edit_aggregate" on this aggregate.
    """
    # The acting user is taken from the threadlocals store, not from an
    # argument.
    permittee = get_permittee_from_threadlocals("user")
    may_use = has_permission(
        permittee, self.as_leaf_class(), "can_use_aggregate")
    may_edit = has_permission(
        permittee, self.as_leaf_class(), "can_edit_aggregate")

    # Either permission is sufficient; the denial is always reported under
    # "can_use_aggregate" and is raised with allow_redirect=False.
    if not (may_use or may_edit):
        raise PermissionDenied(
            "can_use_aggregate",
            self.as_leaf_class(),
            permittee,
            allow_redirect=False,
        )