from django.contrib.sites.models import Site
from django.core.urlresolvers import reverse
from django import http
-from django.http import Http404, HttpResponse
+from django.http import Http404, HttpResponse, HttpResponseForbidden
from django.shortcuts import get_object_or_404, render, redirect
from django.utils.encoding import force_str
from django.utils.http import urlquote_plus
from django.views.decorators.http import require_POST
+from unidecode import unidecode
from catalogue import forms
from catalogue.forms import TagMultipleForm, TagSingleForm
logger = logging.getLogger("fnp.catalogue")
-@active_tab('all')
-@never_cache
-def document_list(request):
- return render(request, 'catalogue/document_list.html')
-
-
@never_cache
def user(request, username):
user = get_object_or_404(User, username=username)
path = settings.MEDIA_ROOT + uppath
if not os.path.isdir(path):
os.makedirs(path)
- dest_path = path + cover.name # UNSAFE
+ cover.name = unidecode(cover.name)
+ dest_path = path + cover.name
+ if not os.path.abspath(dest_path).startswith(os.path.abspath(path)):
+ raise Http404
with open(dest_path, 'w') as destination:
for chunk in cover.chunks():
destination.write(chunk)
@login_required
def book_schedule(request, pk):
book = get_object_or_404(Document, pk=pk, deleted=False)
+ if not book.can_edit(request.user):
+ return HttpResponseForbidden("Not authorized.")
if request.method == 'POST':
Plan.objects.filter(document=book).delete()
- for i, s in enumerate(STAGES):
+ for i, (s, name) in enumerate(STAGES):
user_id = request.POST.get('s%d-user' % i)
deadline = request.POST.get('s%d-deadline' % i) or None
Plan.objects.create(document=book, stage=s, user_id=user_id, deadline=deadline)
for p in Plan.objects.filter(document=book):
current[p.stage] = (getattr(p.user, 'pk', None), (p.deadline.isoformat() if p.deadline else None))
- schedule = [(i, s, current.get(s, ())) for (i, s) in enumerate(STAGES)]
+ schedule = [(i, s, current.get(s, ())) for i, (s, name) in enumerate(STAGES)]
if book.owner_organization:
people = [m.user for m in book.owner_organization.membership_set.exclude(status='pending')]
@login_required
def book_owner(request, pk):
doc = get_object_or_404(Document, pk=pk, deleted=False)
- user_is_owner = doc.owner_organization and doc.owner_organization.is_member(request.user)
- if not (doc.owner_user == request.user or user_is_owner):
- raise Http404
+ if not doc.can_edit(request.user):
+ return HttpResponseForbidden("Not authorized.")
error = ''
@login_required
def book_delete(request, pk):
doc = get_object_or_404(Document, pk=pk, deleted=False)
- if not (doc.owner_user == request.user or doc.owner_organization.is_member(request.user)):
- raise Http404
+ if not doc.can_edit(request.user):
+ return HttpResponseForbidden("Not authorized.")
if request.method == 'POST':
doc.deleted = True
from .models import PublishRecord
from dvcs.models import Revision
- # FIXME: check permissions
-
doc = get_object_or_404(Document, pk=pk, deleted=False)
+ if not doc.can_edit(request.user):
+ return HttpResponseForbidden("Not authorized.")
form = forms.DocumentTextPublishForm(request.POST, prefix="textpublish")
if form.is_valid():
rev = Revision.objects.get(pk=form.cleaned_data['revision'])
@require_POST
@login_required
def unpublish(request, pk):
- # FIXME: check permissions
-
doc = get_object_or_404(Document, pk=pk, deleted=False)
+ if not doc.can_edit(request.user):
+ return HttpResponseForbidden("Not authorized.")
+
doc.publish_log.all().delete()
if request.is_ajax():
return http.HttpResponse('ok')
fnp / redakcja.git / blobdiff