administrative cleanup
[redakcja.git] / apps / wiki / views.py
index 1b16077..6a5f2ac 100644 (file)
@@ -15,6 +15,7 @@ from django.middleware.gzip import GZipMiddleware
 from django.utils.decorators import decorator_from_middleware
 from django.utils.encoding import smart_unicode
 from django.utils.formats import localize
+from django.utils.html import escape
 from django.utils.translation import ugettext as _
 from django.views.decorators.http import require_POST
 from django.shortcuts import get_object_or_404, render
@@ -41,7 +42,7 @@ def get_history(document):
         revisions.append({
             "version": i + 1,
             "description": revision.description,
-            "author": revision.author_str(),
+            "author": escape(revision.author_str()),
             "date": localize(revision.created_at),
             "revision": revision.pk,
             "published": _("Published") + ": " +
@@ -54,6 +55,8 @@ def get_history(document):
 @never_cache
 def editor(request, pk, template_name='wiki/bootstrap.html'):
     doc = get_object_or_404(Document, pk=pk, deleted=False)
+    if not doc.can_edit(request.user):
+        return HttpResponseForbidden("Not authorized.")
 
     save_form = forms.DocumentTextSaveForm(user=request.user, prefix="textsave")
     text = doc.materialize()
@@ -68,7 +71,8 @@ def editor(request, pk, template_name='wiki/bootstrap.html'):
             'version': len(history),
             'revision': revision.pk,
             'stage': doc.stage,
-            'assignment': str(doc.assigned_to),
+            'stage_name': doc.stage_name(),
+            'assignment': doc.assigned_to.username if doc.assigned_to else None,
         }),
         'serialized_templates': json.dumps([
             {'id': t.id, 'name': t.name, 'content': t.content} for t in Template.objects.filter(is_partial=True)
@@ -86,10 +90,10 @@ def editor(request, pk, template_name='wiki/bootstrap.html'):
 @decorator_from_middleware(GZipMiddleware)
 def text(request, doc_id):
     doc = get_object_or_404(Document, pk=doc_id, deleted=False)
-    # if not doc.book.accessible(request):
-    #     return HttpResponseForbidden("Not authorized.")
 
     if request.method == 'POST':
+        if not doc.can_edit(request.user):
+            return HttpResponseForbidden("Not authorized.")
         form = forms.DocumentTextSaveForm(request.POST, user=request.user, prefix="textsave")
         if form.is_valid():
             if request.user.is_authenticated():
@@ -119,11 +123,11 @@ def text(request, doc_id):
                 from traceback import print_exc
                 print_exc()
                 raise
-            # revision = doc.revision()
             return JSONResponse({
                 'text': None,  # doc.materialize() if parent_revision != revision else None,
-                # 'version': revision,
-                # 'stage': doc.stage.name if doc.stage else None,
+                'version': len(get_history(doc)),
+                'stage': doc.stage,
+                'stage_name': doc.stage_name(),
                 'assignment': doc.assigned_to.username if doc.assigned_to else None
             })
         else:
@@ -154,6 +158,8 @@ def revert(request, doc_id):
     form = forms.DocumentTextRevertForm(request.POST, prefix="textrevert")
     if form.is_valid():
         doc = get_object_or_404(Document, pk=doc_id, deleted=False)
+        if not doc.can_edit(request.user):
+            return HttpResponseForbidden("Not authorized.")
         rev = get_object_or_404(Revision, pk=form.cleaned_data['revision'])
 
         comment = form.cleaned_data['comment']
@@ -176,8 +182,11 @@ def revert(request, doc_id):
         )
 
         return JSONResponse({
-            # 'document': None, #doc.materialize() if before != doc.revision else None,
-            # 'version': doc.revision(),
+            'document': doc.materialize(),
+            'version': len(get_history(doc)),
+            'stage': doc.stage,
+            'stage_name': doc.stage_name(),
+            'assignment': doc.assigned_to.username if doc.assigned_to else None,
         })
     else:
         return JSONFormInvalid(form)