from django.utils.decorators import decorator_from_middleware
from django.utils.encoding import smart_unicode
from django.utils.formats import localize
+from django.utils.html import escape
from django.utils.translation import ugettext as _
from django.views.decorators.http import require_POST
from django.shortcuts import get_object_or_404, render
revisions.append({
"version": i + 1,
"description": revision.description,
- "author": revision.author_str(),
+ "author": escape(revision.author_str()),
"date": localize(revision.created_at),
"revision": revision.pk,
"published": _("Published") + ": " +
@never_cache
def editor(request, pk, template_name='wiki/bootstrap.html'):
doc = get_object_or_404(Document, pk=pk, deleted=False)
+ if not doc.can_edit(request.user):
+ return HttpResponseForbidden("Not authorized.")
save_form = forms.DocumentTextSaveForm(user=request.user, prefix="textsave")
text = doc.materialize()
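Review bot: `HttpResponseForbidden` is used on the added lines but is not among the imports this commit touches, so it must already be imported from `django.http` elsewhere in the file or the denial path raises `NameError` — worth confirming, since the previous use of that name in this file was commented out. `doc.can_edit(request.user)` receives `AnonymousUser` for logged-out requests and must return False for it rather than assume a real user; a `@login_required` on `editor` (or a login redirect instead of a bare 403) would make the anonymous case explicit. The check is correctly placed before the form is built and before `doc.materialize()` runs. `editor`'s body continues outside the hunk.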
'version': len(history),
'revision': revision.pk,
'stage': doc.stage,
- 'assignment': str(doc.assigned_to),
+ 'stage_name': doc.stage_name(),
+ 'assignment': doc.assigned_to.username if doc.assigned_to else None,
}),
'serialized_templates': json.dumps([
{'id': t.id, 'name': t.name, 'content': t.content} for t in Template.objects.filter(is_partial=True)
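Review bot: `'stage': doc.stage` lands in a dict that appears to be serialised with `json.dumps` (the call closed by `}),` just above, matching `serialized_templates` below); if `stage` is still a foreign key, as the previously commented-out `doc.stage.name if doc.stage else None` suggests, `json.dumps` raises `TypeError`, whereas a plain string/int field is fine — confirm against the model. Since `stage_name()` is sent alongside it, a short comment such as `# 'stage' is the key the editor posts back; 'stage_name' is display-only` would explain why both are needed. The enclosing function starts outside the hunk.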
@decorator_from_middleware(GZipMiddleware)
def text(request, doc_id):
doc = get_object_or_404(Document, pk=doc_id, deleted=False)
- # if not doc.book.accessible(request):
- # return HttpResponseForbidden("Not authorized.")
if request.method == 'POST':
+ if not doc.can_edit(request.user):
+ return HttpResponseForbidden("Not authorized.")
form = forms.DocumentTextSaveForm(request.POST, user=request.user, prefix="textsave")
if form.is_valid():
if request.user.is_authenticated():
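Review bot: Only the POST branch is gated — a GET to `text` still returns the document content to any caller with no authorization, and the commit deletes the commented-out `doc.book.accessible(request)` guard instead of replacing it with a working read check. If documents are not meant to be world-readable, add a read-permission check directly after `get_object_or_404` so both GET and POST are covered; the POST `can_edit` check itself is correctly placed before the form is parsed. The body of `text` continues outside the hunk.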
from traceback import print_exc
print_exc()
raise
- # revision = doc.revision()
return JSONResponse({
'text': None, # doc.materialize() if parent_revision != revision else None,
- # 'version': revision,
- # 'stage': doc.stage.name if doc.stage else None,
+ 'version': len(get_history(doc)),
+ 'stage': doc.stage,
+ 'stage_name': doc.stage_name(),
'assignment': doc.assigned_to.username if doc.assigned_to else None
})
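Review bot: The `'text': None` line keeps a stale comment (`doc.materialize() if parent_revision != revision else None`) referring to `revision`, whose assignment this commit deletes; replace it with the actual reason, e.g. `'text': None,  # client already holds the saved text; only metadata is refreshed`. The `print_exc()` followed by `raise` above it prints the traceback to stdout on top of re-raising, which is a debugging leftover in a view and worth removing in a follow-up. The `except` block those lines sit in appears to start outside the hunk.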
else:
form = forms.DocumentTextRevertForm(request.POST, prefix="textrevert")
if form.is_valid():
doc = get_object_or_404(Document, pk=doc_id, deleted=False)
+ if not doc.can_edit(request.user):
+ return HttpResponseForbidden("Not authorized.")
rev = get_object_or_404(Revision, pk=form.cleaned_data['revision'])
comment = form.cleaned_data['comment']
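Review bot: The `can_edit` check authorises the caller for `doc`, but the revision on the next line is fetched by primary key alone, so a user who can edit one document can submit the pk of a revision belonging to any other document and revert this one to foreign content (cross-document IDOR). Scope the lookup to the document, e.g. `rev = get_object_or_404(Revision, pk=form.cleaned_data['revision'], document=doc)` — the `document` field name is inferred and needs confirming against the `Revision` model. The `doc = get_object_or_404(...)` just above also re-fetches the document already loaded at the top of the view and could be dropped. The revert call itself lies outside the hunk.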
)
return JSONResponse({
- # 'document': None, #doc.materialize() if before != doc.revision else None,
- # 'version': doc.revision(),
+ 'document': doc.materialize(),
+ 'version': len(get_history(doc)),
+ 'stage': doc.stage,
+ 'stage_name': doc.stage_name(),
+ 'assignment': doc.assigned_to.username if doc.assigned_to else None,
})
else:
return JSONFormInvalid(form)
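Review bot: The four metadata keys built here (`version`, `stage`, `stage_name`, `assignment`) duplicate the dict constructed in the save branch above, so the two responses will drift the next time a field is added; a small module-level helper keeps them in lockstep and documents what the editor expects back. The revert path additionally returns `'document': doc.materialize()` while the save path returns `'text': None`, which is presumably intentional (the client must reload content after a revert) but deserves a comment. `get_history` is assumed to be defined elsewhere in the file.
```python
def _doc_state(doc):
    """Version/stage/assignment fields the editor refreshes after a save or revert."""
    return {
        'version': len(get_history(doc)),
        'stage': doc.stage,
        'stage_name': doc.stage_name(),
        'assignment': doc.assigned_to.username if doc.assigned_to else None,
    }

# … unchanged: revert form validation and the revert call …
            state = _doc_state(doc)
            state['document'] = doc.materialize()  # content changed; client must reload it
            return JSONResponse(state)
```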