#880: hide copyrighted stuff,
[redakcja.git] / apps / wiki / views.py
index adffcb7..4d9fac9 100644 (file)
@@ -5,13 +5,14 @@ import logging
 from django.conf import settings
 from django.core.urlresolvers import reverse
 from django import http
-from django.http import Http404
+from django.http import Http404, HttpResponseForbidden
 from django.middleware.gzip import GZipMiddleware
 from django.utils.decorators import decorator_from_middleware
 from django.utils.encoding import smart_unicode
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import ugettext as _
 from django.views.decorators.http import require_POST, require_GET
 from django.views.generic.simple import direct_to_template
+from django.shortcuts import get_object_or_404
 
 from catalogue.models import Book, Chunk
 import nice_diff
@@ -45,6 +46,8 @@ def editor(request, slug, chunk=None, template_name='wiki/document_details.html'
                 return http.HttpResponseRedirect(reverse("catalogue_create_missing", args=[slug]))
         else:
             raise Http404
+    if not chunk.book.accessible(request):
+        return HttpResponseForbidden("Not authorized.")
 
     access_time = datetime.now()
     last_books = request.session.get("wiki_last_books", {})
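Review bot: Returning `HttpResponseForbidden("Not authorized.")` in `editor` lets a caller tell a restricted book from a missing one, because the missing case raises `Http404` a few lines above; if the aim is to hide restricted books, `raise Http404` in this branch keeps the two indistinguishable. The same two-line check is repeated in `editor_readonly`, `text`, `revert`, `diff`, `revision`, `history` and `pubmark`. Those views now look the chunk up by `chunk_id`, presumably an auto-increment primary key, which makes the 403/404 difference easier to probe. A shared helper or decorator that loads the chunk and enforces `accessible(request)` would keep a future view from omitting the check. The body of `editor` starts and ends outside this hunk.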
@@ -61,7 +64,7 @@ def editor(request, slug, chunk=None, template_name='wiki/document_details.html'
     return direct_to_template(request, template_name, extra_context={
         'chunk': chunk,
         'forms': {
-            "text_save": forms.DocumentTextSaveForm(prefix="textsave"),
+            "text_save": forms.DocumentTextSaveForm(user=request.user, prefix="textsave"),
             "text_revert": forms.DocumentTextRevertForm(prefix="textrevert"),
             "pubmark": forms.DocumentPubmarkForm(prefix="pubmark"),
         },
@@ -76,6 +79,8 @@ def editor_readonly(request, slug, chunk=None, template_name='wiki/document_deta
         revision = request.GET['revision']
     except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist, KeyError):
         raise Http404
+    if not chunk.book.accessible(request):
+        return HttpResponseForbidden("Not authorized.")
 
     access_time = datetime.now()
     last_books = request.session.get("wiki_last_books", {})
@@ -99,14 +104,13 @@ def editor_readonly(request, slug, chunk=None, template_name='wiki/document_deta
 
 @never_cache
 @decorator_from_middleware(GZipMiddleware)
-def text(request, slug, chunk=None):
-    try:
-        doc = Chunk.get(slug, chunk)
-    except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist):
-        raise Http404
+def text(request, chunk_id):
+    doc = get_object_or_404(Chunk, pk=chunk_id)
+    if not doc.book.accessible(request):
+        return HttpResponseForbidden("Not authorized.")
 
     if request.method == 'POST':
-        form = forms.DocumentTextSaveForm(request.POST, prefix="textsave")
+        form = forms.DocumentTextSaveForm(request.POST, user=request.user, prefix="textsave")
         if form.is_valid():
             if request.user.is_authenticated():
                 author = request.user
@@ -125,6 +129,8 @@ def text(request, slug, chunk=None):
                        parent=parent,
                        description=form.cleaned_data['comment'],
                        tags=tags,
+                       author_name=form.cleaned_data['author_name'],
+                       author_email=form.cleaned_data['author_email'],
                        )
             revision = doc.revision()
             return JSONResponse({
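Review bot: `form.cleaned_data['author_name']` and `form.cleaned_data['author_email']` are read unconditionally, although the form is now built with `user=request.user`, which suggests these fields depend on who is saving. If `DocumentTextSaveForm` omits them for logged-in users, the subscripts raise `KeyError`; if it keeps them, a logged-in user can attach an arbitrary name and e-mail to a revision alongside `author`. Reading them with `form.cleaned_data.get('author_name')` and passing them only when `author` is None would cover both cases. The form class is not visible here, so confirm against it; the `text` view starts and ends outside this hunk.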
@@ -156,13 +162,12 @@ def text(request, slug, chunk=None):
 
 @never_cache
 @require_POST
-def revert(request, slug, chunk=None):
+def revert(request, chunk_id):
     form = forms.DocumentTextRevertForm(request.POST, prefix="textrevert")
     if form.is_valid():
-        try:
-            doc = Chunk.get(slug, chunk)
-        except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist):
-            raise Http404
+        doc = get_object_or_404(Chunk, pk=chunk_id)
+        if not doc.book.accessible(request):
+            return HttpResponseForbidden("Not authorized.")
 
         revision = form.cleaned_data['revision']
 
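Review bot: The access check in `revert` sits inside `if form.is_valid():`, so a request for a restricted chunk with an invalid form never reaches it and gets whatever the invalid-form branch returns (outside this hunk). Moving `doc = get_object_or_404(Chunk, pk=chunk_id)` and the `accessible` check above the form construction makes the authorization decision independent of the payload; `pubmark` has the same ordering. `accessible(request)` is also the only gate visible on this write path, so it is worth confirming that it covers edit rights and not only read visibility.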
@@ -175,7 +180,7 @@ def revert(request, slug, chunk=None):
             author = None
 
         before = doc.revision()
-        logger.info("Reverting %s to %s", slug, revision)
+        logger.info("Reverting %s to %s", chunk_id, revision)
         doc.at_revision(revision).revert(author=author, description=comment)
 
         return JSONResponse({
@@ -208,6 +213,10 @@ def gallery(request, directory):
 
         images = [map_to_url(f) for f in map(smart_unicode, os.listdir(base_dir)) if is_image(f)]
         images.sort()
+
+        if not request.user.is_authenticated():
+            return HttpResponseForbidden("Not authorized.")
+
         return JSONResponse(images)
     except (IndexError, OSError):
         logger.exception("Unable to fetch gallery")
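Review bot: The `is_authenticated()` check in `gallery` is added after `os.listdir(base_dir)` has already run, so an anonymous request still reads the directory. Such a request also gets a 403 for an existing directory but falls into the `except (IndexError, OSError)` path for a missing one, which reveals which directories exist. Placing the check at the top of the view, before `base_dir` is used, avoids both. The check also tests only for a logged-in user rather than `book.accessible(request)` as the other views do, so images of a restricted book may stay listable by any account; the mapping from `directory` to a book is not visible in this hunk.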
@@ -215,7 +224,7 @@ def gallery(request, directory):
 
 
 @never_cache
-def diff(request, slug, chunk=None):
+def diff(request, chunk_id):
     revA = int(request.GET.get('from', 0))
     revB = int(request.GET.get('to', 0))
 
@@ -225,11 +234,15 @@ def diff(request, slug, chunk=None):
     if revB == 0:
         revB = None
 
-    try:
-        doc = Chunk.get(slug, chunk)
-    except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist):
-        raise Http404
-    docA = doc.at_revision(revA).materialize()
+    doc = get_object_or_404(Chunk, pk=chunk_id)
+    if not doc.book.accessible(request):
+        return HttpResponseForbidden("Not authorized.")
+
+    # allow diff from the beginning
+    if revA:
+        docA = doc.at_revision(revA).materialize()
+    else:
+        docA = ""
     docB = doc.at_revision(revB).materialize()
 
     return http.HttpResponse(nice_diff.html_diff_table(docA.splitlines(),
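Review bot: A non-numeric `from` or `to` still raises an unhandled `ValueError` in `diff`, because `revA` and `revB` come from `int(request.GET.get(...))` at the top of the view (previous hunk), and this happens before the new access check runs. Parsing inside `try`/`except ValueError` and raising `Http404` would keep malformed input from producing a 500. The new comment could also state the rule it implements, for example `# from=0 or missing: diff against an empty document`.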
@@ -237,21 +250,19 @@ def diff(request, slug, chunk=None):
 
 
 @never_cache
-def revision(request, slug, chunk=None):
-    try:
-        doc = Chunk.get(slug, chunk)
-    except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist):
-        raise Http404
+def revision(request, chunk_id):
+    doc = get_object_or_404(Chunk, pk=chunk_id)
+    if not doc.book.accessible(request):
+        return HttpResponseForbidden("Not authorized.")
     return http.HttpResponse(str(doc.revision()))
 
 
 @never_cache
-def history(request, slug, chunk=None):
+def history(request, chunk_id):
     # TODO: pagination
-    try:
-        doc = Chunk.get(slug, chunk)
-    except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist):
-        raise Http404
+    doc = get_object_or_404(Chunk, pk=chunk_id)
+    if not doc.book.accessible(request):
+        return HttpResponseForbidden("Not authorized.")
 
     changes = []
     for change in doc.history().order_by('-created_at'):
@@ -260,28 +271,26 @@ def history(request, slug, chunk=None):
                 "description": change.description,
                 "author": change.author_str(),
                 "date": change.created_at,
-                "publishable": "Publishable\n" if change.publishable else "",
+                "publishable": _("Publishable") + "\n" if change.publishable else "",
                 "tag": ',\n'.join(unicode(tag) for tag in change.tags.all()),
             })
     return JSONResponse(changes)
 
 
 @require_POST
-@ajax_require_permission('wiki.can_pubmark')
-def pubmark(request, slug, chunk=None):
+@ajax_require_permission('catalogue.can_pubmark')
+def pubmark(request, chunk_id):
     form = forms.DocumentPubmarkForm(request.POST, prefix="pubmark")
     if form.is_valid():
-        try:
-            doc = Chunk.get(slug, chunk)
-        except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist):
-            raise Http404
+        doc = get_object_or_404(Chunk, pk=chunk_id)
+        if not doc.book.accessible(request):
+            return HttpResponseForbidden("Not authorized.")
 
         revision = form.cleaned_data['revision']
         publishable = form.cleaned_data['publishable']
         change = doc.at_revision(revision)
         if publishable != change.publishable:
-            change.publishable = publishable
-            change.save()
+            change.set_publishable(publishable)
             return JSONResponse({"message": _("Revision marked")})
         else:
             return JSONResponse({"message": _("Nothing changed")})
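Review bot: Switching the decorator on `pubmark` to `ajax_require_permission('catalogue.can_pubmark')` changes the codename being checked, so users or groups that hold `wiki.can_pubmark` lose the ability to mark revisions unless the grant is migrated. No migration is visible in this diff, so confirm one ships with it. As in `revert`, the `accessible` check here runs only after `form.is_valid()`. In `history`, the expression `_("Publishable") + "\n" if change.publishable else ""` depends on conditional-expression precedence; writing `(_("Publishable") + "\n") if change.publishable else ""` makes the grouping explicit.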