from django.conf import settings
from django.core.urlresolvers import reverse
from django import http
-from django.http import Http404
+from django.http import Http404, HttpResponseForbidden
from django.middleware.gzip import GZipMiddleware
from django.utils.decorators import decorator_from_middleware
from django.utils.encoding import smart_unicode
from django.utils.translation import ugettext as _
from django.views.decorators.http import require_POST, require_GET
from django.views.generic.simple import direct_to_template
+from django.shortcuts import get_object_or_404
from catalogue.models import Book, Chunk
import nice_diff
return http.HttpResponseRedirect(reverse("catalogue_create_missing", args=[slug]))
else:
raise Http404
+ if not chunk.book.accessible(request):
+ return HttpResponseForbidden("Not authorized.")
access_time = datetime.now()
last_books = request.session.get("wiki_last_books", {})
return direct_to_template(request, template_name, extra_context={
'chunk': chunk,
'forms': {
- "text_save": forms.DocumentTextSaveForm(prefix="textsave"),
+ "text_save": forms.DocumentTextSaveForm(user=request.user, prefix="textsave"),
"text_revert": forms.DocumentTextRevertForm(prefix="textrevert"),
"pubmark": forms.DocumentPubmarkForm(prefix="pubmark"),
},
revision = request.GET['revision']
except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist, KeyError):
raise Http404
+ if not chunk.book.accessible(request):
+ return HttpResponseForbidden("Not authorized.")
access_time = datetime.now()
last_books = request.session.get("wiki_last_books", {})
@never_cache
@decorator_from_middleware(GZipMiddleware)
-def text(request, slug, chunk=None):
- try:
- doc = Chunk.get(slug, chunk)
- except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist):
- raise Http404
+def text(request, chunk_id):
+ doc = get_object_or_404(Chunk, pk=chunk_id)
+ if not doc.book.accessible(request):
+ return HttpResponseForbidden("Not authorized.")
if request.method == 'POST':
- form = forms.DocumentTextSaveForm(request.POST, prefix="textsave")
+ form = forms.DocumentTextSaveForm(request.POST, user=request.user, prefix="textsave")
if form.is_valid():
if request.user.is_authenticated():
author = request.user
parent=parent,
description=form.cleaned_data['comment'],
tags=tags,
+ author_name=form.cleaned_data['author_name'],
+ author_email=form.cleaned_data['author_email'],
)
revision = doc.revision()
return JSONResponse({
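Review bot: `doc.book.accessible(request)` is the only gate on the POST branch that saves a new revision, and the same predicate guards read-only views elsewhere in this diff (`revision`, `history`, `diff`); if `accessible()` models read access, anyone who can view a book can also write to it, including anonymous callers, since the `author` fallback under `if request.user.is_authenticated():` takes `author_name`/`author_email` from the form. I cannot see the `Book.accessible` implementation, so this may be intended for a wiki, but if write access is meant to differ from read access the POST branch needs its own permission check before `form.is_valid()` rather than relying on the shared one. Either way a comment on the check would prevent the next reader from assuming it is read-only: `# accessible() gates both viewing and saving this chunk`. The body of `text` continues past the hunk.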
@never_cache
@require_POST
-def revert(request, slug, chunk=None):
+def revert(request, chunk_id):
form = forms.DocumentTextRevertForm(request.POST, prefix="textrevert")
if form.is_valid():
- try:
- doc = Chunk.get(slug, chunk)
- except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist):
- raise Http404
+ doc = get_object_or_404(Chunk, pk=chunk_id)
+ if not doc.book.accessible(request):
+ return HttpResponseForbidden("Not authorized.")
revision = form.cleaned_data['revision']
author = None
before = doc.revision()
- logger.info("Reverting %s to %s", slug, revision)
+ logger.info("Reverting %s to %s", chunk_id, revision)
doc.at_revision(revision).revert(author=author, description=comment)
return JSONResponse({
images = [map_to_url(f) for f in map(smart_unicode, os.listdir(base_dir)) if is_image(f)]
images.sort()
+
+ if not request.user.is_authenticated():
+ return HttpResponseForbidden("Not authorized.")
+
return JSONResponse(images)
except (IndexError, OSError):
logger.exception("Unable to fetch gallery")
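Review bot: The new `request.user.is_authenticated()` guard sits after `os.listdir(base_dir)` and the `images` comprehension, so the directory is still read, filtered and sorted for anonymous callers before the 403 is returned; the authorization decision should be the first statement of the view, ahead of wherever `base_dir` is derived (the start of the function is outside the hunk). Move `if not request.user.is_authenticated(): return HttpResponseForbidden("Not authorized.")` to the top of the function and drop it from inside the `try`, which also keeps the `except (IndexError, OSError)` handler from wrapping an access check it has no business catching.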
@never_cache
-def diff(request, slug, chunk=None):
+def diff(request, chunk_id):
revA = int(request.GET.get('from', 0))
revB = int(request.GET.get('to', 0))
if revB == 0:
revB = None
- try:
- doc = Chunk.get(slug, chunk)
- except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist):
- raise Http404
+ doc = get_object_or_404(Chunk, pk=chunk_id)
+ if not doc.book.accessible(request):
+ return HttpResponseForbidden("Not authorized.")
+
# allow diff from the beginning
if revA:
docA = doc.at_revision(revA).materialize()
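Review bot: `int(request.GET.get('from', 0))` and the `to` line just above the new access check raise `ValueError` on any non-numeric query value, which surfaces as a 500 rather than a client error, and both run before the caller has been checked against `doc.book.accessible(request)`. Load the chunk and apply the access check first, then parse the two revisions inside a `try`/`except ValueError` that returns `http.HttpResponseBadRequest` (`http` is already imported at the top of the module), so unauthorized callers learn nothing and malformed input gets a 400. The rest of `diff`, which materializes `docA`/`docB`, continues past the hunk and is unchanged.
```python
def diff(request, chunk_id):
    doc = get_object_or_404(Chunk, pk=chunk_id)
    if not doc.book.accessible(request):
        return HttpResponseForbidden("Not authorized.")
    # Parse revisions only after the access check; reject garbage with a 400.
    try:
        revA = int(request.GET.get('from', 0))
        revB = int(request.GET.get('to', 0))
    except ValueError:
        return http.HttpResponseBadRequest("Bad revision.")
    if revB == 0:
        revB = None
    # … unchanged: materialize docA/docB and render the diff …
```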
@never_cache
-def revision(request, slug, chunk=None):
- try:
- doc = Chunk.get(slug, chunk)
- except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist):
- raise Http404
+def revision(request, chunk_id):
+ doc = get_object_or_404(Chunk, pk=chunk_id)
+ if not doc.book.accessible(request):
+ return HttpResponseForbidden("Not authorized.")
return http.HttpResponse(str(doc.revision()))
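Review bot: The three-line `get_object_or_404(Chunk, pk=chunk_id)` / `accessible()` / `HttpResponseForbidden("Not authorized.")` preamble is now repeated verbatim in `text`, `revert`, `diff`, `revision`, `history` and `pubmark`; a single helper keeps the access policy in one place so a later change (a different response body, logging of denied attempts, an extra condition) cannot miss a view. One shape that fits Django is a module-level `_accessible_chunk(request, chunk_id)` that calls `get_object_or_404` and raises `django.core.exceptions.PermissionDenied` (rendered as a 403) when `accessible()` is false, reducing each view to `doc = _accessible_chunk(request, chunk_id)`. Note also that with sequential `pk` URLs the 404-before-403 ordering confirms which chunk ids exist to callers who are not allowed to see them; if that matters here, returning 404 for both cases is the usual choice.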
@never_cache
-def history(request, slug, chunk=None):
+def history(request, chunk_id):
# TODO: pagination
- try:
- doc = Chunk.get(slug, chunk)
- except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist):
- raise Http404
+ doc = get_object_or_404(Chunk, pk=chunk_id)
+ if not doc.book.accessible(request):
+ return HttpResponseForbidden("Not authorized.")
changes = []
- for change in doc.history().order_by('-created_at'):
+ for change in doc.history().reverse():
changes.append({
"version": change.revision,
"description": change.description,
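Review bot: Replacing `order_by('-created_at')` with `.reverse()` on `for change in doc.history().reverse():` makes the listing depend on whatever default ordering `doc.history()` carries; if that queryset, or the model's `Meta.ordering`, is unordered, `.reverse()` is a no-op and the history is emitted in database order. `history()` is defined outside this file so I cannot confirm it is ordered; either keep the explicit `order_by` or document the invariant at the loop, e.g. `# history() is ordered oldest-first; reverse() yields newest first`. The `changes` loop continues past the hunk.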
@require_POST
@ajax_require_permission('catalogue.can_pubmark')
-def pubmark(request, slug, chunk=None):
+def pubmark(request, chunk_id):
form = forms.DocumentPubmarkForm(request.POST, prefix="pubmark")
if form.is_valid():
- try:
- doc = Chunk.get(slug, chunk)
- except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist):
- raise Http404
+ doc = get_object_or_404(Chunk, pk=chunk_id)
+ if not doc.book.accessible(request):
+ return HttpResponseForbidden("Not authorized.")
revision = form.cleaned_data['revision']
publishable = form.cleaned_data['publishable']