fix for no organization owner
[redakcja.git] / apps / catalogue / views.py
index bde9dc0..4204e77 100644 (file)
@@ -8,22 +8,34 @@ import os
 import shutil
 import subprocess
 from tempfile import NamedTemporaryFile
+from xml.sax.saxutils import escape as escape_xml
 
 from django.conf import settings
 from django.contrib import auth
 from django.contrib.auth.models import User
 from django.contrib.auth.decorators import login_required
+from django.contrib.sites.models import Site
 from django.core.urlresolvers import reverse
 from django import http
-from django.http import Http404, HttpResponse
+from django.http import Http404, HttpResponse, HttpResponseForbidden
 from django.shortcuts import get_object_or_404, render, redirect
 from django.utils.encoding import force_str
 from django.utils.http import urlquote_plus
 from django.views.decorators.http import require_POST
+from unidecode import unidecode
 
 from catalogue import forms
+from catalogue.filters import DocumentFilterSet
+from catalogue.forms import TagMultipleForm, TagSingleForm
 from catalogue.helpers import active_tab
+from catalogue.models import Category
 from librarian import BuildError
+from librarian.utils import Context
+from librarian.document import Document as SST
+from librarian.formats.html import HtmlFormat
+from librarian.formats.pdf import PdfFormat
+from librarian.formats.epub import EpubFormat
+from redakcja.utlis import send_notify_email
 from .constants import STAGES
 from .models import Document, Plan
 from dvcs.models import Revision
@@ -39,12 +51,6 @@ from django.views.decorators.cache import never_cache
 logger = logging.getLogger("fnp.catalogue")
 
 
-@active_tab('all')
-@never_cache
-def document_list(request):
-    return render(request, 'catalogue/document_list.html')
-
-
 @never_cache
 def user(request, username):
     user = get_object_or_404(User, username=username)
@@ -74,7 +80,11 @@ def logout_then_redirect(request):
 def create_missing(request):
     if request.method == "POST":
         form = forms.DocumentCreateForm(request.POST, request.FILES)
-        if form.is_valid():
+        tag_forms = [
+            (TagMultipleForm if category.multiple else TagSingleForm)(
+                category=category, data=request.POST, prefix=category.dc_tag)
+            for category in Category.objects.all()]
+        if form.is_valid() and all(tag_form.is_valid() for tag_form in tag_forms):
             
             if request.user.is_authenticated():
                 creator = request.user
@@ -91,13 +101,19 @@ def create_missing(request):
 
             doc = Document.objects.create(**kwargs)
 
+            for tag_form in tag_forms:
+                tag_form.save(instance=doc)
+
             cover = request.FILES.get('cover')
             if cover:
                 uppath = 'uploads/%d/' % doc.pk
                 path = settings.MEDIA_ROOT + uppath
                 if not os.path.isdir(path):
                     os.makedirs(path)
-                dest_path = path + cover.name   # UNSAFE
+                cover.name = unidecode(cover.name)
+                dest_path = path + cover.name
+                if not os.path.abspath(dest_path).startswith(os.path.abspath(path)):
+                    raise Http404
                 with open(dest_path, 'w') as destination:
                     for chunk in cover.chunks():
                         destination.write(chunk)
@@ -105,19 +121,24 @@ def create_missing(request):
             else:
                 cover_url = ''
 
-            doc.commit(
-                text='''<section xmlns="http://nowoczesnapolska.org.pl/sst#" xmlns:dc="http://purl.org/dc/elements/1.1/">
+            text = '''<section xmlns="http://nowoczesnapolska.org.pl/sst#" xmlns:dc="http://purl.org/dc/elements/1.1/">
                 <metadata>
-                    <dc:publisher>''' + form.cleaned_data['publisher'] + '''</dc:publisher>
-                    <dc:description>''' + form.cleaned_data['description'] + '''</dc:description>
-                    <dc:language>''' + form.cleaned_data['language'] + '''</dc:language>
-                    <dc:rights>''' + form.cleaned_data['rights'] + '''</dc:rights>
-                    <dc:audience>''' + form.cleaned_data['audience'] + '''</dc:audience>
-                    <dc:relation.coverImage.url>''' + cover_url + '''</dc:relation.coverImage.url>
+                    <dc:publisher>%s</dc:publisher>
+                    <dc:description>%s</dc:description>
+                    %s
+                    <dc:relation.coverImage.url>%s</dc:relation.coverImage.url>
                 </metadata>
-                <header>''' + title + '''</header>
+                <header>%s</header>
                 <div class="p"> </div>
-                </section>''',
+                </section>''' % (
+                    escape_xml(form.cleaned_data['publisher']),
+                    escape_xml(form.cleaned_data['description']),
+                    '\n'.join(tag_form.metadata_rows() for tag_form in tag_forms),
+                    escape_xml(cover_url),
+                    escape_xml(title))
+
+            doc.commit(
+                text=text,
                 author=creator
             )
             doc.assigned_to = request.user
@@ -141,8 +162,14 @@ def create_missing(request):
 
         form = forms.DocumentCreateForm(initial={'owner_organization': org})
 
+        tag_forms = [
+            (TagMultipleForm if category.multiple else TagSingleForm)(
+                category=category, tutorial_no=i, prefix=category.dc_tag)
+            for i, category in enumerate(Category.objects.all(), start=2)]
+
     return render(request, "catalogue/document_create_missing.html", {
         "form": form,
+        "tag_forms": tag_forms,
 
         "logout_to": '/',
     })
@@ -150,9 +177,6 @@ def create_missing(request):
 
 @never_cache
 def book_html(request, pk, rev_pk=None, preview=False):
-    from librarian.document import Document as SST
-    from librarian.formats.html import HtmlFormat
-
     doc = get_object_or_404(Document, pk=pk, deleted=False)
 
     try:
@@ -206,10 +230,6 @@ def book_html(request, pk, rev_pk=None, preview=False):
 
 @never_cache
 def book_pdf(request, pk, rev_pk):
-    from librarian.utils import Context
-    from librarian.document import Document as SST
-    from librarian.formats.pdf import PdfFormat
-
     doc = get_object_or_404(Document, pk=pk)
     rev = get_object_or_404(Revision, pk=rev_pk)
     # Test
@@ -222,6 +242,7 @@ def book_pdf(request, pk, rev_pk):
     ctx = Context(
         files_path='http://%s/media/dynamic/uploads/%s/' % (request.get_host(), pk),
         source_url='http://%s%s' % (request.get_host(), reverse('catalogue_html', args=[doc.pk])),
+        organization=doc.owner_organization.name if doc.owner_organization else doc.owner_user.get_full_name(),
     )
     if doc.owner_organization is not None and doc.owner_organization.logo:
         ctx.cover_logo = 'http://%s%s' % (request.get_host(), doc.owner_organization.logo.url)
@@ -236,10 +257,6 @@ def book_pdf(request, pk, rev_pk):
 
 @never_cache
 def book_epub(request, pk, rev_pk):
-    from librarian.utils import Context
-    from librarian.document import Document as SST
-    from librarian.formats.epub import EpubFormat
-
     doc = get_object_or_404(Document, pk=pk)
     rev = get_object_or_404(Revision, pk=rev_pk)
     # Test
@@ -266,10 +283,6 @@ def book_epub(request, pk, rev_pk):
 
 @never_cache
 def book_mobi(request, pk, rev_pk):
-    from librarian.utils import Context
-    from librarian.document import Document as SST
-    from librarian.formats.epub import EpubFormat
-
     doc = get_object_or_404(Document, pk=pk)
     rev = get_object_or_404(Revision, pk=rev_pk)
 
@@ -312,9 +325,11 @@ def book_mobi(request, pk, rev_pk):
 @login_required
 def book_schedule(request, pk):
     book = get_object_or_404(Document, pk=pk, deleted=False)
+    if not book.can_edit(request.user):
+        return HttpResponseForbidden("Not authorized.")
     if request.method == 'POST':
         Plan.objects.filter(document=book).delete()
-        for i, s in enumerate(STAGES):
+        for i, (s, name) in enumerate(STAGES):
             user_id = request.POST.get('s%d-user' % i)
             deadline = request.POST.get('s%d-deadline' % i) or None
             Plan.objects.create(document=book, stage=s, user_id=user_id, deadline=deadline)
@@ -326,7 +341,7 @@ def book_schedule(request, pk):
     for p in Plan.objects.filter(document=book):
         current[p.stage] = (getattr(p.user, 'pk', None), (p.deadline.isoformat() if p.deadline else None))
 
-    schedule = [(i, s, current.get(s, ())) for (i, s) in enumerate(STAGES)]
+    schedule = [(i, s, current.get(s, ())) for i, (s, name) in enumerate(STAGES)]
     
     if book.owner_organization:
         people = [m.user for m in book.owner_organization.membership_set.exclude(status='pending')]
@@ -342,9 +357,8 @@ def book_schedule(request, pk):
 @login_required
 def book_owner(request, pk):
     doc = get_object_or_404(Document, pk=pk, deleted=False)
-    user_is_owner = doc.owner_organization and doc.owner_organization.is_member(request.user)
-    if not (doc.owner_user == request.user or user_is_owner):
-        raise Http404
+    if not doc.can_edit(request.user):
+        return HttpResponseForbidden("Not authorized.")
 
     error = ''
 
@@ -375,8 +389,8 @@ def book_owner(request, pk):
 @login_required
 def book_delete(request, pk):
     doc = get_object_or_404(Document, pk=pk, deleted=False)
-    if not (doc.owner_user == request.user or doc.owner_organization.is_member(request.user)):
-        raise Http404
+    if not doc.can_edit(request.user):
+        return HttpResponseForbidden("Not authorized.")
 
     if request.method == 'POST':
         doc.deleted = True
@@ -395,16 +409,26 @@ def publish(request, pk):
     from .models import PublishRecord
     from dvcs.models import Revision
 
-    # FIXME: check permissions
-
     doc = get_object_or_404(Document, pk=pk, deleted=False)
+    if not doc.can_edit(request.user):
+        return HttpResponseForbidden("Not authorized.")
     form = forms.DocumentTextPublishForm(request.POST, prefix="textpublish")
     if form.is_valid():
         rev = Revision.objects.get(pk=form.cleaned_data['revision'])
         # FIXME: check if in tree
         # if PublishRecord.objects.filter(revision=rev, document=doc).exists():
         #     return http.HttpResponse('exists')
+        if not doc.published:
+            site = Site.objects.get_current()
+            send_notify_email(
+                'New published document in MIL/PEER',
+                '''New published document in MIL/PEER: %s. View it in browser: https://%s%s.
+
+--
+MIL/PEER team.''' % (doc.meta()['title'], site.domain, reverse('catalogue_html', args=[doc.pk])))
         PublishRecord.objects.create(revision=rev, document=doc, user=request.user)
+        doc.published = True
+        doc.save()
         if request.is_ajax():
             return http.HttpResponse('ok')
         else:
@@ -422,9 +446,10 @@ def publish(request, pk):
 @require_POST
 @login_required
 def unpublish(request, pk):
-    # FIXME: check permissions
-
     doc = get_object_or_404(Document, pk=pk, deleted=False)
+    if not doc.can_edit(request.user):
+        return HttpResponseForbidden("Not authorized.")
+
     doc.publish_log.all().delete()
     if request.is_ajax():
         return http.HttpResponse('ok')
@@ -485,12 +510,16 @@ def fork(request, pk):
 
 
 def upcoming(request):
+    f = DocumentFilterSet(request.GET, queryset=Document.objects.filter(deleted=False).filter(publish_log=None))
     return render(request, "catalogue/upcoming.html", {
-        'objects_list': Document.objects.filter(deleted=False).filter(publish_log=None),
+        'filter_set': f,
+        'link_url': 'catalogue_preview',
     })
 
 
 def finished(request):
+    f = DocumentFilterSet(request.GET, queryset=Document.objects.filter(deleted=False).exclude(publish_log=None))
     return render(request, "catalogue/finished.html", {
-        'objects_list': Document.objects.filter(deleted=False).exclude(publish_log=None),
+        'filter_set': f,
+        'link_url': 'catalogue_html',
     })