X-Git-Url: https://git.mdrn.pl/redakcja.git/blobdiff_plain/4ac9918f152cc49badd4a359bfed41e723161cdf..8d426d983babe3d2683ed62b6675073d21bd5d94:/apps/wiki/views.py diff --git a/apps/wiki/views.py b/apps/wiki/views.py index dc2ec6f1..d99bca61 100644 --- a/apps/wiki/views.py +++ b/apps/wiki/views.py @@ -5,13 +5,14 @@ import logging from django.conf import settings from django.core.urlresolvers import reverse from django import http -from django.http import Http404 +from django.http import Http404, HttpResponseForbidden from django.middleware.gzip import GZipMiddleware from django.utils.decorators import decorator_from_middleware from django.utils.encoding import smart_unicode from django.utils.translation import ugettext as _ from django.views.decorators.http import require_POST, require_GET from django.views.generic.simple import direct_to_template +from django.shortcuts import get_object_or_404 from catalogue.models import Book, Chunk import nice_diff @@ -45,6 +46,8 @@ def editor(request, slug, chunk=None, template_name='wiki/document_details.html' return http.HttpResponseRedirect(reverse("catalogue_create_missing", args=[slug])) else: raise Http404 + if not chunk.book.accessible(request): + return HttpResponseForbidden("Not authorized.") access_time = datetime.now() last_books = request.session.get("wiki_last_books", {}) @@ -61,7 +64,7 @@ def editor(request, slug, chunk=None, template_name='wiki/document_details.html' return direct_to_template(request, template_name, extra_context={ 'chunk': chunk, 'forms': { - "text_save": forms.DocumentTextSaveForm(prefix="textsave"), + "text_save": forms.DocumentTextSaveForm(user=request.user, prefix="textsave"), "text_revert": forms.DocumentTextRevertForm(prefix="textrevert"), "pubmark": forms.DocumentPubmarkForm(prefix="pubmark"), }, @@ -76,6 +79,8 @@ def editor_readonly(request, slug, chunk=None, template_name='wiki/document_deta revision = request.GET['revision'] except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist, KeyError): raise Http404 + if not chunk.book.accessible(request): + return HttpResponseForbidden("Not authorized.") access_time = datetime.now() last_books = request.session.get("wiki_last_books", {}) @@ -99,14 +104,13 @@ def editor_readonly(request, slug, chunk=None, template_name='wiki/document_deta @never_cache @decorator_from_middleware(GZipMiddleware) -def text(request, slug, chunk=None): - try: - doc = Chunk.get(slug, chunk) - except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist): - raise Http404 +def text(request, chunk_id): + doc = get_object_or_404(Chunk, pk=chunk_id) + if not doc.book.accessible(request): + return HttpResponseForbidden("Not authorized.") if request.method == 'POST': - form = forms.DocumentTextSaveForm(request.POST, prefix="textsave") + form = forms.DocumentTextSaveForm(request.POST, user=request.user, prefix="textsave") if form.is_valid(): if request.user.is_authenticated(): author = request.user @@ -125,6 +129,8 @@ def text(request, slug, chunk=None): parent=parent, description=form.cleaned_data['comment'], tags=tags, + author_name=form.cleaned_data['author_name'], + author_email=form.cleaned_data['author_email'], ) revision = doc.revision() return JSONResponse({ @@ -156,13 +162,12 @@ def text(request, slug, chunk=None): @never_cache @require_POST -def revert(request, slug, chunk=None): +def revert(request, chunk_id): form = forms.DocumentTextRevertForm(request.POST, prefix="textrevert") if form.is_valid(): - try: - doc = Chunk.get(slug, chunk) - except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist): - raise Http404 + doc = get_object_or_404(Chunk, pk=chunk_id) + if not doc.book.accessible(request): + return HttpResponseForbidden("Not authorized.") revision = form.cleaned_data['revision'] @@ -175,7 +180,7 @@ def revert(request, slug, chunk=None): author = None before = doc.revision() - logger.info("Reverting %s to %s", slug, revision) + logger.info("Reverting %s to %s", chunk_id, revision) doc.at_revision(revision).revert(author=author, description=comment) return JSONResponse({ @@ -208,6 +213,10 @@ def gallery(request, directory): images = [map_to_url(f) for f in map(smart_unicode, os.listdir(base_dir)) if is_image(f)] images.sort() + + if not request.user.is_authenticated(): + return HttpResponseForbidden("Not authorized.") + return JSONResponse(images) except (IndexError, OSError): logger.exception("Unable to fetch gallery") @@ -215,7 +224,7 @@ def gallery(request, directory): @never_cache -def diff(request, slug, chunk=None): +def diff(request, chunk_id): revA = int(request.GET.get('from', 0)) revB = int(request.GET.get('to', 0)) @@ -225,10 +234,10 @@ def diff(request, slug, chunk=None): if revB == 0: revB = None - try: - doc = Chunk.get(slug, chunk) - except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist): - raise Http404 + doc = get_object_or_404(Chunk, pk=chunk_id) + if not doc.book.accessible(request): + return HttpResponseForbidden("Not authorized.") + # allow diff from the beginning if revA: docA = doc.at_revision(revA).materialize() @@ -241,24 +250,22 @@ def diff(request, slug, chunk=None): @never_cache -def revision(request, slug, chunk=None): - try: - doc = Chunk.get(slug, chunk) - except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist): - raise Http404 +def revision(request, chunk_id): + doc = get_object_or_404(Chunk, pk=chunk_id) + if not doc.book.accessible(request): + return HttpResponseForbidden("Not authorized.") return http.HttpResponse(str(doc.revision())) @never_cache -def history(request, slug, chunk=None): +def history(request, chunk_id): # TODO: pagination - try: - doc = Chunk.get(slug, chunk) - except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist): - raise Http404 + doc = get_object_or_404(Chunk, pk=chunk_id) + if not doc.book.accessible(request): + return HttpResponseForbidden("Not authorized.") changes = [] - for change in doc.history().order_by('-created_at'): + for change in doc.history().reverse(): changes.append({ "version": change.revision, "description": change.description, @@ -272,13 +279,12 @@ def history(request, slug, chunk=None): @require_POST @ajax_require_permission('catalogue.can_pubmark') -def pubmark(request, slug, chunk=None): +def pubmark(request, chunk_id): form = forms.DocumentPubmarkForm(request.POST, prefix="pubmark") if form.is_valid(): - try: - doc = Chunk.get(slug, chunk) - except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist): - raise Http404 + doc = get_object_or_404(Chunk, pk=chunk_id) + if not doc.book.accessible(request): + return HttpResponseForbidden("Not authorized.") revision = form.cleaned_data['revision'] publishable = form.cleaned_data['publishable']