X-Git-Url: https://git.mdrn.pl/redakcja.git/blobdiff_plain/c3bcc0703d6255b78c2a6813bbea03e9581609e0..4395564bb09e6b7d74cae3421f6342dd546b5619:/apps/catalogue/views.py

diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py
index fad8a692..3459fdaf 100644
--- a/apps/catalogue/views.py
+++ b/apps/catalogue/views.py
@@ -11,7 +11,7 @@ from django.contrib.auth.decorators import login_required, permission_required
 from django.core.urlresolvers import reverse
 from django.db.models import Count, Q
 from django import http
-from django.http import Http404
+from django.http import Http404, HttpResponseForbidden
 from django.shortcuts import get_object_or_404, render
 from django.utils.encoding import iri_to_uri
 from django.utils.http import urlquote_plus
@@ -27,7 +27,7 @@ from catalogue import forms
 from catalogue import helpers
 from catalogue.helpers import active_tab
 from catalogue.models import Book, Chunk, BookPublishRecord, ChunkPublishRecord
-from catalogue import xml_tools
+from catalogue.tasks import publishable_error
 
 #
 # Quick hack around caching problems, TODO: use ETags
@@ -56,6 +56,8 @@ def my(request):
     return render(request, 'catalogue/my_page.html', {
         'last_books': sorted(request.session.get("wiki_last_books", {}).items(),
                         key=lambda x: x[1]['time'], reverse=True),
+
+        "logout_to": '/',
         })
 
 
@@ -98,18 +100,22 @@ def create_missing(request, slug=None):
                 creator=creator,
                 slug=form.cleaned_data['slug'],
                 title=form.cleaned_data['title'],
+                gallery=form.cleaned_data['gallery'],
             )
 
-            return http.HttpResponseRedirect(reverse("wiki_editor", args=[book.slug]))
+            return http.HttpResponseRedirect(reverse("catalogue_book", args=[book.slug]))
     else:
         form = forms.DocumentCreateForm(initial={
                 "slug": slug,
                 "title": slug.replace('-', ' ').title(),
+                "gallery": slug,
         })
 
     return direct_to_template(request, "catalogue/document_create_missing.html", extra_context={
         "slug": slug,
         "form": form,
+
+        "logout_to": '/',
     })
 
 
@@ -165,18 +171,25 @@ def upload(request):
                 "ok_list": ok_list,
                 "skipped_list": skipped_list,
                 "error_list": error_list,
+
+                "logout_to": '/',
             })
     else:
         form = forms.DocumentsUploadForm()
 
     return direct_to_template(request, "catalogue/document_upload.html", extra_context={
         "form": form,
+
+        "logout_to": '/',
     })
 
 
 @never_cache
 def book_xml(request, slug):
-    xml = get_object_or_404(Book, slug=slug).materialize()
+    book = get_object_or_404(Book, slug=slug)
+    if not book.accessible(request):
+        return HttpResponseForbidden("Not authorized.")
+    xml = book.materialize()
 
     response = http.HttpResponse(xml, content_type='application/xml', mimetype='application/wl+xml')
     response['Content-Disposition'] = 'attachment; filename=%s.xml' % slug
@@ -185,7 +198,10 @@ def book_xml(request, slug):
 
 @never_cache
 def book_txt(request, slug):
-    xml = get_object_or_404(Book, slug=slug).materialize()
+    book = get_object_or_404(Book, slug=slug)
+    if not book.accessible(request):
+        return HttpResponseForbidden("Not authorized.")
+    xml = book.materialize()
     output = StringIO()
     # errors?
     librarian.text.transform(StringIO(xml), output)
@@ -197,7 +213,10 @@ def book_txt(request, slug):
 
 @never_cache
 def book_html(request, slug):
-    xml = get_object_or_404(Book, slug=slug).materialize()
+    book = get_object_or_404(Book, slug=slug)
+    if not book.accessible(request):
+        return HttpResponseForbidden("Not authorized.")
+    xml = book.materialize()
     output = StringIO()
     # errors?
     librarian.html.transform(StringIO(xml), output, parse_dublincore=False,
@@ -206,18 +225,21 @@ def book_html(request, slug):
     response = http.HttpResponse(html, content_type='text/html', mimetype='text/html')
     return response
 
-
 @never_cache
 def revision(request, slug, chunk=None):
     try:
         doc = Chunk.get(slug, chunk)
     except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist):
         raise Http404
+    if not doc.book.accessible(request):
+        return HttpResponseForbidden("Not authorized.")
     return http.HttpResponse(str(doc.revision()))
 
 
 def book(request, slug):
     book = get_object_or_404(Book, slug=slug)
+    if not book.accessible(request):
+        return HttpResponseForbidden("Not authorized.")
 
     if request.user.has_perm('catalogue.change_book'):
         if request.method == "POST":
@@ -232,20 +254,13 @@ def book(request, slug):
         form = forms.ReadonlyBookForm(instance=book)
         editable = False
 
-
-    try:
-        book.assert_publishable()
-    except AssertionError, e:
-        publishable = False
-        publishable_error = e
-    else:
-        publishable = True
-        publishable_error = None
+    publish_error = publishable_error(book)
+    publishable = publish_error is None
 
     return direct_to_template(request, "catalogue/book_detail.html", extra_context={
         "book": book,
         "publishable": publishable,
-        "publishable_error": publishable_error,
+        "publishable_error": publish_error,
         "form": form,
         "editable": editable,
     })
@@ -257,6 +272,8 @@ def chunk_add(request, slug, chunk):
         doc = Chunk.get(slug, chunk)
     except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist):
         raise Http404
+    if not doc.book.accessible(request):
+        return HttpResponseForbidden("Not authorized.")
 
     if request.method == "POST":
         form = forms.ChunkAddForm(request.POST, instance=doc)
@@ -288,6 +305,9 @@ def chunk_edit(request, slug, chunk):
         doc = Chunk.get(slug, chunk)
     except (Chunk.MultipleObjectsReturned, Chunk.DoesNotExist):
         raise Http404
+    if not doc.book.accessible(request):
+        return HttpResponseForbidden("Not authorized.")
+
     if request.method == "POST":
         form = forms.ChunkForm(request.POST, instance=doc)
         if form.is_valid():
@@ -315,6 +335,9 @@ def chunk_edit(request, slug, chunk):
 @permission_required('catalogue.change_book')
 def book_append(request, slug):
     book = get_object_or_404(Book, slug=slug)
+    if not book.accessible(request):
+        return HttpResponseForbidden("Not authorized.")
+
     if request.method == "POST":
         form = forms.BookAppendForm(book, request.POST)
         if form.is_valid():
@@ -326,6 +349,8 @@ def book_append(request, slug):
     return direct_to_template(request, "catalogue/book_append_to.html", extra_context={
         "book": book,
         "form": form,
+
+        "logout_to": '/',
     })
 
 
@@ -333,6 +358,9 @@ def book_append(request, slug):
 @login_required
 def publish(request, slug):
     book = get_object_or_404(Book, slug=slug)
+    if not book.accessible(request):
+        return HttpResponseForbidden("Not authorized.")
+
     try:
         book.publish(request.user)
     except NotAuthorizedError: