X-Git-Url: https://git.mdrn.pl/redakcja.git/blobdiff_plain/c4ca6c62fbc28fc81a472b1917c36af4228a6d32..ddf19efc791510fde4615c00cc85299c213d5924:/apps/catalogue/views.py?ds=sidebyside diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py index b8b6b89e..1f3130a0 100644 --- a/apps/catalogue/views.py +++ b/apps/catalogue/views.py @@ -16,13 +16,15 @@ from django.contrib.auth.decorators import login_required from django.contrib.sites.models import Site from django.core.urlresolvers import reverse from django import http -from django.http import Http404, HttpResponse +from django.http import Http404, HttpResponse, HttpResponseForbidden from django.shortcuts import get_object_or_404, render, redirect from django.utils.encoding import force_str from django.utils.http import urlquote_plus from django.views.decorators.http import require_POST +from unidecode import unidecode from catalogue import forms +from catalogue.filters import DocumentFilterSet from catalogue.forms import TagMultipleForm, TagSingleForm from catalogue.helpers import active_tab from catalogue.models import Category @@ -72,11 +74,11 @@ def logout_then_redirect(request): def create_missing(request): if request.method == "POST": form = forms.DocumentCreateForm(request.POST, request.FILES) - # tag_forms = [ - # (TagMultipleForm if category.multiple else TagSingleForm)( - # category=category, data=request.POST, prefix=category.dc_tag) - # for category in Category.objects.all()] - if form.is_valid(): # and all(tag_form.is_valid() for tag_form in tag_forms): + tag_forms = [ + (TagMultipleForm if category.multiple else TagSingleForm)( + category=category, data=request.POST, prefix=category.dc_tag) + for category in Category.objects.all()] + if form.is_valid() and all(tag_form.is_valid() for tag_form in tag_forms): if request.user.is_authenticated(): creator = request.user @@ -93,13 +95,19 @@ def create_missing(request): doc = Document.objects.create(**kwargs) + for tag_form in tag_forms: + tag_form.save(instance=doc) + cover = request.FILES.get('cover') if cover: uppath = 'uploads/%d/' % doc.pk path = settings.MEDIA_ROOT + uppath if not os.path.isdir(path): os.makedirs(path) - dest_path = path + cover.name # UNSAFE + cover.name = unidecode(cover.name) + dest_path = path + cover.name + if not os.path.abspath(dest_path).startswith(os.path.abspath(path)): + raise Http404 with open(dest_path, 'w') as destination: for chunk in cover.chunks(): destination.write(chunk) @@ -112,9 +120,7 @@ def create_missing(request): ''' + form.cleaned_data['publisher'] + ''' ''' + form.cleaned_data['description'] + ''' - ''' + form.cleaned_data['language'] + ''' - ''' + form.cleaned_data['rights'] + ''' - ''' + form.cleaned_data['audience'] + ''' + ''' + '\n'.join(tag_form.metadata_rows() for tag_form in tag_forms) + ''' ''' + cover_url + '''
''' + title + '''
@@ -143,13 +149,14 @@ def create_missing(request): form = forms.DocumentCreateForm(initial={'owner_organization': org}) - # tag_forms = [ - # (TagMultipleForm if category.multiple else TagSingleForm)(category=category, prefix=category.dc_tag) - # for category in Category.objects.all()] + tag_forms = [ + (TagMultipleForm if category.multiple else TagSingleForm)( + category=category, tutorial_no=i, prefix=category.dc_tag) + for i, category in enumerate(Category.objects.all(), start=2)] return render(request, "catalogue/document_create_missing.html", { "form": form, - # "tag_forms": tag_forms, + "tag_forms": tag_forms, "logout_to": '/', }) @@ -319,9 +326,11 @@ def book_mobi(request, pk, rev_pk): @login_required def book_schedule(request, pk): book = get_object_or_404(Document, pk=pk, deleted=False) + if not book.can_edit(request.user): + return HttpResponseForbidden("Not authorized.") if request.method == 'POST': Plan.objects.filter(document=book).delete() - for i, s in enumerate(STAGES): + for i, (s, name) in enumerate(STAGES): user_id = request.POST.get('s%d-user' % i) deadline = request.POST.get('s%d-deadline' % i) or None Plan.objects.create(document=book, stage=s, user_id=user_id, deadline=deadline) @@ -333,7 +342,7 @@ def book_schedule(request, pk): for p in Plan.objects.filter(document=book): current[p.stage] = (getattr(p.user, 'pk', None), (p.deadline.isoformat() if p.deadline else None)) - schedule = [(i, s, current.get(s, ())) for (i, s) in enumerate(STAGES)] + schedule = [(i, s, current.get(s, ())) for i, (s, name) in enumerate(STAGES)] if book.owner_organization: people = [m.user for m in book.owner_organization.membership_set.exclude(status='pending')] @@ -349,9 +358,8 @@ def book_schedule(request, pk): @login_required def book_owner(request, pk): doc = get_object_or_404(Document, pk=pk, deleted=False) - user_is_owner = doc.owner_organization and doc.owner_organization.is_member(request.user) - if not (doc.owner_user == request.user or user_is_owner): - raise Http404 + if not doc.can_edit(request.user): + return HttpResponseForbidden("Not authorized.") error = '' @@ -382,8 +390,8 @@ def book_owner(request, pk): @login_required def book_delete(request, pk): doc = get_object_or_404(Document, pk=pk, deleted=False) - if not (doc.owner_user == request.user or doc.owner_organization.is_member(request.user)): - raise Http404 + if not doc.can_edit(request.user): + return HttpResponseForbidden("Not authorized.") if request.method == 'POST': doc.deleted = True @@ -402,9 +410,9 @@ def publish(request, pk): from .models import PublishRecord from dvcs.models import Revision - # FIXME: check permissions - doc = get_object_or_404(Document, pk=pk, deleted=False) + if not doc.can_edit(request.user): + return HttpResponseForbidden("Not authorized.") form = forms.DocumentTextPublishForm(request.POST, prefix="textpublish") if form.is_valid(): rev = Revision.objects.get(pk=form.cleaned_data['revision']) @@ -439,9 +447,10 @@ MIL/PEER team.''' % (doc.meta()['title'], site.domain, reverse('catalogue_html', @require_POST @login_required def unpublish(request, pk): - # FIXME: check permissions - doc = get_object_or_404(Document, pk=pk, deleted=False) + if not doc.can_edit(request.user): + return HttpResponseForbidden("Not authorized.") + doc.publish_log.all().delete() if request.is_ajax(): return http.HttpResponse('ok') @@ -502,12 +511,16 @@ def fork(request, pk): def upcoming(request): + f = DocumentFilterSet(request.GET, queryset=Document.objects.filter(deleted=False).filter(publish_log=None)) return render(request, "catalogue/upcoming.html", { - 'objects_list': Document.objects.filter(deleted=False).filter(publish_log=None), + 'filter_set': f, + 'link_url': 'catalogue_preview', }) def finished(request): + f = DocumentFilterSet(request.GET, queryset=Document.objects.filter(deleted=False).exclude(publish_log=None)) return render(request, "catalogue/finished.html", { - 'objects_list': Document.objects.filter(deleted=False).exclude(publish_log=None), + 'filter_set': f, + 'link_url': 'catalogue_html', })