X-Git-Url: https://git.mdrn.pl/redakcja.git/blobdiff_plain/e3d6e94589c1356d3f8d1b7fc36d9f21d966e16a..5a649a9e943f331ec61d2e86c3840397777ccfb6:/apps/catalogue/views.py

diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py
index a11eadb9..d2e135c5 100644
--- a/apps/catalogue/views.py
+++ b/apps/catalogue/views.py
@@ -16,11 +16,12 @@ from django.contrib.auth.decorators import login_required
 from django.contrib.sites.models import Site
 from django.core.urlresolvers import reverse
 from django import http
-from django.http import Http404, HttpResponse
+from django.http import Http404, HttpResponse, HttpResponseForbidden
 from django.shortcuts import get_object_or_404, render, redirect
 from django.utils.encoding import force_str
 from django.utils.http import urlquote_plus
 from django.views.decorators.http import require_POST
+from unidecode import unidecode
 
 from catalogue import forms
 from catalogue.forms import TagMultipleForm, TagSingleForm
@@ -72,11 +73,11 @@ def logout_then_redirect(request):
 def create_missing(request):
     if request.method == "POST":
         form = forms.DocumentCreateForm(request.POST, request.FILES)
-        # tag_forms = [
-        #     (TagMultipleForm if category.multiple else TagSingleForm)(
-        #         category=category, data=request.POST, prefix=category.dc_tag)
-        #     for category in Category.objects.all()]
-        if form.is_valid():  # and all(tag_form.is_valid() for tag_form in tag_forms):
+        tag_forms = [
+            (TagMultipleForm if category.multiple else TagSingleForm)(
+                category=category, data=request.POST, prefix=category.dc_tag)
+            for category in Category.objects.all()]
+        if form.is_valid() and all(tag_form.is_valid() for tag_form in tag_forms):
             
             if request.user.is_authenticated():
                 creator = request.user
@@ -99,7 +100,10 @@ def create_missing(request):
                 path = settings.MEDIA_ROOT + uppath
                 if not os.path.isdir(path):
                     os.makedirs(path)
-                dest_path = path + cover.name   # UNSAFE
+                cover.name = unidecode(cover.name)
+                dest_path = path + cover.name
+                if not os.path.abspath(dest_path).startswith(os.path.abspath(path)):
+                    raise Http404
                 with open(dest_path, 'w') as destination:
                     for chunk in cover.chunks():
                         destination.write(chunk)
@@ -143,13 +147,13 @@ def create_missing(request):
 
         form = forms.DocumentCreateForm(initial={'owner_organization': org})
 
-        # tag_forms = [
-        #     (TagMultipleForm if category.multiple else TagSingleForm)(category=category, prefix=category.dc_tag)
-        #     for category in Category.objects.all()]
+        tag_forms = [
+            (TagMultipleForm if category.multiple else TagSingleForm)(category=category, prefix=category.dc_tag)
+            for category in Category.objects.all()]
 
     return render(request, "catalogue/document_create_missing.html", {
         "form": form,
-        # "tag_forms": tag_forms,
+        "tag_forms": tag_forms,
 
         "logout_to": '/',
     })
@@ -319,6 +323,8 @@ def book_mobi(request, pk, rev_pk):
 @login_required
 def book_schedule(request, pk):
     book = get_object_or_404(Document, pk=pk, deleted=False)
+    if not book.can_edit(request.user):
+        return HttpResponseForbidden("Not authorized.")
     if request.method == 'POST':
         Plan.objects.filter(document=book).delete()
         for i, (s, name) in enumerate(STAGES):
@@ -349,9 +355,8 @@ def book_schedule(request, pk):
 @login_required
 def book_owner(request, pk):
     doc = get_object_or_404(Document, pk=pk, deleted=False)
-    user_is_owner = doc.owner_organization and doc.owner_organization.is_member(request.user)
-    if not (doc.owner_user == request.user or user_is_owner):
-        raise Http404
+    if not doc.can_edit(request.user):
+        return HttpResponseForbidden("Not authorized.")
 
     error = ''
 
@@ -382,8 +387,8 @@ def book_owner(request, pk):
 @login_required
 def book_delete(request, pk):
     doc = get_object_or_404(Document, pk=pk, deleted=False)
-    if not (doc.owner_user == request.user or doc.owner_organization.is_member(request.user)):
-        raise Http404
+    if not doc.can_edit(request.user):
+        return HttpResponseForbidden("Not authorized.")
 
     if request.method == 'POST':
         doc.deleted = True
@@ -402,9 +407,9 @@ def publish(request, pk):
     from .models import PublishRecord
     from dvcs.models import Revision
 
-    # FIXME: check permissions
-
     doc = get_object_or_404(Document, pk=pk, deleted=False)
+    if not doc.can_edit(request.user):
+        return HttpResponseForbidden("Not authorized.")
     form = forms.DocumentTextPublishForm(request.POST, prefix="textpublish")
     if form.is_valid():
         rev = Revision.objects.get(pk=form.cleaned_data['revision'])
@@ -439,9 +444,10 @@ MIL/PEER team.''' % (doc.meta()['title'], site.domain, reverse('catalogue_html',
 @require_POST
 @login_required
 def unpublish(request, pk):
-    # FIXME: check permissions
-
     doc = get_object_or_404(Document, pk=pk, deleted=False)
+    if not doc.can_edit(request.user):
+        return HttpResponseForbidden("Not authorized.")
+
     doc.publish_log.all().delete()
     if request.is_ajax():
         return http.HttpResponse('ok')