fix permissions

author Jan Szejko <janek37@gmail.com>

Thu, 30 Mar 2017 14:18:55 +0000 (16:18 +0200)

committer Jan Szejko <janek37@gmail.com>

Thu, 30 Mar 2017 14:18:55 +0000 (16:18 +0200)
author Jan Szejko <janek37@gmail.com>
Thu, 30 Mar 2017 14:18:55 +0000 (16:18 +0200)
committer Jan Szejko <janek37@gmail.com>
Thu, 30 Mar 2017 14:18:55 +0000 (16:18 +0200)
diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py

index a11eadb..1021c87 100644 (file)
--- a/apps/catalogue/views.py
+++ b/apps/catalogue/views.py
@@ -16,7 +16,7 @@ from django.contrib.auth.decorators import login_required
  from django.contrib.sites.models import Site
  from django.core.urlresolvers import reverse
  from django import http
  from django.contrib.sites.models import Site
  from django.core.urlresolvers import reverse
  from django import http
-from django.http import Http404, HttpResponse
+from django.http import Http404, HttpResponse, HttpResponseForbidden
  from django.shortcuts import get_object_or_404, render, redirect
  from django.utils.encoding import force_str
  from django.utils.http import urlquote_plus
  from django.shortcuts import get_object_or_404, render, redirect
  from django.utils.encoding import force_str
  from django.utils.http import urlquote_plus
@@ -319,6 +319,8 @@ def book_mobi(request, pk, rev_pk):
  @login_required
  def book_schedule(request, pk):
      book = get_object_or_404(Document, pk=pk, deleted=False)
  @login_required
  def book_schedule(request, pk):
      book = get_object_or_404(Document, pk=pk, deleted=False)
+    if not book.can_edit(request.user):
+        return HttpResponseForbidden("Not authorized.")
      if request.method == 'POST':
          Plan.objects.filter(document=book).delete()
          for i, (s, name) in enumerate(STAGES):
      if request.method == 'POST':
          Plan.objects.filter(document=book).delete()
          for i, (s, name) in enumerate(STAGES):
@@ -349,6 +351,8 @@ def book_schedule(request, pk):
  @login_required
  def book_owner(request, pk):
      doc = get_object_or_404(Document, pk=pk, deleted=False)
  @login_required
  def book_owner(request, pk):
      doc = get_object_or_404(Document, pk=pk, deleted=False)
+    if not doc.can_edit(request.user):
+        return HttpResponseForbidden("Not authorized.")
      user_is_owner = doc.owner_organization and doc.owner_organization.is_member(request.user)
      if not (doc.owner_user == request.user or user_is_owner):
          raise Http404
      user_is_owner = doc.owner_organization and doc.owner_organization.is_member(request.user)
      if not (doc.owner_user == request.user or user_is_owner):
          raise Http404
@@ -382,8 +386,8 @@ def book_owner(request, pk):
  @login_required
  def book_delete(request, pk):
      doc = get_object_or_404(Document, pk=pk, deleted=False)
  @login_required
  def book_delete(request, pk):
      doc = get_object_or_404(Document, pk=pk, deleted=False)
-    if not (doc.owner_user == request.user or doc.owner_organization.is_member(request.user)):
-        raise Http404
+    if not doc.can_edit(request.user):
+        return HttpResponseForbidden("Not authorized.")
  
      if request.method == 'POST':
          doc.deleted = True
  
      if request.method == 'POST':
          doc.deleted = True
@@ -402,9 +406,9 @@ def publish(request, pk):
      from .models import PublishRecord
      from dvcs.models import Revision
  
      from .models import PublishRecord
      from dvcs.models import Revision
  
-    # FIXME: check permissions
-
      doc = get_object_or_404(Document, pk=pk, deleted=False)
      doc = get_object_or_404(Document, pk=pk, deleted=False)
+    if not doc.can_edit(request.user):
+        return HttpResponseForbidden("Not authorized.")
      form = forms.DocumentTextPublishForm(request.POST, prefix="textpublish")
      if form.is_valid():
          rev = Revision.objects.get(pk=form.cleaned_data['revision'])
      form = forms.DocumentTextPublishForm(request.POST, prefix="textpublish")
      if form.is_valid():
          rev = Revision.objects.get(pk=form.cleaned_data['revision'])
@@ -439,9 +443,10 @@ MIL/PEER team.''' % (doc.meta()['title'], site.domain, reverse('catalogue_html',
  @require_POST
  @login_required
  def unpublish(request, pk):
  @require_POST
  @login_required
  def unpublish(request, pk):
-    # FIXME: check permissions
-
      doc = get_object_or_404(Document, pk=pk, deleted=False)
      doc = get_object_or_404(Document, pk=pk, deleted=False)
+    if not doc.can_edit(request.user):
+        return HttpResponseForbidden("Not authorized.")
+
      doc.publish_log.all().delete()
      if request.is_ajax():
          return http.HttpResponse('ok')
      doc.publish_log.all().delete()
      if request.is_ajax():
          return http.HttpResponse('ok')
diff --git a/apps/wiki/views.py b/apps/wiki/views.py

index 461f110..6a5f2ac 100644 (file)
--- a/apps/wiki/views.py
+++ b/apps/wiki/views.py
@@ -55,6 +55,8 @@ def get_history(document):
  @never_cache
  def editor(request, pk, template_name='wiki/bootstrap.html'):
      doc = get_object_or_404(Document, pk=pk, deleted=False)
  @never_cache
  def editor(request, pk, template_name='wiki/bootstrap.html'):
      doc = get_object_or_404(Document, pk=pk, deleted=False)
+    if not doc.can_edit(request.user):
+        return HttpResponseForbidden("Not authorized.")
  
      save_form = forms.DocumentTextSaveForm(user=request.user, prefix="textsave")
      text = doc.materialize()
  
      save_form = forms.DocumentTextSaveForm(user=request.user, prefix="textsave")
      text = doc.materialize()
@@ -88,10 +90,10 @@ def editor(request, pk, template_name='wiki/bootstrap.html'):
  @decorator_from_middleware(GZipMiddleware)
  def text(request, doc_id):
      doc = get_object_or_404(Document, pk=doc_id, deleted=False)
  @decorator_from_middleware(GZipMiddleware)
  def text(request, doc_id):
      doc = get_object_or_404(Document, pk=doc_id, deleted=False)
-    # if not doc.book.accessible(request):
-    #     return HttpResponseForbidden("Not authorized.")
  
      if request.method == 'POST':
  
      if request.method == 'POST':
+        if not doc.can_edit(request.user):
+            return HttpResponseForbidden("Not authorized.")
          form = forms.DocumentTextSaveForm(request.POST, user=request.user, prefix="textsave")
          if form.is_valid():
              if request.user.is_authenticated():
          form = forms.DocumentTextSaveForm(request.POST, user=request.user, prefix="textsave")
          if form.is_valid():
              if request.user.is_authenticated():
@@ -156,6 +158,8 @@ def revert(request, doc_id):
      form = forms.DocumentTextRevertForm(request.POST, prefix="textrevert")
      if form.is_valid():
          doc = get_object_or_404(Document, pk=doc_id, deleted=False)
      form = forms.DocumentTextRevertForm(request.POST, prefix="textrevert")
      if form.is_valid():
          doc = get_object_or_404(Document, pk=doc_id, deleted=False)
+        if not doc.can_edit(request.user):
+            return HttpResponseForbidden("Not authorized.")
          rev = get_object_or_404(Revision, pk=form.cleaned_data['revision'])
  
          comment = form.cleaned_data['comment']
          rev = get_object_or_404(Revision, pk=form.cleaned_data['revision'])
  
          comment = form.cleaned_data['comment']
author	Jan Szejko <janek37@gmail.com>
	Thu, 30 Mar 2017 14:18:55 +0000 (16:18 +0200)
committer	Jan Szejko <janek37@gmail.com>
	Thu, 30 Mar 2017 14:18:55 +0000 (16:18 +0200)
apps/catalogue/views.py		patch \| blob \| history
apps/wiki/views.py		patch \| blob \| history