From: Jan Szejko Date: Thu, 30 Mar 2017 14:18:55 +0000 (+0200) Subject: fix permissions X-Git-Url: https://git.mdrn.pl/redakcja.git/commitdiff_plain/4e7aaa55651ce32fed3e729ff6b8da680a30fd36?hp=972798eca6a4dc8e9c7e5bc7cb86cf242a9f3d72 fix permissions --- diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py index a11eadb9..1021c878 100644 --- a/apps/catalogue/views.py +++ b/apps/catalogue/views.py @@ -16,7 +16,7 @@ from django.contrib.auth.decorators import login_required from django.contrib.sites.models import Site from django.core.urlresolvers import reverse from django import http -from django.http import Http404, HttpResponse +from django.http import Http404, HttpResponse, HttpResponseForbidden from django.shortcuts import get_object_or_404, render, redirect from django.utils.encoding import force_str from django.utils.http import urlquote_plus @@ -319,6 +319,8 @@ def book_mobi(request, pk, rev_pk): @login_required def book_schedule(request, pk): book = get_object_or_404(Document, pk=pk, deleted=False) + if not book.can_edit(request.user): + return HttpResponseForbidden("Not authorized.") if request.method == 'POST': Plan.objects.filter(document=book).delete() for i, (s, name) in enumerate(STAGES): @@ -349,6 +351,8 @@ def book_schedule(request, pk): @login_required def book_owner(request, pk): doc = get_object_or_404(Document, pk=pk, deleted=False) + if not doc.can_edit(request.user): + return HttpResponseForbidden("Not authorized.") user_is_owner = doc.owner_organization and doc.owner_organization.is_member(request.user) if not (doc.owner_user == request.user or user_is_owner): raise Http404 @@ -382,8 +386,8 @@ def book_owner(request, pk): @login_required def book_delete(request, pk): doc = get_object_or_404(Document, pk=pk, deleted=False) - if not (doc.owner_user == request.user or doc.owner_organization.is_member(request.user)): - raise Http404 + if not doc.can_edit(request.user): + return HttpResponseForbidden("Not authorized.") if request.method == 'POST': doc.deleted = True @@ -402,9 +406,9 @@ def publish(request, pk): from .models import PublishRecord from dvcs.models import Revision - # FIXME: check permissions - doc = get_object_or_404(Document, pk=pk, deleted=False) + if not doc.can_edit(request.user): + return HttpResponseForbidden("Not authorized.") form = forms.DocumentTextPublishForm(request.POST, prefix="textpublish") if form.is_valid(): rev = Revision.objects.get(pk=form.cleaned_data['revision']) @@ -439,9 +443,10 @@ MIL/PEER team.''' % (doc.meta()['title'], site.domain, reverse('catalogue_html', @require_POST @login_required def unpublish(request, pk): - # FIXME: check permissions - doc = get_object_or_404(Document, pk=pk, deleted=False) + if not doc.can_edit(request.user): + return HttpResponseForbidden("Not authorized.") + doc.publish_log.all().delete() if request.is_ajax(): return http.HttpResponse('ok') diff --git a/apps/wiki/views.py b/apps/wiki/views.py index 461f1109..6a5f2ac5 100644 --- a/apps/wiki/views.py +++ b/apps/wiki/views.py @@ -55,6 +55,8 @@ def get_history(document): @never_cache def editor(request, pk, template_name='wiki/bootstrap.html'): doc = get_object_or_404(Document, pk=pk, deleted=False) + if not doc.can_edit(request.user): + return HttpResponseForbidden("Not authorized.") save_form = forms.DocumentTextSaveForm(user=request.user, prefix="textsave") text = doc.materialize() @@ -88,10 +90,10 @@ def editor(request, pk, template_name='wiki/bootstrap.html'): @decorator_from_middleware(GZipMiddleware) def text(request, doc_id): doc = get_object_or_404(Document, pk=doc_id, deleted=False) - # if not doc.book.accessible(request): - # return HttpResponseForbidden("Not authorized.") if request.method == 'POST': + if not doc.can_edit(request.user): + return HttpResponseForbidden("Not authorized.") form = forms.DocumentTextSaveForm(request.POST, user=request.user, prefix="textsave") if form.is_valid(): if request.user.is_authenticated(): @@ -156,6 +158,8 @@ def revert(request, doc_id): form = forms.DocumentTextRevertForm(request.POST, prefix="textrevert") if form.is_valid(): doc = get_object_or_404(Document, pk=doc_id, deleted=False) + if not doc.can_edit(request.user): + return HttpResponseForbidden("Not authorized.") rev = get_object_or_404(Revision, pk=form.cleaned_data['revision']) comment = form.cleaned_data['comment']