Allow text manager to add users on this text with no global role.
--- a/src/cm/security.py Thu Oct 03 10:11:23 2013 +0200
+++ b/src/cm/security.py Thu Oct 03 10:19:03 2013 +0200
@@ -391,6 +391,45 @@
return _check_local_perm
return _dec
-
+
+def has_global_perm_or_perm_on_text(global_perm_name, perm_name, must_be_logged_in=False, redirect_field_name=REDIRECT_FIELD_NAME, api=False):
+ def _dec(view_func):
+ def _check_global_or_local_perm(request, *args, **kwargs):
+ if must_be_logged_in and not is_authenticated(request):
+ if not api:
+ raise UnauthorizedException('Should be logged in')
+ else:
+ return rc.FORBIDDEN
+
+ if has_perm(request, global_perm_name, text=None):
+ return view_func(request, *args, **kwargs)
+
+ if cm_settings.NO_SECURITY:
+ return view_func(request, *args, **kwargs)
+ if 'key' in kwargs:
+ text = get_object_or_404(Text, key=kwargs['key'])
+ else:
+ raise Exception('no security check possible')
+
+ # in api, the view has an object as first parameter, request is args[0]
+ if not api:
+ req = request
+ else:
+ req = args[0]
+ if has_perm(req, perm_name, text=text):
+ return view_func(request, *args, **kwargs)
+
+ if not api:
+ raise UnauthorizedException('No perm %s' % perm_name)
+ else:
+ return rc.FORBIDDEN
+
+ raise UnauthorizedException('No global perm %s nor local perm %s' %(global_perm_name, perm_name))
+
+ _check_global_or_local_perm.__doc__ = view_func.__doc__
+ _check_global_or_local_perm.__dict__ = view_func.__dict__
+
+ return _check_global_or_local_perm
+ return _dec
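Review bot: The global check `if has_perm(request, global_perm_name, text=None):` runs before `req` is chosen, so with `api=True` it appears to receive the handler object rather than the request that the comment further down places in `args[0]`; `is_authenticated(request)` has the same problem. Setting `req = args[0] if api else request` at the top of `_check_global_or_local_perm` and passing `req` to all three checks would make both modes test the same principal. When `key` is missing the wrapper raises a bare `Exception('no security check possible')`, so a caller without the global permission on the key-less user_add route presumably gets a server error instead of a denial; `UnauthorizedException` (or `rc.FORBIDDEN` for api) would deny cleanly there. The final `raise UnauthorizedException('No global perm %s nor local perm %s' ...)` is unreachable, because both branches of the preceding `if not api:` already leave the function.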
--- a/src/cm/views/user.py Thu Oct 03 10:11:23 2013 +0200
+++ b/src/cm/views/user.py Thu Oct 03 10:19:03 2013 +0200
@@ -20,7 +20,7 @@
from django.views.generic.list_detail import object_list
from django.contrib.auth.decorators import login_required
from cm.views import get_keys_from_dict
-from cm.security import has_global_perm
+from cm.security import has_global_perm, has_global_perm_or_perm_on_text
from cm.exception import UnauthorizedException
from cm.cm_settings import SHOW_EMAILS_IN_ADMIN
from tagging.models import Tag
@@ -228,20 +228,20 @@
SEPARATORS_RE = re.compile('[;,\n]+')
-@has_global_perm('can_manage_workspace')
+@has_global_perm_or_perm_on_text('can_manage_workspace', 'can_manage_text')
def user_mass_add(request, key=None):
return user_add(request, key=key, mass=True)
-@has_global_perm('can_manage_workspace')
+@has_global_perm_or_perm_on_text('can_manage_workspace', 'can_manage_text')
def user_add(request, key=None, mass=False):
text = get_text_by_keys_or_404(key) if key else None
if request.method == 'POST':
userform = UserForm(request.POST) if not mass else MassUserForm(request.POST)
- userroleform = UserRoleForm(request.POST)
+ userroleform = UserRoleForm(request.POST) if not(key) else None
noteform = UserAddForm(request.POST)
userprofileform = UserProfileAddForm(request.POST)
localroleform = UserRoleTextForm(request.POST, prefix="local") if key else None
- if userform.is_valid() and userroleform.is_valid() and noteform.is_valid() and userprofileform.is_valid() and (not localroleform or localroleform.is_valid()):
+ if userform.is_valid() and (not userroleform or userroleform.is_valid()) and noteform.is_valid() and userprofileform.is_valid() and (not localroleform or localroleform.is_valid()):
data = userform.cleaned_data
data.update(userprofileform.cleaned_data)
data.update(noteform.cleaned_data)
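Review bot: Nothing in user_add states that `userroleform` and `localroleform` are now mutually exclusive, although the authorization model of this view depends on it: with a text key no global role may be created. A short comment above `userroleform = UserRoleForm(request.POST) if not(key) else None`, such as `# text-scoped add: only a local role on this text is granted, never a global one`, would keep a later edit from reintroducing the global role on this path. `not(key)` reads like a function call; `if not key` is the usual spelling. user_add's body continues outside this hunk.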
@@ -251,9 +251,10 @@
for email in [s.strip() for s in SEPARATORS_RE.split(emails)]:
if email and not User.objects.filter(email__iexact=email) and email not in email_created:
user = UserProfile.objects.create_inactive_user(email, True, **data)
- userrole = UserRole.objects.create(user=user, role=userroleform.cleaned_data['role'], text=None)
if key:
localuserrole = UserRole.objects.create(user=user, role=localroleform.cleaned_data['role'], text=text)
+ else:
+ userrole = UserRole.objects.create(user=user, role=userroleform.cleaned_data['role'], text=None)
email_created.add(email)
register_activity(request, "user_created", user=user)
display_message(request, ungettext(u'%(nb_users)d user added', u'%(nb_users)d users added', len(email_created)) % {'nb_users': len(email_created)})
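Review bot: `UserRole.objects.create(user=user, role=localroleform.cleaned_data['role'], text=text)` can now be reached by a caller who holds only can_manage_text on that text, and the role granted is whatever UserRoleTextForm accepts. That form is not part of this diff, so it is worth confirming that its choices exclude roles a text manager should not be able to hand out, or adding an explicit check before the create. The `userrole` and `localuserrole` names are assigned but not used in the visible lines. The loop sits inside user_add, which starts and ends outside this hunk.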
@@ -263,7 +264,7 @@
return HttpResponseRedirect(reverse('user'))
else:
userform = UserForm() if not mass else MassUserForm()
- userroleform = UserRoleForm()
+ userroleform = UserRoleForm() if not(key) else None
userprofileform = UserProfileAddForm({'preferred_language' : request.LANGUAGE_CODE})
noteform = UserAddForm()
localroleform = UserRoleTextForm(prefix="local") if key else None
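Review bot: The success path still ends in `return HttpResponseRedirect(reverse('user'))`, the first context line of this hunk. If the view behind 'user' still requires can_manage_workspace, a text manager who has just added users is redirected to a page that rejects them. That view is not shown here, so this is to confirm; redirecting to a text-scoped page when `key` is set would avoid it. The template that renders these forms must also tolerate `userroleform` being `None`, which `userroleform = UserRoleForm() if not(key) else None` now makes possible.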