# HG changeset patch
# User cavaliet
# Date 1365783246 -7200
# Node ID 351782e601e767ee8bcdc5e44ffd2f750a6ac759
# Parent 6c61660e51a20df712a2c69f123c6d97b7578ec4
import modifs from maintenance head
diff -r 6c61660e51a2 -r 351782e601e7 src/ldt/ldt/ldt_utils/views/lignesdetemps.py
--- a/src/ldt/ldt/ldt_utils/views/lignesdetemps.py Mon Apr 08 17:24:42 2013 +0200
+++ b/src/ldt/ldt/ldt_utils/views/lignesdetemps.py Fri Apr 12 18:14:06 2013 +0200
@@ -10,6 +10,7 @@
 from ldt.ldt_utils.stat import update_stat_project
 from ldt.ldt_utils.utils import LdtUtils, clean_description
 from ldt.security.utils import set_forbidden_stream
+from ldt.security.permissionchecker import check_object_perm_for_user
 from ldt.utils.projectldt_parser import absolute_src_xml, relative_src_xml
 from ldt.utils.url import absstatic, absurl
 from ldt.utils.web_url_management import get_web_url
@@ -195,16 +196,16 @@
 except Project.DoesNotExist:
 return HttpResponseRedirect(reverse("ldt.ldt_utils.views.workspace.home"))
- if ldt.state == 2 or not request.user.has_perm('change_project', ldt): #published
+ if ldt.state == 2 or not check_object_perm_for_user(ldt, 'change_project', request.user):
 readonly = 'true'
 else:
 readonly = 'false'
-
+
 if full:
 template_path = 'ldt/ldt_utils/init_ldt_full.html'
 else:
 template_path = 'ldt/ldt_utils/init_ldt.html'
-
+
 return render_to_response(template_path, {'colorurl': colorurl, 'i18nurl': i18nurl, 'language': language_code, 'baseurl': baseurl, 'url': urlStr, 'posturl': posturl, 'id': id, 'readonly': readonly}, context_instance=RequestContext(request))
@@ -214,7 +215,7 @@
 doc = ldtgen.generate_init([url], 'ldt.ldt_utils.views.lignesdetemps.' + method, None)
 library = doc.xpath('/iri/files/library')[0]
- for c in Content.safe_objects.all():
+ for c in Content.safe_objects.all().select_related("media_obj"):
 elem = lxml.etree.SubElement(library, 'file')
 elem.set('src', c.iri_url())
 if c.videopath :
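Review bot: In the `@@ -195,16 +196,16 @@` hunk of lignesdetemps.py the rewritten condition drops the trailing `#published` comment, so `ldt.state == 2` is now an unexplained magic number; keep a comment such as `# state 2 == published; users without change_project get the read-only player`. The `readonly` value is only handed to the template in the visible lines, so it is presumably a display hint, and the save path needs its own permission check, which this hunk does not show. The decision now comes from `check_object_perm_for_user` instead of the auth backends, so any difference between the two (for example the `is_staff` shortcut in permissionchecker.py) changes who is given the editable view. The enclosing view starts and ends outside the hunk.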
@@ -302,20 +303,20 @@
 #remove html tags added by flash
 description = ldtproject.get_description(doc)
 new_desc = clean_description(description)
-
+
 if new_desc:
 desc_node = doc.xpath('/iri/project')[0]
 desc_node.set('abstract', new_desc)
 ldtproject.ldt = lxml.etree.tostring(doc, pretty_print=True)
-
+
 ldtproject.description = new_desc if new_desc else description
 #set a new icon for this project
 if check_icon_project:
 ldtproject.set_icon()
-
+
 ldtproject.save()
-
+
 else:
 ldt = ''
 new_contents = []
diff -r 6c61660e51a2 -r 351782e601e7 src/ldt/ldt/management/commands/reindex.py
--- a/src/ldt/ldt/management/commands/reindex.py Mon Apr 08 17:24:42 2013 +0200
+++ b/src/ldt/ldt/management/commands/reindex.py Fri Apr 12 18:14:06 2013 +0200
@@ -18,8 +18,7 @@
 help="Index only the content specified by CONTENT_ID."),
 make_option("-n", "--nocontent",
 dest="no_content",
- action="store",
- type="string",
+ action="store_true",
 help="Avoid index only the content specified by CONTENT_ID."),
 )
diff -r 6c61660e51a2 -r 351782e601e7 src/ldt/ldt/security/__init__.py
--- a/src/ldt/ldt/security/__init__.py Mon Apr 08 17:24:42 2013 +0200
+++ b/src/ldt/ldt/security/__init__.py Fri Apr 12 18:14:06 2013 +0200
@@ -1,7 +1,8 @@
 from django.conf import settings
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.auth.models import User
-from django.core.signals import request_started
+from django.core.signals import request_started
+from ldt.security.permissionchecker import check_object_perm_for_user
 try:
 from threading import local
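Review bot: In reindex.py the `-n/--nocontent` option becomes a boolean flag, but its help text still reads "Avoid index only the content specified by CONTENT_ID.", which describes an argument the flag no longer takes. Reword it to say what the flag switches off, for example `help="Do not index contents."`, adjusted to whatever `no_content` actually controls, which is not visible here. Adding `default=False` would also make the option value a real boolean rather than `None` when the flag is absent. The option list starts outside the hunk.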
@@ -94,7 +95,8 @@
 if not user:
 user = get_anonymous_user()
- if self.pk and not user.has_perm('change_%s' % cls_name, self):
+ # use our check_object_perm_for_user instead of not optimized guardian has_perm
+ if self.pk and not check_object_perm_for_user(self, 'change_%s' % cls_name, user):
 raise AttributeError('User %s is not allowed to change object %s' % (user, self))
 return func(self, *args, **kwargs)
diff -r 6c61660e51a2 -r 351782e601e7 src/ldt/ldt/security/permissionchecker.py
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/ldt/ldt/security/permissionchecker.py Fri Apr 12 18:14:06 2013 +0200
@@ -0,0 +1,34 @@
+from django.contrib.contenttypes.models import ContentType
+from django.contrib.auth.models import Permission
+from guardian.models import UserObjectPermission, GroupObjectPermission
+
+
+def check_object_perm_for_user(obj, perm_name, user):
+ # If user is admin...
+ if user.is_staff:
+ return True
+ # Guardian has_perm request is REALLY long and not optimized.
+ # So we check manually the change_project permission for the user and the user's groups
+ # Get necessary datas
+ model_name = obj.__class__.__name__.lower()
+ content_type = ContentType.objects.get(model=model_name)
+ perm = Permission.objects.get(codename=perm_name)
+ can_change = False
+ # Check for the user
+ try:
+ uop = UserObjectPermission.objects.get(user=user, content_type=content_type, permission=perm, object_pk=obj.pk)
+ if uop:
+ can_change = True
+ except:
+ can_change = False
+ # Check for user's groups if necessary
+ if not can_change:
+ try:
+ gop = GroupObjectPermission.objects.filter(group__user=user, content_type=content_type, permission=perm, object_pk=obj.pk)
+ if gop and len(gop)>0:
+ can_change = True
+ except:
+ can_change = False
+ # End
+ return can_change
+
\ No newline at end of file
diff -r 6c61660e51a2 -r 351782e601e7 src/ldt/ldt/static/ldt/js/projectscontents.js
--- a/src/ldt/ldt/static/ldt/js/projectscontents.js Mon Apr 08 17:24:42 2013 +0200
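Review bot: `check_object_perm_for_user` in the new permissionchecker.py returns True for every `is_staff` account, which as far as I know is wider than the `has_perm` calls it replaces: Django's `has_perm` short-circuits only for active superusers, while `is_staff` merely allows admin-site login. That widens write access on every object guarded by the decorator in security/__init__.py and the view in lignesdetemps.py. The two lookups outside the `try` blocks are also too loose: `ContentType.objects.get(model=...)` ignores `app_label` and `Permission.objects.get(codename=...)` ignores the content type, so a second model or permission with the same name raises instead of answering. The bare `except:` clauses then turn any error, including a database failure, into a silent deny, and `len(gop)>0` loads rows where `.exists()` would do. A version that keeps the cheap queries is sketched below; if staff really are meant to bypass object permissions, keep that branch but say so in its comment.

```python
def check_object_perm_for_user(obj, perm_name, user):
    # Same bypass has_perm applies: active superusers only, not all staff.
    if user.is_active and user.is_superuser:
        return True
    # AnonymousUser has no primary key and can hold no object permission.
    if user.pk is None:
        return False
    content_type = ContentType.objects.get_for_model(obj)
    # codename is unique only per content type, so pin both.
    lookup = {
        'content_type': content_type,
        'permission__content_type': content_type,
        'permission__codename': perm_name,
        'object_pk': obj.pk,
    }
    if UserObjectPermission.objects.filter(user=user, **lookup).exists():
        return True
    return GroupObjectPermission.objects.filter(group__user=user, **lookup).exists()
```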
+++ b/src/ldt/ldt/static/ldt/js/projectscontents.js Fri Apr 12 18:14:06 2013 +0200
@@ -238,7 +238,7 @@
 init_modal_window ('.ldt_link_copy_project', 500, 150, 500, 150, base_node, searchprojectfilterurl);
 // Project pagination in workspace home
- $('.projects_page').click(function(e){
+ $('.projects_page',base_node).click(function(e){
 num_page = $(this).attr('alt');
 if(num_page=="prev"){
 num_page = parseInt($('#current_project_page').val()) - 1;