# HG changeset patch # User verrierj # Date 1328183310 -3600 # Node ID 4be5eba42451ceaaf55675a963d8551ec0c248c5 # Parent 39a7b09be44f11618fcb5a12c13d69b54305c9e6 Contents objects are not public by default diff -r 39a7b09be44f -r 4be5eba42451 src/ldt/ldt/security/__init__.py --- a/src/ldt/ldt/security/__init__.py Wed Feb 01 15:29:34 2012 +0100 +++ b/src/ldt/ldt/security/__init__.py Thu Feb 02 12:48:30 2012 +0100 @@ -47,13 +47,13 @@ cls_list = get_models_to_protect() if cls_list: for cls in get_models_to_protect(): - protect_model(cls) + protect_model(cls) _models_are_protected = True def unprotect_models(): for cls in get_models_to_protect(): - unprotect_model(cls) + unprotect_model(cls) _models_are_protected = False @@ -75,7 +75,8 @@ cls.unsafe_delete = cls.delete class_name = cls.__name__.lower() cls.save = change_security(class_name)(cls.save) - cls.delete = change_security(class_name)(cls.delete) + cls.delete = change_security(class_name)(cls.delete) + cls.safe_objects.check_perm = True def unprotect_model(cls): if hasattr(cls, 'unsafe_save'): @@ -83,7 +84,6 @@ cls.delete = cls.unsafe_delete del cls.unsafe_save del cls.unsafe_delete - cls.safe_objects.user = None cls.safe_objects.check_perm = False def change_security(cls_name): diff -r 39a7b09be44f -r 4be5eba42451 src/ldt/ldt/security/command.py --- a/src/ldt/ldt/security/command.py Wed Feb 01 15:29:34 2012 +0100 +++ b/src/ldt/ldt/security/command.py Thu Feb 02 12:48:30 2012 +0100 @@ -44,11 +44,7 @@ if user.has_perm('view_content', content): assign('ldt_utils.view_media', user, content.media_obj) - if verbose: - print "Set content permissions..." - for c in list_model['Content'].objects.all(): - c.is_public = True - + for admin in list_model['User'].objects.filter(is_superuser=True): for g in list_model['Group'].objects.all(): g.user_set.add(admin) \ No newline at end of file diff -r 39a7b09be44f -r 4be5eba42451 src/ldt/ldt/security/manager.py --- a/src/ldt/ldt/security/manager.py Wed Feb 01 15:29:34 2012 +0100 +++ b/src/ldt/ldt/security/manager.py Thu Feb 02 12:48:30 2012 +0100 @@ -5,9 +5,8 @@ class SafeManager(Manager): use_for_related_fields = True - def __init__(self, user=None, check_perm=False): + def __init__(self, check_perm=False): super(SafeManager, self).__init__() - self.user = user self.check_perm = check_perm def get_query_set(self): @@ -15,17 +14,16 @@ if not self.check_perm: return super(SafeManager, self).get_query_set() - if not self.user: - self.user = get_current_user() + user = get_current_user() - if not self.user: + if not user: raise AttributeError("No user is attached to the current thread.") - if not self.user.is_authenticated(): - self.user = get_anonymous_user() + if not user.is_authenticated(): + user = get_anonymous_user() perm_name = '%s.view_%s' % (self.model._meta.app_label, self.model.__name__.lower()) - user_objects = get_objects_for_user(self.user, perm_name, klass=self.model.objects) + user_objects = get_objects_for_user(user, perm_name, klass=self.model.objects) return user_objects \ No newline at end of file diff -r 39a7b09be44f -r 4be5eba42451 src/ldt/ldt/security/utils.py --- a/src/ldt/ldt/security/utils.py Wed Feb 01 15:29:34 2012 +0100 +++ b/src/ldt/ldt/security/utils.py Thu Feb 02 12:48:30 2012 +0100 @@ -27,23 +27,19 @@ cls = cls.model_class() for elem in xml.xpath('/iri/medias/media'): - if not user.is_authenticated(): + content = cls.safe_objects.filter(iri_id=elem.get('id')) + if not content: elem.set('video', settings.FORBIDDEN_STREAM_URL) - else: - content = cls.safe_objects.filter(iri_id=elem.get('id')) - if not content: - elem.set('video', settings.FORBIDDEN_STREAM_URL) return xml def use_forbidden_url(content): - user = get_current_user() + cls = ContentType.objects.get(model='content') + cls = cls.model_class() - if not user.is_authenticated(): - return True - elif "Content" in settings.USE_GROUP_PERMISSIONS and user.has_perm('ldt_utils.view_content', content): + new_content = cls.safe_objects.filter(iri_id=content.iri_id) + if new_content: return False - return True def add_change_attr(user, obj_list):