# HG changeset patch
# User verrierj
# Date 1319807434 -7200
# Node ID fce9a02cc0a201316c1a1d0640fa6fa76f031ca5
# Parent 94fdb72b7d565f5750b285acbb4813205f2aeeff
Basic access control for Projects
diff -r 94fdb72b7d56 -r fce9a02cc0a2 src/ldt/ldt/ldt_utils/models.py
--- a/src/ldt/ldt/ldt_utils/models.py Fri Oct 28 11:01:40 2011 +0200
+++ b/src/ldt/ldt/ldt_utils/models.py Fri Oct 28 15:10:34 2011 +0200
@@ -396,7 +396,8 @@
 for content in contents:
 project.contents.add(content)
 project.save()
- assign(['view_project', 'change_project'], user, project)
+ assign('view_project', user, project)
+ assign('change_project', user, project)
 return create_ldt(project, user)
 def copy_project(self, user, title, description=''):
@@ -405,7 +406,8 @@
 project = Project(title=title, owner=owner, description=description)
 project = copy_ldt(self, project, user)
 project.save()
- assign(['view_project', 'change_project'], user, project)
+ assign('view_project', user, project)
+ assign('change_project', user, project)
 for content in self.contents.all():
 project.contents.add(content)
 project.save()
diff -r 94fdb72b7d56 -r fce9a02cc0a2 src/ldt/ldt/ldt_utils/security.py
--- a/src/ldt/ldt/ldt_utils/security.py Fri Oct 28 11:01:40 2011 +0200
+++ b/src/ldt/ldt/ldt_utils/security.py Fri Oct 28 15:10:34 2011 +0200
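Review bot: The two `assign` calls on the new side are the same owner-permission set that the `copy_project` hunk below repeats verbatim; a small helper such as `_grant_owner_perms(user, project)` called from both places keeps them in step if the set ever grows (a delete permission, for instance). The new form also drops the list argument the old call passed, which suggests the `assign` in use takes a single permission name per call; a one-line comment saying so would save the next reader a lookup. The enclosing method begins above the hunk.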
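Review bot: The copy is created with `owner=owner` while the object permissions are granted to `user`; if `owner` can differ from `user` here (its assignment is above the hunk), the recorded owner of the copy ends up holding neither `view_project` nor `change_project` on it. Either grant the same two permissions to `owner` as well, or state in a comment that the two names always refer to the same user so the asymmetry is deliberate.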
@@ -7,18 +7,36 @@
 if settings.USE_GROUP_PERMISSIONS:
 if not request.user:
 raise AttributeError("A user should be set in the request.")
-
- Project.objects_safe.check_perm_for(request.user)
- old_project_manager = Project.objects
- Project.objects = Project.objects_safe
- response = func(request, *args, **kwargs)
-
- Project.objects = old_project_manager
- Project.objects_safe.stop_checking()
+ if Project.objects_safe.has_user():
+ response = func(request, *args, **kwargs)
+ else:
+ Project.objects_safe.check_perm_for(request.user)
+
+ old_project_manager = Project.objects
+ old_save_method = Project.save
+ Project.save = save_security(request.user)(Project.save)
+ Project.objects = Project.objects_safe
+
+ response = func(request, *args, **kwargs)
+
+ Project.objects = old_project_manager
+ Project.save = old_save_method
+ Project.objects_safe.stop_checking()
 else:
 response = func(request, *args, **kwargs)
 return response
 return wrapper
-
\ No newline at end of file
+
+
+def save_security(user):
+ def wrapper(func):
+ def wrapped(self, *args, **kwargs):
+
+ if not user.has_perm('change_project', self):
+ raise AttributeError('User %s does not have sufficient permissions to change object %s' % (user, self))
+
+ return func(self, *args, **kwargs)
+ return wrapped
+ return wrapper
\ No newline at end of file
diff -r 94fdb72b7d56 -r fce9a02cc0a2 src/ldt/ldt/ldt_utils/templates/ldt/ldt_utils/groups.html
--- a/src/ldt/ldt/ldt_utils/templates/ldt/ldt_utils/groups.html Fri Oct 28 11:01:40 2011 +0200
+++ b/src/ldt/ldt/ldt_utils/templates/ldt/ldt_utils/groups.html Fri Oct 28 15:10:34 2011 +0200
@@ -43,6 +43,7 @@
 init_events(document);
 },
 error: function(jqXHR, textStatus, errorThrown) {
+ alert(jqXHR.responseText);
 resp = $.parseJSON(jqXHR.responseText);
 alert(resp.message);
 }
diff -r 94fdb72b7d56 -r fce9a02cc0a2 src/ldt/ldt/ldt_utils/templates/ldt/ldt_utils/partial/projectslist.html
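Review bot: The `else` branch in `wrapper` restores `Project.objects`, `Project.save` and the `objects_safe` checking state only on a normal return; if the wrapped view raises, the restricted manager and the `save_security(request.user)` wrapper — bound to that request's user — stay installed on the model class for every later request served by the process, and the new `has_user()` short-circuit at the top of the branch then runs those requests under the leaked state instead of re-checking. Wrapping the view call in `try`/`finally` makes the restore unconditional; the rewritten lines follow. Because the swap is made on the class rather than per request, concurrent requests in a threaded server would also observe each other's patch; that is inherent to the approach and deserves a comment such as `# NOTE: process-global patch of Project; not safe under threaded serving`. Separately, `save_security` signals a denied write with `AttributeError`, which Django reports as a server error; `django.core.exceptions.PermissionDenied` yields a 403 instead. `wrapper` itself starts above the hunk.
```python
            else:
                Project.objects_safe.check_perm_for(request.user)
                # … unchanged: save old manager/save, install objects_safe and the save_security wrapper …
                try:
                    response = func(request, *args, **kwargs)
                finally:
                    # restore even when the view raises, so neither the
                    # restricted manager nor a wrapper bound to this user
                    # leaks into later requests
                    Project.objects = old_project_manager
                    Project.save = old_save_method
                    Project.objects_safe.stop_checking()
```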
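Review bot: The added `alert(jqXHR.responseText)` shows the raw error body to the user before the parsed message on the next line; for a non-JSON failure that body is whatever the server returned (a full Django debug page when `DEBUG` is on), and the line reads as leftover debugging. If the intent was to cope with non-JSON bodies, the `$.parseJSON` that follows still throws on them, so a `try`/`catch` around that parse with a generic fallback message would be the fix rather than the alert. Otherwise drop the line.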
--- a/src/ldt/ldt/ldt_utils/templates/ldt/ldt_utils/partial/projectslist.html Fri Oct 28 11:01:40 2011 +0200
+++ b/src/ldt/ldt/ldt_utils/templates/ldt/ldt_utils/partial/projectslist.html Fri Oct 28 15:10:34 2011 +0200
@@ -25,9 +25,9 @@
 {% ifequal project.state 2 %}
- {% if show_username %}{{ project.owner.username }} : {% endif %} {{ project.title }}
+ {% if show_username %}{{ project.owner.username }} : {% endif %} {{ project.title }}
 {% else %}
- {% if show_username %}{{ project.owner.username }} : {% endif %}{{ project.title }}
+ {% if show_username %}{{ project.owner.username }} : {% endif %}{{ project.title }}
 {% endifequal %}
diff -r 94fdb72b7d56 -r fce9a02cc0a2 src/ldt/ldt/ldt_utils/templates/ldt/ldt_utils/partial/publishedprojectslist.html
--- a/src/ldt/ldt/ldt_utils/templates/ldt/ldt_utils/partial/publishedprojectslist.html Fri Oct 28 11:01:40 2011 +0200
+++ b/src/ldt/ldt/ldt_utils/templates/ldt/ldt_utils/partial/publishedprojectslist.html Fri Oct 28 15:10:34 2011 +0200
@@ -22,7 +22,7 @@
 {% ifequal project.state 2 %}
 {{ project.title }}
 {% else %}
- {{ project.title }}
+ {{ project.title }}
 {% endifequal %}
diff -r 94fdb72b7d56 -r fce9a02cc0a2 src/ldt/ldt/ldt_utils/views.py
--- a/src/ldt/ldt/ldt_utils/views.py Fri Oct 28 11:01:40 2011 +0200
+++ b/src/ldt/ldt/ldt_utils/views.py Fri Oct 28 15:10:34 2011 +0200
@@ -45,7 +45,7 @@
 @login_required
 @group_security
 def workspace(request):
-
+
 # list of contents
 content_list = Content.objects.all() #@UndefinedVariable
@@ -202,6 +202,7 @@
 @login_required
+@group_security
 def search_index(request):
 sform = SearchForm(request.POST)
@@ -694,9 +695,8 @@
 return render_to_response('ldt/ldt_utils/save_done.html', {'ldt': ldt, 'id':id, 'title':ldtproject.title, 'contents': new_contents}, context_instance=RequestContext(request))
-
-
 @login_required
+@group_security
 def publish(request, id, redirect=True):
 ldt = get_object_or_404(Project, ldt_id=id)
 ldt.state = 2 #published
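Review bot: Under the newly added `@group_security`, `get_object_or_404(Project, ldt_id=id)` still resolves through `Project._default_manager`, which the decorator does not touch — it swaps the `Project.objects` attribute — so this lookup is not narrowed by `objects_safe` and any project id resolves regardless of the requester. The only remaining barrier is then the patched `Project.save` on the save that presumably follows below the hunk, and that raises `AttributeError`, which surfaces as a server error rather than a 403 or 404. If `objects_safe` is meant to be the visibility filter, `get_object_or_404(Project.objects, ldt_id=id)` reads the attribute at call time and goes through the swapped manager; the same applies to `unpublish` at `@@ -706` and `update_project` at `@@ -768`. Each of these views continues past its hunk.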
@@ -706,8 +706,9 @@
 return HttpResponseRedirect(reverse("ldt.ldt_utils.views.list_ldt"))
 else:
 return HttpResponse(simplejson.dumps({'res':True, 'ldt': {'id': ldt.id, 'state':ldt.state, 'ldt_id': ldt.ldt_id}}, ensure_ascii=False), mimetype='application/json')
-
+
 @login_required
+@group_security
 def unpublish(request, id, redirect=True):
 ldt = get_object_or_404(Project, ldt_id=id)
 ldt.state = 1 #edition
@@ -768,6 +769,7 @@
 return render_to_response('ldt/ldt_utils/create_ldt.html', {'form':form, 'contents':contents, 'create_project_action':reverse("ldt.ldt_utils.views.create_project", args=[iri_id]), 'target_parent':target_parent}, context_instance=RequestContext(request))
 @login_required
+@group_security
 def update_project(request, ldt_id):
 project = get_object_or_404(Project, ldt_id=ldt_id)