--- a/src/ldt/ldt/ldt_utils/views/lignesdetemps.py Mon Apr 08 17:24:42 2013 +0200
+++ b/src/ldt/ldt/ldt_utils/views/lignesdetemps.py Fri Apr 12 18:14:06 2013 +0200
@@ -10,6 +10,7 @@
from ldt.ldt_utils.stat import update_stat_project
from ldt.ldt_utils.utils import LdtUtils, clean_description
from ldt.security.utils import set_forbidden_stream
+from ldt.security.permissionchecker import check_object_perm_for_user
from ldt.utils.projectldt_parser import absolute_src_xml, relative_src_xml
from ldt.utils.url import absstatic, absurl
from ldt.utils.web_url_management import get_web_url
@@ -195,16 +196,16 @@
except Project.DoesNotExist:
return HttpResponseRedirect(reverse("ldt.ldt_utils.views.workspace.home"))
- if ldt.state == 2 or not request.user.has_perm('change_project', ldt): #published
+ if ldt.state == 2 or not check_object_perm_for_user(ldt, 'change_project', request.user):
readonly = 'true'
else:
readonly = 'false'
-
+
if full:
template_path = 'ldt/ldt_utils/init_ldt_full.html'
else:
template_path = 'ldt/ldt_utils/init_ldt.html'
-
+
return render_to_response(template_path, {'colorurl': colorurl, 'i18nurl': i18nurl, 'language': language_code, 'baseurl': baseurl, 'url': urlStr, 'posturl': posturl, 'id': id, 'readonly': readonly}, context_instance=RequestContext(request))
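Review bot: The rewritten condition drops the `#published` comment, so `ldt.state == 2` is now an unexplained magic number on the line that decides whether the editor opens writable. Keep the comment, e.g. `# state 2 == published: always read-only`, or compare against a named constant if the model defines one. `readonly` is only handed to the template in this hunk, so the save path presumably needs its own server-side permission check. The enclosing view starts outside the hunk, so that cannot be confirmed from here.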
@@ -214,7 +215,7 @@
doc = ldtgen.generate_init([url], 'ldt.ldt_utils.views.lignesdetemps.' + method, None)
library = doc.xpath('/iri/files/library')[0]
- for c in Content.safe_objects.all():
+ for c in Content.safe_objects.all().select_related("media_obj"):
elem = lxml.etree.SubElement(library, 'file')
elem.set('src', c.iri_url())
if c.videopath :
@@ -302,20 +303,20 @@
#remove html tags added by flash
description = ldtproject.get_description(doc)
new_desc = clean_description(description)
-
+
if new_desc:
desc_node = doc.xpath('/iri/project')[0]
desc_node.set('abstract', new_desc)
ldtproject.ldt = lxml.etree.tostring(doc, pretty_print=True)
-
+
ldtproject.description = new_desc if new_desc else description
#set a new icon for this project
if check_icon_project:
ldtproject.set_icon()
-
+
ldtproject.save()
-
+
else:
ldt = ''
new_contents = []
--- a/src/ldt/ldt/management/commands/reindex.py Mon Apr 08 17:24:42 2013 +0200
+++ b/src/ldt/ldt/management/commands/reindex.py Fri Apr 12 18:14:06 2013 +0200
@@ -18,8 +18,7 @@
help="Index only the content specified by CONTENT_ID."),
make_option("-n", "--nocontent",
dest="no_content",
- action="store",
- type="string",
+ action="store_true",
help="Avoid index only the content specified by CONTENT_ID."),
)
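Review bot: The help text for `--nocontent` still reads "Avoid index only the content specified by CONTENT_ID.", although the option is now a `store_true` flag that takes no value. Reword it to describe what the flag does, for instance `help="Skip content indexing."`, adjusting to whatever the command body (not visible in this hunk) really does with `no_content`. Adding `default=False` would also make the option a real boolean instead of `None` when the flag is absent.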
--- a/src/ldt/ldt/security/__init__.py Mon Apr 08 17:24:42 2013 +0200
+++ b/src/ldt/ldt/security/__init__.py Fri Apr 12 18:14:06 2013 +0200
@@ -1,7 +1,8 @@
from django.conf import settings
from django.contrib.contenttypes.models import ContentType
from django.contrib.auth.models import User
-from django.core.signals import request_started
+from django.core.signals import request_started
+from ldt.security.permissionchecker import check_object_perm_for_user
try:
from threading import local
@@ -94,7 +95,8 @@
if not user:
user = get_anonymous_user()
- if self.pk and not user.has_perm('change_%s' % cls_name, self):
+ # use our check_object_perm_for_user instead of not optimized guardian has_perm
+ if self.pk and not check_object_perm_for_user(self, 'change_%s' % cls_name, user):
raise AttributeError('User %s is not allowed to change object %s' % (user, self))
return func(self, *args, **kwargs)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/ldt/ldt/security/permissionchecker.py Fri Apr 12 18:14:06 2013 +0200
@@ -0,0 +1,34 @@
+from django.contrib.contenttypes.models import ContentType
+from django.contrib.auth.models import Permission
+from guardian.models import UserObjectPermission, GroupObjectPermission
+
+
+def check_object_perm_for_user(obj, perm_name, user):
+ # If user is admin...
+ if user.is_staff:
+ return True
+ # Guardian has_perm request is REALLY long and not optimized.
+ # So we check manually the change_project permission for the user and the user's groups
+ # Get necessary datas
+ model_name = obj.__class__.__name__.lower()
+ content_type = ContentType.objects.get(model=model_name)
+ perm = Permission.objects.get(codename=perm_name)
+ can_change = False
+ # Check for the user
+ try:
+ uop = UserObjectPermission.objects.get(user=user, content_type=content_type, permission=perm, object_pk=obj.pk)
+ if uop:
+ can_change = True
+ except:
+ can_change = False
+ # Check for user's groups if necessary
+ if not can_change:
+ try:
+ gop = GroupObjectPermission.objects.filter(group__user=user, content_type=content_type, permission=perm, object_pk=obj.pk)
+ if gop and len(gop)>0:
+ can_change = True
+ except:
+ can_change = False
+ # End
+ return can_change
+
\ No newline at end of file
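Review bot: The `if user.is_staff: return True` shortcut at the top of `check_object_perm_for_user` is broader than the `has_perm` call it replaces at both call sites (the read-only decision in lignesdetemps.py and the change guard in security/__init__.py). It never looks at `is_active`, and it lets every staff account change every object, whereas Django's `has_perm` short-circuits only for active superusers. The lookups are also loose: `ContentType.objects.get(model=...)` and `Permission.objects.get(codename=...)` are not scoped by app or content type and sit outside the `try`, so a duplicate model name or codename raises instead of denying. The bare `except:` blocks also turn any database error into a silent deny. I would gate on `is_active`, resolve the content type with `get_for_model`, and replace the get/len logic with two `exists()` queries as below, keeping the staff bypass only if it is intended policy.

```python
def check_object_perm_for_user(obj, perm_name, user):
    # Inactive (and anonymous) accounts never get object permissions.
    if not user.is_active:
        return False
    # Keep the staff bypass only if it is a deliberate policy; has_perm() only bypassed for superusers.
    if user.is_superuser or user.is_staff:
        return True
    content_type = ContentType.objects.get_for_model(obj)
    lookup = {
        'content_type': content_type,
        'permission__content_type': content_type,
        'permission__codename': perm_name,
        'object_pk': obj.pk,
    }
    # Direct grant first, then grants through any of the user's groups.
    if UserObjectPermission.objects.filter(user=user, **lookup).exists():
        return True
    return GroupObjectPermission.objects.filter(group__user=user, **lookup).exists()
```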
--- a/src/ldt/ldt/static/ldt/js/projectscontents.js Mon Apr 08 17:24:42 2013 +0200
+++ b/src/ldt/ldt/static/ldt/js/projectscontents.js Fri Apr 12 18:14:06 2013 +0200
@@ -238,7 +238,7 @@
init_modal_window ('.ldt_link_copy_project', 500, 150, 500, 150, base_node, searchprojectfilterurl);
// Project pagination in workspace home
- $('.projects_page').click(function(e){
+ $('.projects_page',base_node).click(function(e){
num_page = $(this).attr('alt');
if(num_page=="prev"){
num_page = parseInt($('#current_project_page').val()) - 1;