Commit 02d981adc42c751637025b083044affc379213a2

Authored by Zambom
1 parent 51979fee

Adding webpage access control

Showing 2 changed files with 46 additions and 1 deletions
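--- a/amadeus/permissions.py
+++ b/amadeus/permissions.py
@@ -1,5 +1,7 @@
 # File used to store functions to handle permissions
 
+from topics.models import Resource
+
 """
 Function to know if a user has permission to:
 - Edit Subject
@@ -17,3 +19,28 @@ def has_subject_permissions(user, subject):
 return True
 
 return False
+
+"""
+ Function to know if user has permission to:
+ - Access Resource
+"""
+def has_resource_permissions(user, resource):
+ if has_subject_permissions(user, resource.topic.subject):
+ return True
+
+ if resource.visible or resource.topic.repository:
+ if resource.all_students:
+ if subject.students.filter(id = user.id).exists():
+ return True
+
+ if resource.students.filter(id = user.id).exists():
+ return True
+
+ if Resource.objects.filter(id = resource.id, groups__participants__pk = user.pk).exists():
+ return True
+
+ return False
+
+
+
+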
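Review bot: `subject` is never defined inside `has_resource_permissions`, so the `resource.all_students` branch raises NameError as soon as a visible, all-students resource is checked for a user who does not already hold subject permissions. The lookup should go through the resource: `if resource.topic.subject.students.filter(id = user.id).exists():`. The page rendering has flattened the indentation, so it cannot be confirmed from here whether the per-student and group checks sit inside the `resource.visible or resource.topic.repository` guard. If they do not, a hidden resource would still be granted to listed students and group participants, so a test with an invisible resource is worth adding.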
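--- a/webpage/views.py
+++ b/webpage/views.py
@@ -5,7 +5,7 @@ from django.core.urlresolvers import reverse, reverse_lazy
 from django.utils.translation import ugettext_lazy as _
 from django.contrib.auth.mixins import LoginRequiredMixin
 
-from amadeus.permissions import has_subject_permissions
+from amadeus.permissions import has_subject_permissions, has_resource_permissions
 
 from topics.models import Topic
 
@@ -20,6 +20,15 @@ class NewWindowView(LoginRequiredMixin, generic.DetailView):
 model = Webpage
 context_object_name = 'webpage'
 
+ def dispatch(self, request, *args, **kwargs):
+ slug = self.kwargs.get('slug', '')
+ webpage = get_object_or_404(Webpage, slug = slug)
+
+ if not has_resource_permissions(request.user, webpage):
+ return redirect(reverse_lazy('subjects:home'))
+
+ return super(NewWindowView, self).dispatch(request, *args, **kwargs)
+
 class InsideView(LoginRequiredMixin, generic.DetailView):
 login_url = reverse_lazy("users:login")
 redirect_field_name = 'next'
@@ -28,6 +37,15 @@ class InsideView(LoginRequiredMixin, generic.DetailView):
 model = Webpage
 context_object_name = 'webpage'
 
+ def dispatch(self, request, *args, **kwargs):
+ slug = self.kwargs.get('slug', '')
+ webpage = get_object_or_404(Webpage, slug = slug)
+
+ if not has_resource_permissions(request.user, webpage):
+ return redirect(reverse_lazy('subjects:home'))
+
+ return super(InsideView, self).dispatch(request, *args, **kwargs)
+
 def get_context_data(self, **kwargs):
 context = super(InsideView, self).get_context_data(**kwargs)
 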
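Review bot: Both new `dispatch` overrides (NewWindowView and InsideView) run the slug lookup and the permission test before `super().dispatch`, which is where LoginRequiredMixin performs its authentication check, so unauthenticated requests reach `get_object_or_404` and `has_resource_permissions` first. An anonymous caller then gets a 404 for an unknown slug and a redirect for an existing one, and is presumably sent to `subjects:home` rather than to `login_url` with `next`, although the body of `has_subject_permissions` is not shown here. Doing the check after the mixin has run avoids this: rename each override to `get` and end it with `return super(NewWindowView, self).get(request, *args, **kwargs)` (and the InsideView equivalent). The import hunk does not add `get_object_or_404` or `redirect`, and lines 1–4 of the file are outside the hunk, so confirm that `django.shortcuts` already provides them.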