From 02d981adc42c751637025b083044affc379213a2 Mon Sep 17 00:00:00 2001
From: Zambom <erikzambom@hotmail.com>
Date: Mon, 23 Jan 2017 20:50:36 -0200
Subject: [PATCH] Adding webpage access control

---
 amadeus/permissions.py | 27 +++++++++++++++++++++++++++
 webpage/views.py       | 20 +++++++++++++++++++-
 2 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/amadeus/permissions.py b/amadeus/permissions.py
index c7486de..c36108e 100644
--- a/amadeus/permissions.py
+++ b/amadeus/permissions.py
@@ -1,5 +1,7 @@
 # File used to store functions to handle permissions
 
+from topics.models import Resource
+
 """
 	Function to know if a user has permission to:
 		- Edit Subject
@@ -17,3 +19,28 @@ def has_subject_permissions(user, subject):
 		return True
 
 	return False
+
+"""
+	Function to know if user has permission to:
+		- Access Resource
+"""
+def has_resource_permissions(user, resource):
+	if has_subject_permissions(user, resource.topic.subject):
+		return True
+
+	if resource.visible or resource.topic.repository:
+		if resource.all_students:
+			if subject.students.filter(id = user.id).exists():
+				return True
+
+		if resource.students.filter(id = user.id).exists():
+			return True
+
+		if Resource.objects.filter(id = resource.id, groups__participants__pk = user.pk).exists():
+			return True
+
+	return False
+
+
+
+
diff --git a/webpage/views.py b/webpage/views.py
index 68d352e..3fac06d 100644
--- a/webpage/views.py
+++ b/webpage/views.py
@@ -5,7 +5,7 @@ from django.core.urlresolvers import reverse, reverse_lazy
 from django.utils.translation import ugettext_lazy as _
 from django.contrib.auth.mixins import LoginRequiredMixin
 
-from amadeus.permissions import has_subject_permissions
+from amadeus.permissions import has_subject_permissions, has_resource_permissions
 
 from topics.models import Topic
 
@@ -20,6 +20,15 @@ class NewWindowView(LoginRequiredMixin, generic.DetailView):
 	model = Webpage
 	context_object_name = 'webpage'
 
+	def dispatch(self, request, *args, **kwargs):
+		slug = self.kwargs.get('slug', '')
+		webpage = get_object_or_404(Webpage, slug = slug)
+
+		if not has_resource_permissions(request.user, webpage):
+			return redirect(reverse_lazy('subjects:home'))
+
+		return super(NewWindowView, self).dispatch(request, *args, **kwargs)
+
 class InsideView(LoginRequiredMixin, generic.DetailView):
 	login_url = reverse_lazy("users:login")
 	redirect_field_name = 'next'
@@ -28,6 +37,15 @@ class InsideView(LoginRequiredMixin, generic.DetailView):
 	model = Webpage
 	context_object_name = 'webpage'	
 
+	def dispatch(self, request, *args, **kwargs):
+		slug = self.kwargs.get('slug', '')
+		webpage = get_object_or_404(Webpage, slug = slug)
+
+		if not has_resource_permissions(request.user, webpage):
+			return redirect(reverse_lazy('subjects:home'))
+
+		return super(InsideView, self).dispatch(request, *args, **kwargs)
+
 	def get_context_data(self, **kwargs):
 		context = super(InsideView, self).get_context_data(**kwargs)
 
--
libgit2 0.21.2