From 02d981adc42c751637025b083044affc379213a2 Mon Sep 17 00:00:00 2001
From: Zambom
Date: Mon, 23 Jan 2017 20:50:36 -0200
Subject: [PATCH] Adding webpage access control
---
 amadeus/permissions.py | 27 +++++++++++++++++++++++++++
 webpage/views.py | 20 +++++++++++++++++++-
 2 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/amadeus/permissions.py b/amadeus/permissions.py
index c7486de..c36108e 100644
--- a/amadeus/permissions.py
+++ b/amadeus/permissions.py
@@ -1,5 +1,7 @@
 # File used to store functions to handle permissions
+from topics.models import Resource
+
 """
 Function to know if a user has permission to:
 - Edit Subject
@@ -17,3 +19,28 @@ def has_subject_permissions(user, subject):
 return True
 return False
+
+"""
+ Function to know if user has permission to:
+ - Access Resource
+"""
+def has_resource_permissions(user, resource):
+ if has_subject_permissions(user, resource.topic.subject):
+ return True
+
+ if resource.visible or resource.topic.repository:
+ if resource.all_students:
+ if subject.students.filter(id = user.id).exists():
+ return True
+
+ if resource.students.filter(id = user.id).exists():
+ return True
+
+ if Resource.objects.filter(id = resource.id, groups__participants__pk = user.pk).exists():
+ return True
+
+ return False
+
+
+
+
diff --git a/webpage/views.py b/webpage/views.py
index 68d352e..3fac06d 100644
--- a/webpage/views.py
+++ b/webpage/views.py
@@ -5,7 +5,7 @@ from django.core.urlresolvers import reverse, reverse_lazy
 from django.utils.translation import ugettext_lazy as _
 from django.contrib.auth.mixins import LoginRequiredMixin
-from amadeus.permissions import has_subject_permissions
+from amadeus.permissions import has_subject_permissions, has_resource_permissions
 from topics.models import Topic
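Review bot: In has_resource_permissions (amadeus/permissions.py, second hunk), the `resource.all_students` branch calls `subject.students.filter(...)`, but no `subject` name is bound in the function or imported in the visible lines, so that branch would raise NameError instead of returning a decision. The line should probably read `if resource.topic.subject.students.filter(id = user.id).exists():`, matching the subject lookup on the function's first line. Indentation is lost in this rendering, so it is worth confirming that the per-student and group checks sit under the `resource.visible or resource.topic.repository` condition; if they are at function level, a hidden resource would still be served to listed students. A short docstring stating which checks are gated by visibility would make the intended policy reviewable.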
@@ -20,6 +20,15 @@ class NewWindowView(LoginRequiredMixin, generic.DetailView):
 model = Webpage
 context_object_name = 'webpage'
+ def dispatch(self, request, *args, **kwargs):
+ slug = self.kwargs.get('slug', '')
+ webpage = get_object_or_404(Webpage, slug = slug)
+
+ if not has_resource_permissions(request.user, webpage):
+ return redirect(reverse_lazy('subjects:home'))
+
+ return super(NewWindowView, self).dispatch(request, *args, **kwargs)
+
 class InsideView(LoginRequiredMixin, generic.DetailView):
 login_url = reverse_lazy("users:login")
 redirect_field_name = 'next'
@@ -28,6 +37,15 @@ class InsideView(LoginRequiredMixin, generic.DetailView):
 model = Webpage
 context_object_name = 'webpage'
+ def dispatch(self, request, *args, **kwargs):
+ slug = self.kwargs.get('slug', '')
+ webpage = get_object_or_404(Webpage, slug = slug)
+
+ if not has_resource_permissions(request.user, webpage):
+ return redirect(reverse_lazy('subjects:home'))
+
+ return super(InsideView, self).dispatch(request, *args, **kwargs)
+
 def get_context_data(self, **kwargs):
 context = super(InsideView, self).get_context_data(**kwargs)
--
libgit2 0.21.2
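Review bot: In NewWindowView.dispatch (and the identical override added to InsideView in the next hunk), the object lookup and permission check run before LoginRequiredMixin's authentication check, because the view's own dispatch comes first in the MRO. An anonymous request therefore gets a 404 for an unknown slug and, if the permission check returns False for an anonymous user, a redirect to `subjects:home` for a known one, which skips the login redirect with `next` and lets unauthenticated clients tell existing slugs apart. Starting the method with `if not request.user.is_authenticated: return self.handle_no_permission()` (with call parentheses on Django 1.9, where it is a method) would restore the expected order. `get_object_or_404` and `redirect` are not among the imports visible in this diff, so confirm that webpage/views.py already imports them. The two overrides differ only in the class name passed to `super` and could live in one shared mixin.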