Commit 02d981adc42c751637025b083044affc379213a2

Authored by Zambom
1 parent 51979fee

Adding webpage access control

Showing 2 changed files with 46 additions and 1 deletions   Show diff stats
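--- a/amadeus/permissions.py
+++ b/amadeus/permissions.py
@@ -1,5 +1,7 @@
 # File used to store functions to handle permissions
 
+from topics.models import Resource
+
 """
 Function to know if a user has permission to:
 - Edit Subject
@@ -17,3 +19,28 @@ def has_subject_permissions(user, subject):
 return True
 
 return False
+
+"""
+ Function to know if user has permission to:
+ - Access Resource
+"""
+def has_resource_permissions(user, resource):
+ if has_subject_permissions(user, resource.topic.subject):
+ return True
+
+ if resource.visible or resource.topic.repository:
+ if resource.all_students:
+ if subject.students.filter(id = user.id).exists():
+ return True
+
+ if resource.students.filter(id = user.id).exists():
+ return True
+
+ if Resource.objects.filter(id = resource.id, groups__participants__pk = user.pk).exists():
+ return True
+
+ return False
+
+
+
+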
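Review bot: `has_resource_permissions` reads `subject.students` in the `resource.all_students` branch, but the function only receives `user` and `resource`, and no `subject` name is bound in the visible lines, so that branch would raise NameError for any user not already accepted by `has_subject_permissions`. The lookup should go through the resource: `if resource.topic.subject.students.filter(id = user.id).exists():`. As written the check fails closed with a server error rather than granting access, but enrolled students would be locked out of every resource flagged `all_students`. The page has lost its indentation, so the nesting under `resource.visible or resource.topic.repository` cannot be confirmed from here; the docstring above the function could state which conditions grant access so the intended policy is reviewable.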
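--- a/webpage/views.py
+++ b/webpage/views.py
@@ -5,7 +5,7 @@ from django.core.urlresolvers import reverse, reverse_lazy
 from django.utils.translation import ugettext_lazy as _
 from django.contrib.auth.mixins import LoginRequiredMixin
 
-from amadeus.permissions import has_subject_permissions
+from amadeus.permissions import has_subject_permissions, has_resource_permissions
 
 from topics.models import Topic
 
@@ -20,6 +20,15 @@ class NewWindowView(LoginRequiredMixin, generic.DetailView):
 model = Webpage
 context_object_name = 'webpage'
 
+ def dispatch(self, request, *args, **kwargs):
+ slug = self.kwargs.get('slug', '')
+ webpage = get_object_or_404(Webpage, slug = slug)
+
+ if not has_resource_permissions(request.user, webpage):
+ return redirect(reverse_lazy('subjects:home'))
+
+ return super(NewWindowView, self).dispatch(request, *args, **kwargs)
+
 class InsideView(LoginRequiredMixin, generic.DetailView):
 login_url = reverse_lazy("users:login")
 redirect_field_name = 'next'
@@ -28,6 +37,15 @@ class InsideView(LoginRequiredMixin, generic.DetailView):
 model = Webpage
 context_object_name = 'webpage'
 
+ def dispatch(self, request, *args, **kwargs):
+ slug = self.kwargs.get('slug', '')
+ webpage = get_object_or_404(Webpage, slug = slug)
+
+ if not has_resource_permissions(request.user, webpage):
+ return redirect(reverse_lazy('subjects:home'))
+
+ return super(InsideView, self).dispatch(request, *args, **kwargs)
+
 def get_context_data(self, **kwargs):
 context = super(InsideView, self).get_context_data(**kwargs)
 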
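Review bot: Both new `dispatch` overrides (in `NewWindowView` and `InsideView`) call `has_resource_permissions(request.user, webpage)` before `super().dispatch()`, which is where `LoginRequiredMixin` performs its authentication check. An anonymous request therefore reaches the permission queries and is redirected to `subjects:home` instead of the login page with `next`. Checking authentication first keeps the mixin's behaviour: `if not request.user.is_authenticated: return self.handle_no_permission()` (call `is_authenticated()` on Django versions where it is still a method). `get_object_or_404` and `redirect` are not imported in the visible hunks, so confirm they come from `django.shortcuts` elsewhere in the file. The two overrides differ only in the class name passed to `super` and could live in one shared mixin; `InsideView` continues outside the hunk.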