Commit 217976ba53aee88c9a721972719eea6c9f1f8610

Authored by Zambom
1 parent 115b23d9

Editing forum permissions

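--- a/forum/permissions.py
+++ b/forum/permissions.py
@@ -0,0 +1,32 @@
+from rolepermissions.permissions import register_object_checker
+from amadeus.roles import SystemAdmin
+
+@register_object_checker()
+def view_forum(role, user, forum):
+ if (role == SystemAdmin):
+ return True
+
+ if (user in forum.topic.subject.professors.all() or user in forum.topic.subject.students.all()):
+ return True
+
+ return False
+
+@register_object_checker()
+def edit_forum(role, user, forum):
+ if (role == SystemAdmin):
+ return True
+
+ if (user in forum.topic.subject.professors.all()):
+ return True
+
+ return False
+
+@register_object_checker()
+def delete_forum(role, user, forum):
+ if (role == SystemAdmin):
+ return True
+
+ if (user in forum.topic.subject.professors.all()):
+ return True
+
+ return False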
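Review bot: The membership tests `user in forum.topic.subject.professors.all()` in `view_forum`, `edit_forum` and `delete_forum` load the whole related queryset into Python on every permission check; `forum.topic.subject.professors.filter(pk=user.pk).exists()` asks the database for the one row that matters. `edit_forum` and `delete_forum` have identical bodies, so a small shared helper would keep the two rules from drifting apart. Each checker would also benefit from a one-line docstring stating who is allowed, for example `"""Allow system admins and professors of the forum's subject."""` on `edit_forum`.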
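--- a/forum/templates/forum/forum_view.html
+++ b/forum/templates/forum/forum_view.html
@@ -34,7 +34,7 @@
 </div>
 </div>
 
- {% if request.user|has_role:'system_admin' or request.user|has_role:'professor' and request.user == post.user %}
+ {% if request.user|has_role:'system_admin' or request.user|has_role:'professor' and request.user in forum.topic.subject.professors.all %}
 <div class="panel panel-primary navigation">
 <div class="panel-heading">
 <h3 class="panel-title">{% trans 'Actions' %}</h3>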
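Review bot: The new `{% if %}` condition restates the `edit_forum` rule by hand (`has_role` plus `request.user in forum.topic.subject.professors.all`), so the template and the registered checker can drift apart the next time the rule changes. django-role-permissions ships a `can` template tag for object checkers; if the installed version has it, something like `{% can "edit_forum" forum user=request.user as can_edit_forum %}` followed by `{% if can_edit_forum %}` keeps a single source of truth. Either way this condition only hides the Actions panel, so the enforcement has to stay in the views.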
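--- a/forum/views.py
+++ b/forum/views.py
@@ -9,6 +9,9 @@ from django.http import Http404, JsonResponse
 from django.urls import reverse
 from django.template.loader import render_to_string
 
+from rolepermissions.mixins import HasRoleMixin
+from rolepermissions.verifications import has_object_permission
+
 from .models import Forum, Post, PostAnswer
 from courses.models import Topic
 from core.models import Action, Resource
@@ -41,7 +44,9 @@ class ForumIndex(LoginRequiredMixin, generic.ListView):
 
 return context
 
-class CreateForumView(LoginRequiredMixin, generic.edit.CreateView, NotificationMixin):
+class CreateForumView(LoginRequiredMixin, HasRoleMixin, generic.edit.CreateView, NotificationMixin):
+ allowed_roles = ['professor', 'system_admin']
+
 login_url = reverse_lazy("core:home")
 redirect_field_name = 'next'
 
@@ -69,7 +74,9 @@ def render_forum(request, forum):
 
 return JsonResponse({'url': str(reverse_lazy('course:forum:view', args = (), kwargs = {'slug': last_forum.slug})), 'forum_id': str(forum), 'name': str(last_forum.name)})
 
-class UpdateForumView(LoginRequiredMixin, generic.UpdateView):
+class UpdateForumView(LoginRequiredMixin, HasRoleMixin, generic.UpdateView):
+ allowed_roles = ['professor', 'system_admin']
+
 login_url = reverse_lazy("core:home")
 redirect_field_name = 'next'
 
@@ -77,6 +84,14 @@ class UpdateForumView(LoginRequiredMixin, generic.UpdateView):
 form_class = ForumForm
 model = Forum
 
+ def dispatch(self, *args, **kwargs):
+ forum = get_object_or_404(Forum, id = self.kwargs.get('pk'))
+
+ if(not has_object_permission('edit_forum', self.request.user, forum)):
+ return self.handle_no_permission()
+
+ return super(UpdateForumView, self).dispatch(*args, **kwargs)
+
 def form_invalid(self, form):
 return self.render_to_response(self.get_context_data(form = form), status = 400)
 
@@ -93,7 +108,9 @@ def render_edit_forum(request, forum):
 
 return render(request, 'forum/render_forum.html', context)
 
-class ForumDeleteView(LoginRequiredMixin, generic.DeleteView):
+class ForumDeleteView(LoginRequiredMixin, HasRoleMixin, generic.DeleteView):
+ allowed_roles = ['professor', 'system_admin']
+
 login_url = reverse_lazy("core:home")
 redirect_field_name = 'next'
 
@@ -101,6 +118,14 @@ class ForumDeleteView(LoginRequiredMixin, generic.DeleteView):
 pk_url_kwarg = 'pk'
 success_url = reverse_lazy('course:forum:deleted_forum')
 
+ def dispatch(self, *args, **kwargs):
+ forum = get_object_or_404(Forum, id = self.kwargs.get('pk'))
+
+ if(not has_object_permission('delete_forum', self.request.user, forum)):
+ return self.handle_no_permission()
+
+ return super(ForumDeleteView, self).dispatch(*args, **kwargs)
+
 def forum_deleted(request):
 return HttpResponse(_("Forum deleted successfully."))
 
@@ -112,6 +137,14 @@ class ForumDetailView(LoginRequiredMixin, generic.DetailView):
 template_name = 'forum/forum_view.html'
 context_object_name = 'forum'
 
+ def dispatch(self, *args, **kwargs):
+ forum = get_object_or_404(Forum, slug = self.kwargs.get('slug'))
+
+ if(not has_object_permission('view_forum', self.request.user, forum)):
+ return self.handle_no_permission()
+
+ return super(ForumDetailView, self).dispatch(*args, **kwargs)
+
 def get_context_data(self, **kwargs):
 context = super(ForumDetailView, self).get_context_data(**kwargs)
 forum = get_object_or_404(Forum, slug = self.kwargs.get('slug'))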
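Review bot: In the three new `dispatch()` overrides (`UpdateForumView`, `ForumDeleteView`, `ForumDetailView`) the forum lookup and `has_object_permission()` run before `super().dispatch()`, so they run before `LoginRequiredMixin` and `HasRoleMixin` have checked the request. Assuming those mixins enforce their checks in their own `dispatch()`, an unauthenticated client gets a 404 for a missing forum and a different response for an existing one, which discloses which ids and slugs exist. Starting each override with `if not self.request.user.is_authenticated:` / `return self.handle_no_permission()`, or moving the object check into `get_object()`, restores the intended order. `CreateForumView` gets only `allowed_roles`, so unless the form handling outside this hunk restricts the topic, any professor can create a forum under a subject they do not teach. The class bodies continue outside the hunks.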