Commit 3d8091fe4994dead594de4db21f0a0c6a48e0f3c

Authored by ailsoncgt
1 parent 2c886a7e

Change permissions in file update #128 #129 #130

Showing 1 changed file with 8 additions and 3 deletions
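--- a/files/views.py
+++ b/files/views.py
@@ -5,7 +5,7 @@ from django.contrib import messages
 from django.core.urlresolvers import reverse_lazy
 from django.contrib.auth.mixins import LoginRequiredMixin
 from rolepermissions.mixins import HasRoleMixin
-from rolepermissions.verifications import has_role
+from rolepermissions.verifications import has_role, has_object_permission
 from .forms import FileForm, UpdateFileForm
 from .models import TopicFile
 from .utils import mime_type_to_material_icons
@@ -179,7 +179,12 @@ class UpdateFile(LoginRequiredMixin, HasRoleMixin, LogMixin, generic.UpdateView)
 
 return context
 
-
+ def dispatch(self, *args, **kwargs):
+ file = get_object_or_404(TopicFile, slug = self.kwargs.get('slug'))
+ if(not has_object_permission('edit_file', self.request.user, file) or not(self.request.user in file.topic.subject.professors.all())):
+ return self.handle_no_permission()
+ return super(UpdateFile, self).dispatch(*args, **kwargs)
+
 def form_valid(self, form):
 self.object = form.save()
 
@@ -224,7 +229,7 @@ class DeleteFile(LoginRequiredMixin, HasRoleMixin, LogMixin, generic.DeleteView)
 
 def dispatch(self, *args, **kwargs):
 file = get_object_or_404(TopicFile, slug = self.kwargs.get('slug'))
- if(not (file.topic.owner == self.request.user) and not(has_role(self.request.user, 'system_admin')) ):
+ if(not(self.request.user in file.topic.subject.professors.all()) and not(has_role(self.request.user, 'system_admin'))):
 return self.handle_no_permission()
 return super(DeleteFile, self).dispatch(*args, **kwargs)
 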
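Review bot: In the new `UpdateFile.dispatch`, the object lookup and permission test run before `LoginRequiredMixin` and `HasRoleMixin` can act, because the override is the first `dispatch` in the MRO and only calls `super()` on its last line. An unauthenticated request therefore reaches `get_object_or_404`, and as far as the visible lines show it gets a 404 for an unknown slug but the no-permission response for a known one, so a client without a session can tell which file slugs exist. Reject unauthenticated users before the lookup, e.g. `if not self.request.user.is_authenticated: return self.handle_no_permission()` as the first statement (on Django releases older than 1.10 `is_authenticated` has to be called). `DeleteFile.dispatch` in the last hunk has the same ordering, and it still admits `system_admin` while the update check does not; if that difference is deliberate it deserves a comment such as `# system_admin may delete but not edit files`. Both class bodies start outside their hunks.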