diff --git a/amadeus/permissions.py b/amadeus/permissions.py
new file mode 100644
index 0000000..78bb281
--- /dev/null
+++ b/amadeus/permissions.py
@@ -0,0 +1,19 @@
+# File used to store functions to handle permissions
+
+"""
+ Function to know if a user has permission to:
+ - Edit Subject
+ - Delete Subject
+ - Create Topic inside Subject
+"""
+def has_subject_permissions(user, subject):
+ if user.is_staff:
+ return True
+
+ if user in subject.professor.all():
+ return True
+
+ if user in subject.category.coordinators.all():
+ return True
+
+ return False
diff --git a/topics/views.py b/topics/views.py
index e418cfb..39bc7c7 100644
--- a/topics/views.py
+++ b/topics/views.py
@@ -5,6 +5,8 @@ from django.core.urlresolvers import reverse, reverse_lazy
 from django.utils.translation import ugettext_lazy as _
 from django.contrib.auth.mixins import LoginRequiredMixin
+from amadeus.permissions import has_subject_permissions
+
 from subjects.models import Subject
 from .models import Topic
@@ -17,6 +19,15 @@ class CreateView(LoginRequiredMixin, generic.edit.CreateView):
 template_name = 'topics/create.html'
 form_class = TopicForm
+ def dispatch(self, request, *args, **kwargs):
+ slug = self.kwargs.get('slug', '')
+ subject = get_object_or_404(Subject, slug = slug)
+
+ if not has_subject_permissions(request.user, subject):
+ return redirect(reverse_lazy('subjects:home'))
+
+ return super(CreateView, self).dispatch(request, *args, **kwargs)
+ + def get_initial(self): + initial = super(CreateView, self).get_initial() -- libgit2 0.21.2
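Review bot: The membership tests `user in subject.professor.all()` and `user in subject.category.coordinators.all()` load the whole related set into memory on every request just to look for one user; a single EXISTS query does the same job with `if subject.professor.filter(pk=user.pk).exists():` and `if subject.category.coordinators.filter(pk=user.pk).exists():` (this assumes both attributes are related managers, which their `.all()` use suggests). The triple-quoted description sits between the header comment and the `def`, so it is a bare module-level string rather than the function's docstring; move it below the `def` line so `help()` and tooling pick it up, and state there that `is_staff` short-circuits the professor/coordinator checks. The EXISTS form also behaves correctly if the caller passes an `AnonymousUser` (its `pk` is `None`, so the filter matches nothing and the function returns False).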
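Review bot: The permission check in the new `dispatch` runs before `LoginRequiredMixin.dispatch`, which is only reached through the final `super()` call, so an unauthenticated request gets a 404 or a redirect to `subjects:home` instead of the login page, and the `get_object_or_404` lookup lets anonymous clients learn which subject slugs exist. Guard first with `if not request.user.is_authenticated: return self.handle_no_permission()` (use the `is_authenticated()` call form if this project is still on Django 1.9, where it is a method), or move the check into a hook such as `get`/`post` that only runs after the mixin has accepted the user. `get_object_or_404` and `redirect` are not imported in the visible hunks; confirm they are imported above line 5 of `topics/views.py`. `redirect('subjects:home')` resolves URL names itself, so the `reverse_lazy` wrapper is not needed. `CreateView`'s body continues before and after this hunk.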