Commit d2acecc921f37ef978f550602103d48dcc257ab8

Authored by Zambom
1 parent fdd2a50b

Resolving url permissions [Issues: #192 & #195]

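--- a/courses/permissions.py
+++ b/courses/permissions.py
@@ -2,6 +2,19 @@ from rolepermissions.permissions import register_object_checker
 from amadeus.roles import SystemAdmin
 
 @register_object_checker()
+def view_topic(role, user, topic):
+    if (role == SystemAdmin):
+        return True
+
+    if (user in topic.subject.course.professors.all() and user in topic.subject.professors.all()):
+        return True
+
+    if (user in topic.subject.course.students.all() and user in topic.subject.students.all()):
+        return True
+
+    return False
+
+@register_object_checker()
 def edit_topic(role, user, topic):
     if (role == SystemAdmin):
         return True
@@ -12,6 +25,19 @@ def edit_topic(role, user, topic):
     return False
 
 @register_object_checker()
+def view_subject(role, user, subject):
+    if (role == SystemAdmin):
+        return True
+
+    if (user in subject.course.professors.all() and user in subject.professors.all()):
+        return True
+
+    if (user in subject.course.students.all() and user in subject.students.all()):
+        return True
+
+    return False
+
+@register_object_checker()
 def edit_subject(role, user, subject):
     if (role == SystemAdmin):
         return True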
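Review bot: Each `user in subject.course.professors.all()` test in view_subject (and the four in view_topic) makes Django materialize the whole membership set of the course or subject and compare row by row, because a QuerySet has no `__contains__`; on a large course that is four full table scans per page view, which is an easy way to make the authorization check itself the slow path. Use an indexed existence query instead, e.g. `subject.course.professors.filter(pk=user.pk).exists()` for each membership test. view_topic also duplicates view_subject line for line against `topic.subject`; reducing it to `return view_subject(role, user, topic.subject)` after the SystemAdmin short-circuit keeps the two rules from drifting apart. A short comment stating the rule would help too: `# Visible to SystemAdmin, or to a user enrolled (as professor or student) in both the course and this subject.`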
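--- a/courses/templates/course/view.html
+++ b/courses/templates/course/view.html
@@ -157,7 +157,7 @@
             <p><b>{% trans "End" %}: </b>{{subject.end_date}}</p>
           </div>
         </div>
-        <a href="{% url 'course:view_subject' subject.slug %}" class="btn btn-raised btn-default center-block view_btn" {% if user|show_subject_subscribe:subject %}style="display:none"{% endif %}>{% trans 'View Subject' %}<div class="ripple-container"></div></a>
+        <a href="{% url 'course:view_subject' subject.slug %}" class="btn btn-raised btn-default center-block view_btn" {% if user|hide_subscribe_view_btn:subject %}style="display:none"{% endif %}>{% trans 'View Subject' %}<div class="ripple-container"></div></a>
       </div>
     </div>
   {% endfor %}
@@ -209,7 +209,7 @@
             <p><b>{% trans "End" %}: </b>{{subject.end_date}}</p>
           </div>
         </div>
-        <a href="{% url 'course:view_subject' subject.slug %}" class="btn btn-raised btn-default center-block view_btn" {% if user|show_subject_subscribe:subject %}style="display:none"{% endif %}>{% trans 'View Subject' %}<div class="ripple-container"></div></a>
+        <a href="{% url 'course:view_subject' subject.slug %}" class="btn btn-raised btn-default center-block view_btn" {% if user|hide_subscribe_view_btn:subject %}style="display:none"{% endif %}>{% trans 'View Subject' %}<div class="ripple-container"></div></a>
       </div>
     </div>
   {% endif %}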
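--- a/courses/templatetags/custom_filters.py
+++ b/courses/templatetags/custom_filters.py
@@ -4,6 +4,19 @@ from rolepermissions.verifications import has_role
 register = template.Library()
 
 @register.filter
+def hide_subscribe_view_btn(user, subject):
+    if not user is None:
+        if user.is_authenticated:
+            if has_role(user, 'student') and not user.is_staff:
+                if user in subject.course.students.all():
+                    if not user in subject.students.all():
+                        return True
+                else:
+                    return True
+
+    return False
+
+@register.filter
 def show_subject_subscribe(user, subject):
     if not user is None:
         if user.is_authenticated: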
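Review bot: The five-deep if pyramid in hide_subscribe_view_btn hides a simple rule: for a non-staff student the button is hidden unless the user is enrolled in both the course and the subject; the inner three levels collapse to `return not (user in subject.course.students.all() and user in subject.students.all())` inside the student branch, and `if not user is None` reads better as `if user is not None`. It is worth a docstring saying this filter only decides whether to render the button and that the server-side rule is the `view_subject` object checker, so nobody later treats the filter as the access control. The `user in queryset` tests also fetch the full enrolment list just to test one membership; `.filter(pk=user.pk).exists()` is the usual form.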
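--- a/courses/views.py
+++ b/courses/views.py
@@ -210,6 +210,7 @@ class CourseView( NotificationMixin, generic.DetailView):
         courses = None
         context = super(CourseView, self).get_context_data(**kwargs)
         course = get_object_or_404(Course, slug = self.kwargs.get('slug'))
+
         if has_role(self.request.user,'system_admin'):
             subjects = course.subjects.all()
         elif has_role(self.request.user,'professor'):
@@ -381,6 +382,14 @@ class SubjectsView(LoginRequiredMixin, generic.ListView):
     context_object_name = 'subjects'
     model = Subject
 
+    def dispatch(self, *args, **kwargs):
+        subject = get_object_or_404(Subject, slug = self.kwargs.get('slug'))
+
+        if(not has_object_permission('view_subject', self.request.user, subject)):
+            return self.handle_no_permission()
+
+        return super(SubjectsView, self).dispatch(*args, **kwargs)
+
     def get_queryset(self):
         subject = get_object_or_404(Subject, slug = self.kwargs.get('slug'))
         course = subject.course
@@ -428,6 +437,14 @@ class TopicsView(LoginRequiredMixin, generic.ListView):
     context_object_name = 'topics'
     model = Topic
 
+    def dispatch(self, *args, **kwargs):
+        topic = get_object_or_404(Topic, slug = self.kwargs.get('slug'))
+
+        if(not has_object_permission('view_topic', self.request.user, topic)):
+            return self.handle_no_permission()
+
+        return super(TopicsView, self).dispatch(*args, **kwargs)
+
     def get_queryset(self):
         topic = get_object_or_404(Topic, slug = self.kwargs.get('slug'))
         subject = topic.subject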
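Review bot: The new dispatch() in SubjectsView (and identically in TopicsView) runs get_object_or_404 and the object-permission checker before super().dispatch, i.e. before LoginRequiredMixin gets to reject anonymous requests, so an unauthenticated client reaches the database and the role checker first and can tell a valid slug (login redirect) from an unknown one (404), which is a slug-enumeration oracle the mixin was meant to close. Put the authentication guard first, `if not self.request.user.is_authenticated: return self.handle_no_permission()`, before the lookup, or move the object check into get()/get_queryset so the mixin ordering is preserved. Each view then fetches the same object again in get_queryset; caching it on self in dispatch avoids the second query. Note also that on older Django releases AccessMixin.handle_no_permission redirects an authenticated-but-unauthorized user to the login page instead of raising PermissionDenied — worth confirming against the project's Django version, or setting raise_exception = True on these views.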