Commit d2acecc921f37ef978f550602103d48dcc257ab8

Authored by Zambom
1 parent fdd2a50b

Resolving url permissions [Issues: #192 & #195]

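--- a/courses/permissions.py
+++ b/courses/permissions.py
@@ -2,6 +2,19 @@ from rolepermissions.permissions import register_object_checker
 from amadeus.roles import SystemAdmin
 
 @register_object_checker()
+def view_topic(role, user, topic):
+    if (role == SystemAdmin):
+        return True
+
+    if (user in topic.subject.course.professors.all() and user in topic.subject.professors.all()):
+        return True
+
+    if (user in topic.subject.course.students.all() and user in topic.subject.students.all()):
+        return True
+
+    return False
+
+@register_object_checker()
 def edit_topic(role, user, topic):
     if (role == SystemAdmin):
         return True
@@ -12,6 +25,19 @@ def edit_topic(role, user, topic):
     return False
 
 @register_object_checker()
+def view_subject(role, user, subject):
+    if (role == SystemAdmin):
+        return True
+
+    if (user in subject.course.professors.all() and user in subject.professors.all()):
+        return True
+
+    if (user in subject.course.students.all() and user in subject.students.all()):
+        return True
+
+    return False
+
+@register_object_checker()
 def edit_subject(role, user, subject):
     if (role == SystemAdmin):
         return True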
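Review bot: `view_topic` re-implements `view_subject` against `topic.subject`, so it could simply delegate with `return view_subject(role, user, topic.subject)` — provided `register_object_checker()` hands back the function it registers, which it appears to do in django-role-permissions and is worth confirming before relying on it. Each `user in ….all()` test evaluates the whole related queryset and compares the user against every row; `subject.course.professors.filter(pk=user.pk).exists()` is a single bounded query per membership test and reads the same. The parentheses around the `if` conditions are unidiomatic Python, mirroring the existing `edit_*` checkers above. A one-line docstring on each checker stating the rule, e.g. `"""Allow viewing only to admins, or to professors/students enrolled in both the course and this subject."""`, would make the access policy auditable without decoding the conditions.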
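--- a/courses/templates/course/view.html
+++ b/courses/templates/course/view.html
@@ -157,7 +157,7 @@
 <p><b>{% trans "End" %}: </b>{{subject.end_date}}</p>
 </div>
 </div>
-<a href="{% url 'course:view_subject' subject.slug %}" class="btn btn-raised btn-default center-block view_btn" {% if user|show_subject_subscribe:subject %}style="display:none"{% endif %}>{% trans 'View Subject' %}<div class="ripple-container"></div></a>
+<a href="{% url 'course:view_subject' subject.slug %}" class="btn btn-raised btn-default center-block view_btn" {% if user|hide_subscribe_view_btn:subject %}style="display:none"{% endif %}>{% trans 'View Subject' %}<div class="ripple-container"></div></a>
 </div>
 </div>
 {% endfor %}
@@ -209,7 +209,7 @@
 <p><b>{% trans "End" %}: </b>{{subject.end_date}}</p>
 </div>
 </div>
-<a href="{% url 'course:view_subject' subject.slug %}" class="btn btn-raised btn-default center-block view_btn" {% if user|show_subject_subscribe:subject %}style="display:none"{% endif %}>{% trans 'View Subject' %}<div class="ripple-container"></div></a>
+<a href="{% url 'course:view_subject' subject.slug %}" class="btn btn-raised btn-default center-block view_btn" {% if user|hide_subscribe_view_btn:subject %}style="display:none"{% endif %}>{% trans 'View Subject' %}<div class="ripple-container"></div></a>
 </div>
 </div>
 {% endif %}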
courses/templatetags/custom_filters.py
@@ -4,6 +4,19 @@ from rolepermissions.verifications import has_role @@ -4,6 +4,19 @@ from rolepermissions.verifications import has_role
4 register = template.Library() 4 register = template.Library()
5 5
6 @register.filter 6 @register.filter
  7 +def hide_subscribe_view_btn(user, subject):
  8 + if not user is None:
  9 + if user.is_authenticated:
  10 + if has_role(user, 'student') and not user.is_staff:
  11 + if user in subject.course.students.all():
  12 + if not user in subject.students.all():
  13 + return True
  14 + else:
  15 + return True
  16 +
  17 + return False
  18 +
  19 +@register.filter
7 def show_subject_subscribe(user, subject): 20 def show_subject_subscribe(user, subject):
8 if not user is None: 21 if not user is None:
9 if user.is_authenticated: 22 if user.is_authenticated:
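Review bot: `if not user is None:` and `if not user in subject.students.all():` in `hide_subscribe_view_btn` should read `if user is not None:` and `if user not in subject.students.all():` (PEP 8 E714/E713; `not x is y` parses as `not (x is y)` but is easily misread). The body is five `if` levels deep and ends in an `else:` whose pairing cannot be recovered from this rendering; which `if` it belongs to decides whether non-student users, or students outside the course, get the view button hidden, so a comment on the `else:` naming the case it covers would pin the behaviour the template now depends on. The first two guards repeat the opening of `show_subject_subscribe` below, whose body continues outside the hunk; a small shared helper for the "authenticated non-staff student" precondition would keep the two filters from drifting apart. This filter only controls visibility — the `dispatch` checks added in courses/views.py remain the enforcement point, which is the right split.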
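--- a/courses/views.py
+++ b/courses/views.py
@@ -210,6 +210,7 @@ class CourseView( NotificationMixin, generic.DetailView):
         courses = None
         context = super(CourseView, self).get_context_data(**kwargs)
         course = get_object_or_404(Course, slug = self.kwargs.get('slug'))
+
         if has_role(self.request.user,'system_admin'):
             subjects = course.subjects.all()
         elif has_role(self.request.user,'professor'):
@@ -381,6 +382,14 @@ class SubjectsView(LoginRequiredMixin, generic.ListView):
     context_object_name = 'subjects'
     model = Subject
 
+    def dispatch(self, *args, **kwargs):
+        subject = get_object_or_404(Subject, slug = self.kwargs.get('slug'))
+
+        if(not has_object_permission('view_subject', self.request.user, subject)):
+            return self.handle_no_permission()
+
+        return super(SubjectsView, self).dispatch(*args, **kwargs)
+
     def get_queryset(self):
         subject = get_object_or_404(Subject, slug = self.kwargs.get('slug'))
         course = subject.course
@@ -428,6 +437,14 @@ class TopicsView(LoginRequiredMixin, generic.ListView):
     context_object_name = 'topics'
     model = Topic
 
+    def dispatch(self, *args, **kwargs):
+        topic = get_object_or_404(Topic, slug = self.kwargs.get('slug'))
+
+        if(not has_object_permission('view_topic', self.request.user, topic)):
+            return self.handle_no_permission()
+
+        return super(TopicsView, self).dispatch(*args, **kwargs)
+
     def get_queryset(self):
         topic = get_object_or_404(Topic, slug = self.kwargs.get('slug'))
         subject = topic.subject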
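Review bot: In both new `dispatch` overrides (`SubjectsView` in the previous hunk and `TopicsView` here) the object-permission check runs before `LoginRequiredMixin.dispatch`, which is only reached through the `super()` call on the last line, so an unauthenticated request first performs the `get_object_or_404` lookup and then hands an `AnonymousUser` to `has_object_permission`, whose handling of that case is not visible here; a guard `if not self.request.user.is_authenticated: return self.handle_no_permission()` placed before the lookup short-circuits anonymous requests without running any query. The same object is fetched again in `get_queryset` with the identical `get_object_or_404(Topic, slug = self.kwargs.get('slug'))` (body continues outside the hunk); storing it as `self.topic` in `dispatch` and reusing it below removes the duplicate query. `if(not has_object_permission(...)):` reads more naturally as `if not has_object_permission(...):`. A short docstring on each `dispatch`, e.g. `"""Refuse the request unless the user may view this topic; unknown slugs raise 404 before the permission check."""`, records why these list views diverge from a plain ListView.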