Ajustes no acesso unitario de subjects e topics (issues #35 e #36)

Jailson Dias
1 parent 86c2739f
Showing 2 changed files with 54 additions and 2 deletions Show diff stats
courses/permissions.py
courses/views.py
@@ -0,0 +1,32 @@
+from rolepermissions.permissions import register_object_checker
+from amadeus.roles import SystemAdmin
+
+@register_object_checker()
+def edit_topic(role, user, topic):
+    if (role == SystemAdmin):
+        return True
+
+    if (user == topic.owner):
+        return True
+
+    return False
+
+@register_object_checker()
+def edit_subject(role, user, subject):
+    if (role == SystemAdmin):
+        return True
+
+    if (user in subject.professors.all()):
+        return True
+
+    return False
+
+@register_object_checker()
+def delete_subject(role, user, subject):
+    if (role == SystemAdmin):
+        return True
+
+    if (user in subject.professors.all()):
+        return True
+
+    return False
@@ -10,6 +10,7 @@ from django.utils.translation import ugettext_lazy as _
 from slugify import slugify
 from rolepermissions.verifications import has_role
 from django.db.models import Q
+from rolepermissions.verifications import has_object_permission
  
 from .forms import CourseForm, CategoryForm, SubjectForm,TopicForm
 from .models import Course, Subject, Category,Topic
@@ -223,7 +224,7 @@ class SubjectsView(LoginRequiredMixin, generic.ListView):
  
 class CreateTopicView(LoginRequiredMixin, HasRoleMixin, NotificationMixin, generic.edit.CreateView):
  
-	allowed_roles = ['professor', 'system_admin','student']
+	allowed_roles = ['professor', 'system_admin']
 	login_url = reverse_lazy("core:home")
 	redirect_field_name = 'next'
 	template_name = 'topic/create.html'
@@ -254,12 +255,18 @@ class CreateTopicView(LoginRequiredMixin, HasRoleMixin, NotificationMixin, gener
  
 class UpdateTopicView(LoginRequiredMixin, HasRoleMixin, generic.UpdateView):
  
-	allowed_roles = ['professor', 'system_admin','student']
+	allowed_roles = ['professor','system_admin']
 	login_url = reverse_lazy("core:home")
 	redirect_field_name = 'next'
 	template_name = 'topic/update.html'
 	form_class = TopicForm
  
+	def dispatch(self, *args, **kwargs):
+		topic = get_object_or_404(Topic, slug = self.kwargs.get('slug'))
+		if(not has_object_permission('edit_topic', self.request.user, topic)):
+			return self.handle_no_permission()
+		return super(UpdateTopicView, self).dispatch(*args, **kwargs)
+
 	def get_object(self, queryset=None):
 	    return get_object_or_404(Topic, slug = self.kwargs.get('slug'))
  
@@ -315,6 +322,12 @@ class UpdateSubjectView(LoginRequiredMixin, HasRoleMixin, generic.UpdateView):
 	template_name = 'subject/update.html'
 	form_class = SubjectForm
  
+	def dispatch(self, *args, **kwargs):
+		subject = get_object_or_404(Subject, slug = self.kwargs.get('slug'))
+		if(not has_object_permission('edit_subject', self.request.user, subject)):
+			return self.handle_no_permission()
+		return super(UpdateSubjectView, self).dispatch(*args, **kwargs)
+
 	def get_object(self, queryset=None):
 		context = get_object_or_404(Subject, slug = self.kwargs.get('slug'))
 		return context
@@ -339,6 +352,13 @@ class DeleteSubjectView(LoginRequiredMixin, HasRoleMixin, generic.DeleteView):
 	model = Subject
 	template_name = 'subject/delete.html'
  
+	def dispatch(self, *args, **kwargs):
+		subject = get_object_or_404(Subject, slug = self.kwargs.get('slug'))
+		if(not has_object_permission('delete_subject', self.request.user, subject)):
+			return self.handle_no_permission()
+		return super(DeleteSubjectView, self).dispatch(*args, **kwargs)
+
+
 	def get_context_data(self, **kwargs):
 		context = super(DeleteSubjectView, self).get_context_data(**kwargs)
 		context['course'] = self.object.course
...	...	@@ -0,0 +1,32 @@
	1	+from rolepermissions.permissions import register_object_checker
	2	+from amadeus.roles import SystemAdmin
	3	+
	4	+@register_object_checker()
	5	+def edit_topic(role, user, topic):
	6	+ if (role == SystemAdmin):
	7	+ return True
	8	+
	9	+ if (user == topic.owner):
	10	+ return True
	11	+
	12	+ return False
	13	+
	14	+@register_object_checker()
	15	+def edit_subject(role, user, subject):
	16	+ if (role == SystemAdmin):
	17	+ return True
	18	+
	19	+ if (user in subject.professors.all()):
	20	+ return True
	21	+
	22	+ return False
	23	+
	24	+@register_object_checker()
	25	+def delete_subject(role, user, subject):
	26	+ if (role == SystemAdmin):
	27	+ return True
	28	+
	29	+ if (user in subject.professors.all()):
	30	+ return True
	31	+
	32	+ return False
...	...
...	...	@@ -10,6 +10,7 @@ from django.utils.translation import ugettext_lazy as _
10	10	from slugify import slugify
11	11	from rolepermissions.verifications import has_role
12	12	from django.db.models import Q
	13	+from rolepermissions.verifications import has_object_permission
13	14
14	15	from .forms import CourseForm, CategoryForm, SubjectForm,TopicForm
15	16	from .models import Course, Subject, Category,Topic
...	...	@@ -223,7 +224,7 @@ class SubjectsView(LoginRequiredMixin, generic.ListView):
223	224
224	225	class CreateTopicView(LoginRequiredMixin, HasRoleMixin, NotificationMixin, generic.edit.CreateView):
225	226
226		- allowed_roles = ['professor', 'system_admin','student']
	227	+ allowed_roles = ['professor', 'system_admin']
227	228	login_url = reverse_lazy("core:home")
228	229	redirect_field_name = 'next'
229	230	template_name = 'topic/create.html'
...	...	@@ -254,12 +255,18 @@ class CreateTopicView(LoginRequiredMixin, HasRoleMixin, NotificationMixin, gener
254	255
255	256	class UpdateTopicView(LoginRequiredMixin, HasRoleMixin, generic.UpdateView):
256	257
257		- allowed_roles = ['professor', 'system_admin','student']
	258	+ allowed_roles = ['professor','system_admin']
258	259	login_url = reverse_lazy("core:home")
259	260	redirect_field_name = 'next'
260	261	template_name = 'topic/update.html'
261	262	form_class = TopicForm
262	263
	264	+ def dispatch(self, args, *kwargs):
	265	+ topic = get_object_or_404(Topic, slug = self.kwargs.get('slug'))
	266	+ if(not has_object_permission('edit_topic', self.request.user, topic)):
	267	+ return self.handle_no_permission()
	268	+ return super(UpdateTopicView, self).dispatch(args, *kwargs)
	269	+
263	270	def get_object(self, queryset=None):
264	271	return get_object_or_404(Topic, slug = self.kwargs.get('slug'))
265	272
...	...	@@ -315,6 +322,12 @@ class UpdateSubjectView(LoginRequiredMixin, HasRoleMixin, generic.UpdateView):
315	322	template_name = 'subject/update.html'
316	323	form_class = SubjectForm
317	324
	325	+ def dispatch(self, args, *kwargs):
	326	+ subject = get_object_or_404(Subject, slug = self.kwargs.get('slug'))
	327	+ if(not has_object_permission('edit_subject', self.request.user, subject)):
	328	+ return self.handle_no_permission()
	329	+ return super(UpdateSubjectView, self).dispatch(args, *kwargs)
	330	+
318	331	def get_object(self, queryset=None):
319	332	context = get_object_or_404(Subject, slug = self.kwargs.get('slug'))
320	333	return context
...	...	@@ -339,6 +352,13 @@ class DeleteSubjectView(LoginRequiredMixin, HasRoleMixin, generic.DeleteView):
339	352	model = Subject
340	353	template_name = 'subject/delete.html'
341	354
	355	+ def dispatch(self, args, *kwargs):
	356	+ subject = get_object_or_404(Subject, slug = self.kwargs.get('slug'))
	357	+ if(not has_object_permission('delete_subject', self.request.user, subject)):
	358	+ return self.handle_no_permission()
	359	+ return super(DeleteSubjectView, self).dispatch(args, *kwargs)
	360	+
	361	+
342	362	def get_context_data(self, **kwargs):
343	363	context = super(DeleteSubjectView, self).get_context_data(**kwargs)
344	364	context['course'] = self.object.course
...	...