48 |
48 |
49 DEF_NO_USER_LOGIN_MSG_FMT = ugettext_lazy( |
49 DEF_NO_USER_LOGIN_MSG_FMT = ugettext_lazy( |
50 'Please create <a href="/user/edit">User Profile</a>' |
50 'Please create <a href="/user/edit">User Profile</a>' |
51 ' in order to view this page.') |
51 ' in order to view this page.') |
52 |
52 |
|
53 DEF_AGREE_TO_TOS_MSG_FMT = ugettext_lazy( |
|
54 'You must agree to the <a href="%(tos_link)s">site-wide Terms of' |
|
55 ' Service</a> in your <a href="/user/edit">User Profile</a>' |
|
56 ' in order to view this page.') |
|
57 |
53 DEF_DEV_LOGOUT_LOGIN_MSG_FMT = ugettext_lazy( |
58 DEF_DEV_LOGOUT_LOGIN_MSG_FMT = ugettext_lazy( |
54 'Please <a href="%%(sign_out)s">sign out</a>' |
59 'Please <a href="%%(sign_out)s">sign out</a>' |
55 ' and <a href="%%(sign_in)s">sign in</a>' |
60 ' and <a href="%%(sign_in)s">sign in</a>' |
56 ' again as %(role)s to view this page.') |
61 ' again as %(role)s to view this page.') |
57 |
62 |
99 for check in rights[access_type]: |
104 for check in rights[access_type]: |
100 check(request, args, kwargs) |
105 check(request, args, kwargs) |
101 |
106 |
102 |
107 |
103 def allow(request, args, kwargs): |
108 def allow(request, args, kwargs): |
104 """Never returns an alternate HTTP response. |
109 """Never raises an alternate HTTP response. (an access no-op, basically) |
105 |
110 |
106 Args: |
111 Args: |
107 request: a Django HTTP request |
112 request: a Django HTTP request |
108 """ |
113 """ |
109 |
|
110 return |
114 return |
111 |
115 |
112 |
116 |
113 def deny(request, args, kwargs): |
117 def deny(request, args, kwargs): |
114 """Returns an alternate HTTP response. |
118 """Always raises an alternate HTTP response. |
115 |
119 |
116 Args: |
120 Args: |
117 request: a Django HTTP request |
121 request: a Django HTTP request |
118 |
122 |
119 Returns: |
123 Raises: |
120 a subclass of django.http.HttpResponse which contains the |
124 always raises AccessViolationResponse if called |
121 alternate response that should be returned by the calling view. |
125 """ |
122 """ |
|
123 |
|
124 context = {} |
126 context = {} |
125 context['title'] = 'Access denied' |
127 context['title'] = 'Access denied' |
126 |
128 |
127 raise out_of_band.AccessViolation(DEF_PAGE_DENIED_MSG, context=context) |
129 raise out_of_band.AccessViolation(DEF_PAGE_DENIED_MSG, context=context) |
128 |
130 |
129 |
131 |
130 def checkIsLoggedIn(request, args, kwargs): |
132 def checkIsLoggedIn(request, args, kwargs): |
131 """Returns an alternate HTTP response if Google Account is not logged in. |
133 """Raises an alternate HTTP response if Google Account is not logged in. |
132 |
134 |
133 Args: |
135 Args: |
134 request: a Django HTTP request |
136 request: a Django HTTP request |
135 |
137 |
136 Raises: |
138 Raises: |
137 AccessViolationResponse: if the required authorization is not met |
139 AccessViolationResponse: |
138 |
140 * if no Google Account is even logged in |
139 Returns: |
141 """ |
140 None if the user is logged in, or a subclass of |
|
141 django.http.HttpResponse which contains the alternate response |
|
142 that should be returned by the calling view. |
|
143 """ |
|
144 |
|
145 if users.get_current_user(): |
142 if users.get_current_user(): |
146 return |
143 return |
147 |
144 |
148 raise out_of_band.LoginRequest() |
145 raise out_of_band.LoginRequest() |
149 |
146 |
150 |
147 |
151 def checkNotLoggedIn(request, args, kwargs): |
148 def checkNotLoggedIn(request, args, kwargs): |
152 """Returns an alternate HTTP response if Google Account is not logged in. |
149 """Raises an alternate HTTP response if Google Account is logged in. |
153 |
150 |
154 Args: |
151 Args: |
155 request: a Django HTTP request |
152 request: a Django HTTP request |
156 |
153 |
157 Raises: |
154 Raises: |
158 AccessViolationResponse: if the required authorization is not met |
155 AccessViolationResponse: |
159 |
156 * if a Google Account is currently logged in |
160 Returns: |
157 """ |
161 None if the user is logged in, or a subclass of |
|
162 django.http.HttpResponse which contains the alternate response |
|
163 that should be returned by the calling view. |
|
164 """ |
|
165 |
|
166 if not users.get_current_user(): |
158 if not users.get_current_user(): |
167 return |
159 return |
168 |
160 |
169 raise out_of_band.LoginRequest(message_fmt=DEF_LOGOUT_MSG_FMT) |
161 raise out_of_band.LoginRequest(message_fmt=DEF_LOGOUT_MSG_FMT) |
170 |
162 |
171 |
163 |
172 def checkIsUser(request, args, kwargs): |
164 def checkIsUser(request, args, kwargs): |
173 """Returns an alternate HTTP response if Google Account has no User entity. |
165 """Raises an alternate HTTP response if Google Account has no User entity. |
174 |
166 |
175 Args: |
167 Args: |
176 request: a Django HTTP request |
168 request: a Django HTTP request |
177 |
169 |
178 Raises: |
170 Raises: |
179 AccessViolationResponse: if the required authorization is not met |
171 AccessViolationResponse: |
180 |
172 * if no User exists for the logged-in Google Account, or |
181 Returns: |
173 * if no Google Account is logged in at all |
182 None if User exists for a Google Account, or a subclass of |
174 """ |
183 django.http.HttpResponse which contains the alternate response |
|
184 should be returned by the calling view. |
|
185 """ |
|
186 |
|
187 checkIsLoggedIn(request, args, kwargs) |
175 checkIsLoggedIn(request, args, kwargs) |
188 |
176 |
189 user = user_logic.getForFields({'account': users.get_current_user()}, |
177 user = user_logic.getForFields({'account': users.get_current_user()}, |
190 unique=True) |
178 unique=True) |
191 |
179 |
193 return |
181 return |
194 |
182 |
195 raise out_of_band.LoginRequest(message_fmt=DEF_NO_USER_LOGIN_MSG_FMT) |
183 raise out_of_band.LoginRequest(message_fmt=DEF_NO_USER_LOGIN_MSG_FMT) |
196 |
184 |
197 |
185 |
|
186 def checkAgreesToSiteToS(request): |
|
187 """Raises an alternate HTTP response if User has not agreed to site-wide ToS. |
|
188 |
|
189 Args: |
|
190 request: a Django HTTP request |
|
191 |
|
192 Raises: |
|
193 AccessViolationResponse: |
|
194 * if User has not agreed to the site-wide ToS, or |
|
195 * if no User exists for the logged-in Google Account, or |
|
196 * if no Google Account is logged in at all |
|
197 """ |
|
198 checkIsUser(request) |
|
199 |
|
200 user = user_logic.getForFields({'account': users.get_current_user()}, |
|
201 unique=True) |
|
202 |
|
203 if user_logic.agreesToSiteToS(user): |
|
204 return |
|
205 |
|
206 # Would not reach this point of site-wide ToS did not exist, since |
|
207 # agreesToSiteToS() call above always returns True if no ToS is in effect. |
|
208 login_msg_fmt = DEF_AGREE_TO_TOS_MSG_FMT % { |
|
209 'tos_link': 'TODO(tlarsen): fix circular import first to make this work'} |
|
210 |
|
211 raise out_of_band.LoginRequest(message_fmt=login_msg_fmt) |
|
212 |
|
213 |
198 def checkIsDeveloper(request, args, kwargs): |
214 def checkIsDeveloper(request, args, kwargs): |
199 """Returns an alternate HTTP response if Google Account is not a Developer. |
215 """Raises an alternate HTTP response if Google Account is not a Developer. |
200 |
216 |
201 Args: |
217 Args: |
202 request: a Django HTTP request |
218 request: a Django HTTP request |
203 |
219 |
204 Raises: |
220 Raises: |
205 AccessViolationResponse: if the required authorization is not met |
221 AccessViolationResponse: |
206 |
222 * if User is not a Developer, or |
207 Returns: |
223 * if no User exists for the logged-in Google Account, or |
208 None if Google Account is logged in and logged-in user is a Developer, |
224 * if no Google Account is logged in at all |
209 or a subclass of django.http.HttpResponse which contains the alternate |
225 """ |
210 response should be returned by the calling view. |
|
211 """ |
|
212 |
|
213 checkIsUser(request, args, kwargs) |
226 checkIsUser(request, args, kwargs) |
214 |
227 |
215 if accounts.isDeveloper(account=users.get_current_user()): |
228 if accounts.isDeveloper(account=users.get_current_user()): |
216 return |
229 return |
217 |
230 |