diff -r 6180b32d990f -r ba3d399ec9be app/soc/views/helper/access.py
--- a/app/soc/views/helper/access.py Fri Dec 12 00:35:51 2008 +0000
+++ b/app/soc/views/helper/access.py Fri Dec 12 23:28:18 2008 +0000
@@ -26,6 +26,7 @@
 __authors__ = [
 '"Todd Larsen" ',
 '"Sverre Rabbelier" ',
+ '"Lennard de Rijk" ',
 '"Pawel Solyga" ',
 ]
@@ -38,6 +39,7 @@
 from soc.logic import accounts
 from soc.logic import dicts
 from soc.logic.models import host as host_logic
+from soc.logic.models import notification as notification_logic
 from soc.logic.models import user as user_logic
 from soc.logic.models import request as request_logic
 from soc.views import helper
@@ -318,6 +320,54 @@
 raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
+def checkIsMyNotification(request):
+ """Returns an alternate HTTP response if this request is for a Notification belonging
+ to the current user.
+
+ Args:
+ request: a Django HTTP request
+
+ Raises:
+ AccessViolationResponse: if the required authorization is not met
+
+ Returns:
+ None if the current User is allowed to access this Notification.
+ """
+
+ try:
+ # if the current user is a developer we allow access
+ checkIsDeveloper(request)
+ return
+ except out_of_band.Error:
+ pass
+
+ checkIsUser(request)
+
+ splitpath = request.path.split('/')
+ splitpath = splitpath[1:] # cut off leading ''
+
+ # get the notification scope (user link_id) from the request path
+ user_link_id = splitpath[2]
+ # get the notification link_id from the request path
+ notification_link_id = splitpath[3]
+
+ properties = {
+ 'link_id': notification_link_id,
+ 'scope_path': user_link_id,
+ }
+
+ notification = notification_logic.logic.getForFields(properties, unique=True)
+
+ user = user_logic.logic.getForFields(
+ {'account': users.get_current_user()}, unique=True)
+
+ # check if the key of the current user matches the key from the scope of the message
+ if user.key() == notification.scope.key():
+ # access granted
+ return None
+ else:
+ # access denied
+ deny(request)
 def checkCanInvite(request):
 """Checks to see if the current user can create an invite
@@ -360,7 +410,6 @@
 # Perform the access check
 helper.access.checkAccess(access_type, request, rights=params['rights'])
-
 def checkIsDocumentPublic(request):
 """Checks whether a document is public.
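Review bot: `notification.scope.key()` at the end of checkIsMyNotification dereferences the result of `notification_logic.logic.getForFields(properties, unique=True)` without checking it, so a request whose path names a notification that does not exist would presumably raise AttributeError (a server error) rather than the AccessViolationResponse the docstring promises; add `if not notification: deny(request)` before the comparison so a missing entity is an explicit denial. The same failure mode exists for `splitpath[2]` and `splitpath[3]`, which raise IndexError on a shorter path, and the hard-coded positions also tie the check to one URL layout, so a guard on `len(splitpath)` (or deriving link_id and scope_path from the matched URL rather than by position) would be more robust. Minor style point: the developer branch uses a bare `return` while the granted branch uses `return None`; pick one. checkCanInvite, whose docstring opens the final context lines, continues outside the hunk.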