diff -r 054a2227249c -r f35f6f05c8c4 app/soc/views/helper/access.py --- a/app/soc/views/helper/access.py Wed Aug 05 22:00:08 2009 +0200 +++ b/app/soc/views/helper/access.py Thu Aug 06 10:48:44 2009 +0200 @@ -151,6 +151,12 @@ 'You are not allowed to take this Survey for the specified Student' ' Project.') +DEF_NO_VALID_RECORD_ID = ugettext('No valid numeric record ID given.') + +DEF_NOT_YOUR_RECORD = ugettext( + 'This is not your Survey Record. If you feel you should have access to ' + 'this page please notify the administrators.') + DEF_USER_ACCOUNT_INVALID_MSG_FMT = ugettext( 'The %(email)s account cannot be used with this site, for' ' one or more of the following reasons:' @@ -1603,7 +1609,7 @@ if not record_id or not record_id.isdigit(): raise out_of_band.AccessViolation( - message_fmt='No valid numeric record ID given') + message_fmt=DEF_NO_VALID_RECORD_ID) else: record_id = int(record_id) @@ -1612,7 +1618,7 @@ if record_entity.user.key() != user_entity.key(): raise out_of_band.AccessViolation( - message_fmt='This is not your SurveyRecord') + message_fmt=DEF_NOT_YOUR_RECORD) @denySidebar @allowDeveloper @@ -1731,7 +1737,7 @@ user_entity = self.user # get the project keyname from the GET dictionary - get_dict= django_args['GET'] + get_dict = django_args['GET'] key_name = get_dict.get(project_key_location) if not key_name: @@ -1753,7 +1759,8 @@ role_entity = project_entity.mentor # check if the role matches the current user - if role_entity.user.key() != user_entity.key(): + if role_entity.user.key() != user_entity.key() and ( + role_entity.status == 'active'): if role_name == 'student': raise out_of_band.AccessViolation( message_fmt=DEF_NOT_ALLOWED_PROJECT_FOR_SURVEY_MSG) @@ -1773,6 +1780,77 @@ return + @denySidebar + @allowDeveloper + def checkIsAllowedToViewProjectSurveyRecordAs( + self, django_args, survey_logic, role_name, record_key_location): + """Checks wether the current user is allowed to view the record given in + the GET data by the record_key_location. + + Args: + django_args: a dictionary with django's arguments + survey_logic: Survey Logic instance that belongs to the SurveyRecord + type in question + role_name: string containing either "student" or "mentor". Determines + which of the roles the within the project the current user should have + to view the evaluation results. + record_key_location: string containing the name of the GET param which + contains the id for the SurveyRecord to retrieve + + Raises: + AccessViolation if: + - No valid numeric Record ID is given in the POST data. + - No Record could be retrieved for the given Record ID. + - The current user has not taken the survey, is not the Student/Mentor + (depending on the role_name) and is not an Org Admin for the project + to which the SurveyRecord belongs. + """ + + if not role_name in ['mentor', 'student']: + raise InvalidArgumentError('role_name is not mentor or student') + + self.checkIsUser(django_args) + user_entity = self.user + + get_dict = django_args['GET'] + record_id = get_dict.get(record_key_location) + + if not record_id or not record_id.isdigit(): + raise out_of_band.AccessViolation( + message_fmt=DEF_NO_VALID_RECORD_ID) + else: + record_id = int(record_id) + + record_logic = survey_logic.getRecordLogic() + record_entity = record_logic.getFromIDOr404(record_id) + + if record_entity.user.key() == user_entity.key(): + # this record belongs to the current user + return + + if role_name == 'student': + role_entity = record_entity.project.student + elif role_name == 'mentor': + role_entity = record_entity.project.mentor + + if role_entity.user.key() == user_entity.key() and ( + role_entity.status == 'active'): + # this user has the role required + return + + fields = {'user': user_entity, + 'scope': record_entity.org, + 'status': 'active'} + admin_entity = org_admin_logic.getForFields(fields, unique=True) + + if admin_entity: + # this user is org admin for the retrieved record's project + return + + # The current user is no Org Admin, has not taken the Survey and is not + # the one responsible for taking this survey. + raise out_of_band.AccessViolation(message_fmt=DEF_NOT_YOUR_RECORD) + @allowSidebar @allowDeveloper def checkIsDocumentReadable(self, django_args, key_name_field=None):