# HG changeset patch # User Lennard de Rijk # Date 1249502408 -7200 # Node ID 054a2227249c1e8fcff88d0448d91205bdddf59f # Parent 16ba61efc10833d57ad6daa82749cd24e869db7f Added and enabled access check for viewing SurveyRecords. Note that viewing ProjectSurveys or ProjectGradingSurveys are still dev only. diff -r 16ba61efc108 -r 054a2227249c app/soc/views/helper/access.py --- a/app/soc/views/helper/access.py Wed Aug 05 16:52:08 2009 +0200 +++ b/app/soc/views/helper/access.py Wed Aug 05 22:00:08 2009 +0200 @@ -1579,6 +1579,43 @@ @denySidebar @allowDeveloper + def checkIsMySurveyRecord(self, django_args, survey_logic, id_field): + """Checks if the SurveyRecord given in the GET arguments as id_field is + from the current user. + + Args: + django_args: a dictionary with django's arguments + survey_logic: Survey Logic which contains the needed Record logic + id_field: name of the field in the GET dictionary that contains the Record ID. + + Raises: + AccesViolation if: + - There is no valid numeric record ID present in the GET dict + - There is no SurveyRecord with the found ID + - The SurveyRecord has not been taken by the current user + """ + + self.checkIsUser(django_args) + user_entity = self.user + + get_dict = django_args['GET'] + record_id = get_dict.get(id_field) + + if not record_id or not record_id.isdigit(): + raise out_of_band.AccessViolation( + message_fmt='No valid numeric record ID given') + else: + record_id = int(record_id) + + record_logic = survey_logic.getRecordLogic() + record_entity = record_logic.getFromIDOr404(record_id) + + if record_entity.user.key() != user_entity.key(): + raise out_of_band.AccessViolation( + message_fmt='This is not your SurveyRecord') + + @denySidebar + @allowDeveloper def checkIsSurveyWritable(self, django_args, survey_logic, key_name_field=None): """Checks whether a survey is writable. diff -r 16ba61efc108 -r 054a2227249c app/soc/views/models/survey.py --- a/app/soc/views/models/survey.py Wed Aug 05 16:52:08 2009 +0200 
+++ b/app/soc/views/models/survey.py Wed Aug 05 22:00:08 2009 +0200 @@ -106,7 +106,10 @@ rights['delete'] = ['checkIsDeveloper'] # TODO: fix deletion of Surveys rights['list'] = ['checkDocumentList'] rights['pick'] = ['checkDocumentPick'] - rights['record'] = ['checkIsDeveloper'] # TODO: proper access check + rights['record'] = [('checkHasAny', [ + [('checkIsSurveyReadable', [survey_logic]), + ('checkIsMySurveyRecord', [survey_logic, 'id'])] + ])] rights['results'] = ['checkIsDeveloper'] # TODO: proper access check rights['take'] = [('checkIsSurveyTakeable', survey_logic)]
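Review bot: in the new checkIsMySurveyRecord in access.py, the docstring promises an AccessViolation when no SurveyRecord exists for the given ID, but `record_entity = record_logic.getFromIDOr404(record_id)` will, going by its name, raise a not-found (404) error instead, so the three documented cases do not match what the code does; either catch that case and re-raise it as `out_of_band.AccessViolation`, or correct the docstring (and fix the `AccesViolation` typo while there). Two smaller points in the same function: the record is looked up by `id` alone, through the record logic obtained from `survey_logic`, and nothing ties it to the survey named in the URL, so if the view renders the record in that survey's context the check should also compare the record's survey reference against the survey being viewed; and if `record_entity.user` can ever be unset, `record_entity.user.key()` fails with an AttributeError rather than the intended AccessViolation. The `else:` after the `raise` is unnecessary, since `record_id = int(record_id)` can follow the `if` block directly.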
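Review bot: in the new rights['record'] entry in survey.py, checkHasAny passes as soon as checkIsSurveyReadable succeeds, and that check never looks at the `id` argument, so any user allowed to read the survey can fetch any SurveyRecord by ID through this view, including other users' records and, since nothing links `id` to the survey key in the URL, records belonging to a different survey. If every record of a readable survey is meant to be public, say so in a comment next to the rights entry; otherwise checkIsMySurveyRecord should be the only path for non-developers, or the readable branch should be limited to records of that survey. Also, the argument style differs from the neighbouring `rights['take'] = [('checkIsSurveyTakeable', survey_logic)]`, which passes `survey_logic` bare while the new entries wrap it as `[survey_logic]`; confirm that checkHasAny unpacks an argument list for each inner check, because a mismatch here only shows up as a TypeError when the view is hit.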