# HG changeset patch # User Sverre Rabbelier # Date 1234562050 0 # Node ID 9567bb475d6dcbe13b6c47546183cd0c8ca3e095 # Parent b736aed728c22a4040b18a1fc86ff0c48401681b Do access checks on the pick url for documents Patch by: Sverre Rabbelier diff -r b736aed728c2 -r 9567bb475d6d app/soc/views/helper/access.py --- a/app/soc/views/helper/access.py Fri Feb 13 21:53:42 2009 +0000 +++ b/app/soc/views/helper/access.py Fri Feb 13 21:54:10 2009 +0000 @@ -114,6 +114,9 @@ DEF_PAGE_DENIED_MSG = ugettext( 'Access to this page has been restricted') +DEF_PREFIX_NOT_IN_ARGS_MSG = ugettext( + 'A required GET url argument ("prefix") was not specified') + DEF_PAGE_INACTIVE_MSG = ugettext( 'This page is inactive at this time') @@ -938,6 +941,35 @@ self.checkMembership('write', document.prefix, document.write_access, django_args) + @allowDeveloper + def checkDocumentPick(self, django_args): + """Checks whether the user has access to the specified pick url. + + Will update the 'read_access' field of django_args['GET']. + """ + + get_args = django_args['GET'] + + # make mutable in order to inject the proper read_access filter + mutable = get_args._mutable + get_args._mutable = True + + if 'prefix' not in get_args: + raise out_of_band.AccessViolation(message_fmt=DEF_PREFIX_NOT_IN_ARGS_MSG) + + prefix = get_args['prefix'] + + checker = rights_logic.Checker(prefix) + memberships = checker.getMemberships() + + roles = [] + for key, value in memberships.iteritems(): + if self.hasMembership(value, django_args): + roles.append(key) + + get_args.setlist('read_access', roles) + get_args._mutable = mutable + def checkCanEditTimeline(self, django_args): """Checks whether this program's timeline may be edited. """ diff -r b736aed728c2 -r 9567bb475d6d app/soc/views/models/document.py --- a/app/soc/views/models/document.py Fri Feb 13 21:53:42 2009 +0000 +++ b/app/soc/views/models/document.py Fri Feb 13 21:54:10 2009 +0000 
@@ -65,6 +65,7 @@ rights['create'] = ['checkIsUser'] rights['edit'] = ['checkIsDocumentWritable'] rights['delete'] = ['checkIsDocumentWritable'] + rights['pick'] = ['checkDocumentPick'] new_params = {} new_params['logic'] = document_logic
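Review bot: in the `@@ -938,6 +941,35 @@` hunk of `app/soc/views/helper/access.py`, the `'prefix' not in get_args` check raises `AccessViolation` after `get_args._mutable = True` has been set, so the original mutability of `django_args['GET']` is never restored on that path. Move the prefix check above the `mutable = get_args._mutable` / `get_args._mutable = True` pair, or wrap the body in `try: ... finally: get_args._mutable = mutable`. Poking `_mutable` is also a private QueryDict detail; `get_args.copy()` returns a mutable copy and would avoid it, at the cost of reassigning `django_args['GET']`. Two further points on the same function: it is decorated with `@allowDeveloper` while the neighbouring checkers are not, and if that decorator short-circuits the check for developers then `read_access` is never injected for them and any `read_access` values the client put in the query string pass through untouched, so consider applying the filter part unconditionally and only relaxing the membership test; and the docstring should state that the method raises `AccessViolation` when `prefix` is absent and that `setlist('read_access', roles)` deliberately replaces any client-supplied `read_access` values (which is the security-relevant behaviour here). It is also worth confirming what `rights_logic.Checker(prefix)` does for a prefix value the client made up, and what the pick view does with an empty `roles` list.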
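Review bot: in the `@@ -65,6 +65,7 @@` hunk of `app/soc/views/models/document.py`, `rights['pick'] = ['checkDocumentPick']` only has an effect if the pick view reads its `read_access` filter from `django_args['GET']` after the rights checks have run, since `checkDocumentPick` works by side effect on that dict rather than by returning anything; please confirm the pick view does so and does not build its filter from the raw request earlier. As a style point, the surrounding entries follow the `checkIs...` naming (`checkIsUser`, `checkIsDocumentWritable`); `checkDocumentPick` breaks that pattern, so either rename it or add a short comment explaining that it is a filter-injecting check rather than a pass/fail predicate.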