# HG changeset patch
# User Lennard de Rijk
# Date 1246718648 -7200
# Node ID 9f1b7aba026f636027f56cf09417c3cb449bab52
# Parent d987dc40ea5d35089b56099c8951543d30fabe14
Added access checks for taking a Project(Grading)Survey.

diff -r d987dc40ea5d -r 9f1b7aba026f app/soc/views/helper/access.py
--- a/app/soc/views/helper/access.py	Sat Jul 04 16:23:00 2009 +0200
+++ b/app/soc/views/helper/access.py	Sat Jul 04 16:44:08 2009 +0200
@@ -147,8 +147,8 @@
 DEF_GROUP_NOT_FOUND_MSG = ugettext(
     'The requested Group can not be found.')
 
-DEF_NO_ACTIVE_STUDENT_PROJECT_MSG = ugettext(
-    'There is no active student project that would allow you to take this survey.')
+DEF_NOT_ALLOWED_PROJECT_FOR_SURVEY_MSG = ugettext(
+    'You are not allowed to take this Survey for the specified Student Project')
 
 DEF_USER_ACCOUNT_INVALID_MSG_FMT = ugettext(
     'The %(email)s account cannot be used with this site, for'
@@ -161,6 +161,22 @@
     '')
 
 
+
+class Error(Exception):
+  """Base class for all exceptions raised by this module.
+  """
+
+  pass
+
+
+class InvalidArgumentError(Error):
+  """Raised when an invalid argument is passed to a method.
+
+  For example, if an argument is None, but must always be non-False.
+  """
+
+  pass
+
+
 def allowSidebar(fun):
   """Decorator that allows access if the sidebar is calling.
   """
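Review bot: The new `DEF_NOT_ALLOWED_PROJECT_FOR_SURVEY_MSG` text drops the trailing period that its neighbour `DEF_GROUP_NOT_FOUND_MSG` carries, so the two messages render inconsistently; `'You are not allowed to take this Survey for the specified Student Project.'` keeps them aligned. The hunk also removes `DEF_NO_ACTIVE_STUDENT_PROJECT_MSG` outright; the only use visible on this page is the commented-out raise deleted in the second access.py hunk, so any other reference elsewhere in the file would now fail at import time and is worth a search before landing.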
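Review bot: The `pass` statements in `Error` and `InvalidArgumentError` are redundant once the class body has a docstring, so both classes can consist of the docstring alone. The example sentence in the `InvalidArgumentError` docstring reads awkwardly; `For example, when an argument is None but must always be truthy.` says the same thing more plainly. Because this error signals a mistake in a rights table rather than a user action, callers presumably let it propagate instead of mapping it to an access-denied response; if that is the intended contract, stating it in the docstring saves the next reader from guessing.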
@@ -1635,10 +1651,40 @@
     where the key for the project can be located.
     """
 
-    # TODO(ljvderijk) implement this check
-    #raise out_of_band.AccessViolation(message_fmt=DEF_NO_ACTIVE_STUDENT_PROJECT_MSG)
+    if not role_name in ['mentor', 'student']:
+      raise InvalidArgumentError('role_name is not mentor or student')
+
+    # get the project keyname from the GET dictionary
+    get_dict= django_args['GET']
+    key_name = get_dict.get(project_key_location)
+
+    if not key_name:
+      # no key name present so no need to deny access
+      return
+
+    # retrieve the Student Project for the key
+    entity = student_project_logic.getFromKeyNameOr404(key_name)
 
-    self.allow(django_args)
+    # TODO(ljvderijk) change this to cope with multiple surveys for one project
+    # check if a survey can be conducted about this project
+    if entity.status != 'accepted':
+      raise out_of_band.AccessViolation(
+          message_fmt=DEF_NOT_ALLOWED_PROJECT_FOR_SURVEY_MSG)
+
+    # get the correct role depending on the role_name
+    role_entity = getattr(entity, role_name)
+    user_entity = user_logic.getForCurrentAccount()
+
+    # check if the role matches the current user
+    if (not user_entity) or (role_entity.user.key() != user_entity.key()):
+      raise out_of_band.AccessViolation(
+          message_fmt=DEF_NOT_ALLOWED_PROJECT_FOR_SURVEY_MSG)
+
+    # check if the role is active
+    if role_entity.status != 'active':
+      raise out_of_band.AccessViolation(message_fmt=DEF_NEED_ROLE_MSG)
+
+    return
 
   @allowSidebar
   @allowDeveloper
diff -r d987dc40ea5d -r 9f1b7aba026f app/soc/views/models/grading_project_survey.py
--- a/app/soc/views/models/grading_project_survey.py	Sat Jul 04 16:23:00 2009 +0200
+++ b/app/soc/views/models/grading_project_survey.py	Sat Jul 04 16:44:08 2009 +0200
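Review bot: The `if not key_name: return` branch makes this check fail open: a take request that omits the `project` query parameter passes the guard with no project or role verified at all, and the preceding `checkIsSurveyTakeable` entry only covers the survey itself. Unless the take view legitimately serves a keyless request (in which case the comment should name that path), the safer form is `if not key_name: raise out_of_band.AccessViolation(message_fmt=DEF_NOT_ALLOWED_PROJECT_FOR_SURVEY_MSG)`. Separately, `getattr(entity, role_name)` presumably returns None for a project whose mentor or student reference is unset (not visible here), and `role_entity.user.key()` then raises AttributeError instead of denying access; `if (not user_entity) or (not role_entity) or (role_entity.user.key() != user_entity.key()):` closes that gap. On style, `if role_name not in ('mentor', 'student'):` and `get_dict = django_args['GET']` match the rest of the file. The definition of checkIsAllowedToTakeProjectSurveyAs begins before this hunk, so its parameter list is not visible here.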
@@ -55,8 +55,9 @@
     rights['edit'] = [('checkIsSurveyWritable', grading_survey_logic)]
     rights['delete'] = ['checkIsDeveloper'] # TODO: fix deletion of Surveys
     rights['list'] = ['checkDocumentList']
-    # TODO(ljvderijk) add Project check
-    rights['take'] = [('checkIsSurveyTakeable', grading_survey_logic)]
+    rights['take'] = [('checkIsSurveyTakeable', grading_survey_logic),
+                      ('checkIsAllowedToTakeProjectSurveyAs',
+                       [grading_survey_logic, 'mentor', 'project'])]
 
     new_params = {}
     new_params['logic'] = grading_survey_logic
diff -r d987dc40ea5d -r 9f1b7aba026f app/soc/views/models/project_survey.py
--- a/app/soc/views/models/project_survey.py	Sat Jul 04 16:23:00 2009 +0200
+++ b/app/soc/views/models/project_survey.py	Sat Jul 04 16:44:08 2009 +0200
@@ -52,8 +52,10 @@
     rights['edit'] = [('checkIsSurveyWritable', project_survey_logic)]
     rights['delete'] = ['checkIsDeveloper'] # TODO: fix deletion of Surveys
     rights['list'] = ['checkDocumentList']
-    # TODO(ljvderijk) add Project check
-    rights['take'] = [('checkIsSurveyTakeable', project_survey_logic)]
+    rights['take'] = [('checkIsSurveyTakeable', project_survey_logic),
+                      ('checkIsAllowedToTakeProjectSurveyAs',
+                       [project_survey_logic, 'student', 'project'])]
+
 
     new_params = {}
     new_params['logic'] = project_survey_logic
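Review bot: The new `rights['take']` entry hands `checkIsAllowedToTakeProjectSurveyAs` a three-element list `[grading_survey_logic, 'mentor', 'project']`, whereas the sibling `checkIsSurveyTakeable` entry passes a single logic object; how the rights machinery spreads a list into the check's positional parameters is not visible on this page, so confirm the checker receives `survey_logic, role_name, project_key_location` in that order rather than one list argument. The visible body of the check in access.py never reads its survey-logic argument, so the first list element may be dead weight; if so, dropping it from both tables and the signature removes a misleading coupling. The same applies to the project_survey.py hunk, which additionally adds a second blank line before `new_params = {}` that grading_project_survey.py does not have.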