# HG changeset patch # User Sverre Rabbelier # Date 1237752799 0 # Node ID d826f7aed8f2aca3c49b5d2535a2aefef4dc8180 # Parent dd0ba04ef58968417462fe61fc70bd8419fb47fd Make sure the user has restricted rights to create a new document This way users cannot create a document in a scope they should not have direct access to. Patch by: Sverre Rabbelier diff -r dd0ba04ef589 -r d826f7aed8f2 app/soc/logic/cleaning.py --- a/app/soc/logic/cleaning.py Sun Mar 22 18:05:10 2009 +0000 +++ b/app/soc/logic/cleaning.py Sun Mar 22 20:13:19 2009 +0000 @@ -612,7 +612,7 @@ return wrapper -def validate_document_acl(view): +def validate_document_acl(view, creating=False): """Validates that the document ACL settings are correct. """ @@ -632,36 +632,48 @@ raise forms.ValidationError( "Read access should be less strict than write access.") - validate_access(self, view, 'read_access') - validate_access(self, view, 'write_access') + params = view.getParams() + rights = params['rights'] + + user = user_logic.getForCurrentAccount() + + rights.setCurrentUser(user.account, user) + + prefix = self.cleaned_data['prefix'] + scope_path = self.cleaned_data['scope_path'] + + validate_access(self, view, rights, prefix, scope_path, 'read_access') + validate_access(self, view, rights, prefix, scope_path, 'write_access') + + if creating and not has_access(rights, 'restricted', scope_path, prefix): + raise forms.ValidationError( + "You do not have the required access to create this document.") return cleaned_data return wrapper -def validate_access(self, view, field): + +def has_access(rights, access_level, scope_path, prefix): + """Checks whether the current user has the required access. + """ + + checker = rights_logic.Checker(prefix) + roles = checker.getMembership(access_level) + + django_args = { + 'scope_path': scope_path, + 'prefix': prefix, + } + + return rights.hasMembership(roles, django_args) + +def validate_access(self, view, rights, prefix, scope_path, field): """Validates that the user has access to the ACL for the specified fields. """ access_level = self.cleaned_data[field] - prefix = self.cleaned_data['prefix'] - scope_path = self.cleaned_data['scope_path'] - params = view.getParams() - rights = params['rights'] - - user = user_logic.getForCurrentAccount() - - rights.setCurrentUser(user.account, user) - checker = rights_logic.Checker(prefix) - - roles = checker.getMembership(access_level) - - django_args = { - 'scope_path': scope_path, - 'prefix': prefix - } - - if not rights.hasMembership(roles, django_args): + if not has_access(rights, access_level, scope_path, prefix): self._errors[field] = ErrorList([DEF_NO_RIGHTS_FOR_ACL_MSG]) del self.cleaned_data[field] diff -r dd0ba04ef589 -r d826f7aed8f2 app/soc/views/models/document.py --- a/app/soc/views/models/document.py Sun Mar 22 18:05:10 2009 +0000 +++ b/app/soc/views/models/document.py Sun Mar 22 20:13:19 2009 +0000 @@ -98,7 +98,7 @@ 'clean_content': cleaning.clean_html_content('content'), 'clean_link_id': cleaning.clean_link_id('link_id'), 'clean_scope_path': cleaning.clean_scope_path('scope_path'), - 'clean': cleaning.validate_document_acl(self), + 'clean': cleaning.validate_document_acl(self, True), } new_params['extra_dynaexclude'] = ['author', 'created', 'home_for', 'modified_by', 'modified'] @@ -109,6 +109,7 @@ widget=widgets.ReadOnlyInput(), required=False), 'last_modified_by': forms.fields.CharField( widget=widgets.ReadOnlyInput(), required=False), + 'clean': cleaning.validate_document_acl(self), } params = dicts.merge(params, new_params)