Added and enabled access check for viewing SurveyRecords.
authorLennard de Rijk <ljvderijk@gmail.com>
Wed, 05 Aug 2009 22:00:08 +0200
changeset 2733 054a2227249c
parent 2732 16ba61efc108
child 2734 f35f6f05c8c4
Added and enabled access check for viewing SurveyRecords. Note that viewing ProjectSurveys or ProjectGradingSurveys is still developer-only.
app/soc/views/helper/access.py
app/soc/views/models/survey.py
--- a/app/soc/views/helper/access.py	Wed Aug 05 16:52:08 2009 +0200
+++ b/app/soc/views/helper/access.py	Wed Aug 05 22:00:08 2009 +0200
@@ -1579,6 +1579,43 @@
 
   @denySidebar
   @allowDeveloper
+  def checkIsMySurveyRecord(self, django_args, survey_logic, id_field):
+    """Checks if the SurveyRecord given in the GET arguments as id_field is
+    from the current user.
+
+    Args:
+      django_args: a dictionary with django's arguments
+      survey_logic: Survey Logic which contains the needed Record logic
+      id_field: name of the field in the GET dictionary that contains the Record ID.
+
+    Raises:
+      AccesViolation if:
+        - There is no valid numeric record ID present in the GET dict
+        - There is no SurveyRecord with the found ID
+        - The SurveyRecord has not been taken by the current user
+    """
+
+    self.checkIsUser(django_args)
+    user_entity = self.user
+
+    get_dict = django_args['GET']
+    record_id = get_dict.get(id_field)
+
+    if not record_id or not record_id.isdigit():
+      raise out_of_band.AccessViolation(
+          message_fmt='No valid numeric record ID given')
+    else:
+      record_id = int(record_id)
+
+    record_logic = survey_logic.getRecordLogic()
+    record_entity = record_logic.getFromIDOr404(record_id)
+
+    if record_entity.user.key() != user_entity.key():
+      raise out_of_band.AccessViolation(
+          message_fmt='This is not your SurveyRecord')
+
+  @denySidebar
+  @allowDeveloper
   def checkIsSurveyWritable(self, django_args, survey_logic,
                             key_name_field=None):
     """Checks whether a survey is writable.
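Review bot: checkIsMySurveyRecord compares only the record's owner with the current user and never checks that the record returned by `getFromIDOr404(record_id)` belongs to the survey named in the request. In the survey.py hunk this check is one alternative under `checkHasAny`, next to `checkIsSurveyReadable`, so if `checkHasAny` passes on the first successful check (its body is not shown here), read access to a single survey would be enough to reach the record view with any record ID. It is worth confirming that this check or the view also compares the record's survey with the requested one, and that survey readers are meant to see every record. Separately, `isdigit()` accepts some non-ASCII digit characters on unicode input that `int()` rejects, so `int(record_id)` should be wrapped in a try/except for ValueError that raises the same AccessViolation. The docstring also spells the exception `AccesViolation` and promises it for a missing record, where the helper's name suggests a 404 is raised instead.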
--- a/app/soc/views/models/survey.py	Wed Aug 05 16:52:08 2009 +0200
+++ b/app/soc/views/models/survey.py	Wed Aug 05 22:00:08 2009 +0200
@@ -106,7 +106,10 @@
     rights['delete'] = ['checkIsDeveloper'] # TODO: fix deletion of Surveys
     rights['list'] = ['checkDocumentList']
     rights['pick'] = ['checkDocumentPick']
-    rights['record'] = ['checkIsDeveloper'] # TODO: proper access check
+    rights['record'] = [('checkHasAny', [
+        [('checkIsSurveyReadable', [survey_logic]),
+         ('checkIsMySurveyRecord', [survey_logic, 'id'])]
+        ])]
     rights['results'] = ['checkIsDeveloper'] # TODO: proper access check
     rights['take'] = [('checkIsSurveyTakeable', survey_logic)]