--- a/app/soc/views/helper/access.py Sun Jan 25 00:01:19 2009 +0000
+++ b/app/soc/views/helper/access.py Sun Jan 25 00:02:41 2009 +0000
@@ -70,58 +70,54 @@
'Please <a href="%(sign_out)s">sign out</a> in order to view this page')
-def checkAccess(access_type, request, rights, args=None, kwargs=None):
+def checkAccess(access_type, rights, kwargs=None):
"""Runs all the defined checks for the specified type.
Args:
access_type: the type of request (such as 'list' or 'edit')
- request: the Django request object
rights: a dictionary containing access check functions
+ kwargs: a dictionary with django's arguments
Rights usage:
The rights dictionary is used to check if the current user is allowed
to view the page specified. The functions defined in this dictionary
- are always called with the django request object as argument. On any
- request, regardless of what type, the functions in the 'any_access' value
- are called. If the specified type is not in the rights dictionary, all
- the functions in the 'unspecified' value are called. When the specified
- type _is_ in the rights dictionary, all the functions in that access_type's
+ are always called with the provided kwargs dictionary as argument. On any
+ request, regardless of what type, the functions in the 'any_access' value
+ are called. If the specified type is not in the rights dictionary, all
+ the functions in the 'unspecified' value are called. When the specified
+ type _is_ in the rights dictionary, all the functions in that access_type's
value are called.
-
- Returns:
- True: If all the required access checks have been made successfully
- False: If a check failed, in this case self._response will contain
- the response provided by the failed access check.
"""
# Call each access checker
for check in rights['any_access']:
- check(request, args, kwargs)
+ check(kwargs)
if access_type not in rights:
for check in rights['unspecified']:
# No checks defined, so do the 'generic' checks and bail out
- check(request, args, kwargs)
+ check(kwargs)
return
for check in rights[access_type]:
- check(request, args, kwargs)
+ check(kwargs)
-def allow(request, args, kwargs):
+def allow(kwargs):
"""Never raises an alternate HTTP response. (an access no-op, basically).
Args:
- request: a Django HTTP request
+ kwargs: a dictionary with django's arguments
"""
+
return
-def deny(request, args, kwargs):
+def deny(kwargs):
"""Always raises an alternate HTTP response.
Args:
- request: a Django HTTP request
+ kwargs: a dictionary with django's arguments
Raises:
always raises AccessViolationResponse if called
@@ -129,63 +125,61 @@
import soc.views.helper.responses
- if kwargs.get('SIDEBAR_CALLING', False):
- context = {}
- else:
- context = soc.views.helper.responses.getUniversalContext(request)
-
+ kwargs.get('context', {})
context['title'] = 'Access denied'
raise out_of_band.AccessViolation(DEF_PAGE_DENIED_MSG, context=context)
-def checkIsLoggedIn(request, args, kwargs):
+def checkIsLoggedIn(kwargs):
"""Raises an alternate HTTP response if Google Account is not logged in.
Args:
- request: a Django HTTP request
+ kwargs: a dictionary with django's arguments
Raises:
AccessViolationResponse:
* if no Google Account is even logged in
"""
+
if users.get_current_user():
return
raise out_of_band.LoginRequest()
-def checkNotLoggedIn(request, args, kwargs):
+def checkNotLoggedIn(kwargs):
"""Raises an alternate HTTP response if Google Account is logged in.
Args:
- request: a Django HTTP request
+ kwargs: a dictionary with django's arguments
Raises:
AccessViolationResponse:
* if a Google Account is currently logged in
"""
+
if not users.get_current_user():
return
raise out_of_band.LoginRequest(message_fmt=DEF_LOGOUT_MSG_FMT)
-def checkIsUser(request, args, kwargs):
+def checkIsUser(kwargs):
"""Raises an alternate HTTP response if Google Account has no User entity.
Args:
- request: a Django HTTP request
+ kwargs: a dictionary with django's arguments
Raises:
AccessViolationResponse:
* if no User exists for the logged-in Google Account, or
* if no Google Account is logged in at all
"""
- checkIsLoggedIn(request, args, kwargs)
- user = user_logic.getForFields({'account': users.get_current_user()},
- unique=True)
+ checkIsLoggedIn(kwargs)
+
+ user = user_logic.getForCurrentAccount()
if user:
return
@@ -193,11 +187,11 @@
raise out_of_band.LoginRequest(message_fmt=DEF_NO_USER_LOGIN_MSG_FMT)
-def checkAgreesToSiteToS(request, args, kwargs):
+def checkAgreesToSiteToS(kwargs):
"""Raises an alternate HTTP response if User has not agreed to site-wide ToS.
Args:
- request: a Django HTTP request
+ kwargs: a dictionary with django's arguments
Raises:
AccessViolationResponse:
@@ -205,7 +199,8 @@
* if no User exists for the logged-in Google Account, or
* if no Google Account is logged in at all
"""
- checkIsUser(request, args, kwargs)
+
+ checkIsUser(kwargs)
user = user_logic.getForCurrentAccount()
@@ -220,11 +215,11 @@
raise out_of_band.LoginRequest(message_fmt=login_msg_fmt)
-def checkIsDeveloper(request, args, kwargs):
+def checkIsDeveloper(kwargs):
"""Raises an alternate HTTP response if Google Account is not a Developer.
Args:
- request: a Django HTTP request
+ kwargs: a dictionary with django's arguments
Raises:
AccessViolationResponse:
@@ -233,7 +228,7 @@
* if no Google Account is logged in at all
"""
- checkAgreesToSiteToS(request, args, kwargs)
+ checkAgreesToSiteToS(kwargs)
if accounts.isDeveloper(account=users.get_current_user()):
return
@@ -248,13 +243,14 @@
"""Raises an alternate HTTP response if the specified request does not exist
or if it's state is not group_accepted.
"""
- def wrapper(request, args, kwargs):
- checkAgreesToSiteToS(request, args, kwargs)
+
+ def wrapper(kwargs):
+ checkAgreesToSiteToS(kwargs)
user_entity = user_logic.getForCurrentAccount()
if user_entity.link_id != kwargs['link_id']:
- deny(request, args, kwargs)
+ deny(kwargs)
fields = {'link_id': kwargs['link_id'],
'scope_path': kwargs['scope_path'],
@@ -264,9 +260,10 @@
if request_entity.state != 'group_accepted':
# TODO tell the user that this request has not been accepted yet
- deny(request, args, kwargs)
+ deny(kwargs)
return
+
return wrapper
@@ -274,7 +271,8 @@
"""Raises an alternate HTTP response if the specified request does not exist
or if it's state is completed or denied.
"""
- def wrapper(request, args, kwargs):
+
+ def wrapper(kwargs):
fields = {'link_id': kwargs['link_id'],
'scope_path': kwargs['scope_path'],
@@ -284,23 +282,25 @@
if request_entity.state in ['completed', 'denied']:
# TODO tell the user that this request has been processed
- deny(request, args, kwargs)
+ deny(kwargs)
return
+
return wrapper
-def checkIsMyGroupAcceptedRequest(request, args, kwargs):
+def checkIsMyGroupAcceptedRequest(kwargs):
"""Raises an alternate HTTP response if the specified request does not exist
or if it's state is not group_accepted.
"""
- checkAgreesToSiteToS(request, args, kwargs)
+
+ checkAgreesToSiteToS(kwargs)
user_entity = user_logic.getForCurrentAccount()
if user_entity.link_id != kwargs['link_id']:
# not the current user's request
- return deny(request, args, kwargs)
+ return deny(kwargs)
fields = {'link_id': kwargs['link_id'],
'scope_path': kwargs['scope_path'],
@@ -310,15 +310,15 @@
if not request_entity:
# TODO return 404
- return deny(request, args, kwargs)
+ return deny(kwargs)
if request_entity.state != 'group_accepted':
- return deny(request, args, kwargs)
+ return deny(kwargs)
return
-def checkIsHost(request, args, kwargs):
+def checkIsHost(kwargs):
"""Raises an alternate HTTP response if Google Account has no Host entity.
Args:
@@ -334,15 +334,14 @@
try:
# if the current user is invited to create a host profile we allow access
- checkIsDeveloper(request, args, kwargs)
+ checkIsDeveloper(kwargs)
return
except out_of_band.Error:
pass
- checkAgreesToSiteToS(request, args, kwargs)
+ checkAgreesToSiteToS(kwargs)
- user = user_logic.getForFields({'account': users.get_current_user()},
- unique=True)
+ user = user_logic.getForCurrentAccount()
fields = {'user': user,
'state': 'active'}
@@ -358,7 +357,7 @@
raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
-def checkIsHostForProgram(request, args, kwargs):
+def checkIsHostForProgram(kwargs):
"""Raises an alternate HTTP response if Google Account has no Host entity
for the specified program.
@@ -372,10 +371,10 @@
* if no User exists for the logged-in Google Account, or
* if the user is not even logged in
"""
- checkAgreesToSiteToS(request, args, kwargs)
- user = user_logic.getForFields({'account': users.get_current_user()},
- unique=True)
+ checkAgreesToSiteToS(kwargs)
+
+ user = user_logic.getForCurrentAccount()
fields = {'user': user,
'scope_path': kwargs['scope_path'],
@@ -392,12 +391,12 @@
raise out_of_band.LoginRequest(message_fmt=login_message_fmt)
-def checkIsClubAdminForClub(request, args, kwargs):
+def checkIsClubAdminForClub(kwargs):
"""Returns an alternate HTTP response if Google Account has no Club Admin
entity for the specified club.
Args:
- request: a Django HTTP request
+ kwargs: a dictionary with django's arguments
Raises:
AccessViolationResponse: if the required authorization is not met
@@ -410,12 +409,12 @@
try:
# if the current user is invited to create a host profile we allow access
- checkIsDeveloper(request, args, kwargs)
+ checkIsDeveloper(kwargs)
return
except out_of_band.Error:
pass
- checkAgreesToSiteToS(request, args, kwargs)
+ checkAgreesToSiteToS(kwargs)
user = user_logic.getForCurrentAccount()
@@ -444,7 +443,7 @@
entity for the specified Club.
Args:
- request: a Django HTTP request
+ kwargs: a dictionary with django's arguments
Raises:
AccessViolationResponse: if the required authorization is not met
@@ -455,15 +454,15 @@
should be returned by the calling view.
"""
- def wrapper(request, args, kwargs):
+ def wrapper(kwargs):
try:
# if the current user is a developer we allow access
- checkIsDeveloper(request, args, kwargs)
+ checkIsDeveloper(kwargs)
return
except out_of_band.Error:
pass
- checkAgreesToSiteToS(request, args, kwargs)
+ checkAgreesToSiteToS(kwargs)
user = user_logic.getForCurrentAccount()
@@ -478,17 +477,17 @@
return
# TODO(srabbelier) Make this give a proper error message
- deny(request, args, kwargs)
+ deny(kwargs)
return wrapper
-def checkIsMyNotification(request, args, kwargs):
+def checkIsMyNotification(kwargs):
"""Returns an alternate HTTP response if this request is for
a Notification belonging to the current user.
Args:
- request: a Django HTTP request
+ kwargs: a dictionary with django's arguments
Raises:
AccessViolationResponse: if the required authorization is not met
@@ -499,18 +498,12 @@
try:
# if the current user is a developer we allow access
- checkIsDeveloper(request, args, kwargs)
+ checkIsDeveloper(kwargs)
return
except out_of_band.Error:
pass
- checkAgreesToSiteToS(request, args, kwargs)
-
- # Mine the url for params
- try:
- callback, args, kwargs = urlresolvers.resolve(request.path)
- except Exception:
- deny(request, args, kwargs)
+ checkAgreesToSiteToS(kwargs)
properties = dicts.filter(kwargs, ['link_id', 'scope_path'])
@@ -524,7 +517,7 @@
return None
# TODO(ljvderijk) Make this give a proper error message
- deny(request, args, kwargs)
+ deny(kwargs)
def checkIsMyApplication(app_logic):
@@ -541,22 +534,22 @@
None if the current User is allowed to access this Application.
"""
- def wrapper(request, args, kwargs):
+ def wrapper(kwargs):
try:
# if the current user is a developer we allow access
- checkIsDeveloper(request, args, kwargs)
+ checkIsDeveloper(kwargs)
return
except out_of_band.Error:
pass
- checkAgreesToSiteToS(request, args, kwargs)
+ checkAgreesToSiteToS(kwargs)
properties = dicts.filter(kwargs, ['link_id'])
application = app_logic.logic.getForFields(properties, unique=True)
if not application:
- deny(request, args, kwargs)
+ deny(kwargs)
user = user_logic.getForCurrentAccount()
@@ -567,7 +560,7 @@
return None
# TODO(srabbelier) Make this give a proper error message
- deny(request, args, kwargs)
+ deny(kwargs)
return wrapper
@@ -583,10 +576,10 @@
None if the current User has no active role for the given role_logic.
"""
- def wrapper(request, args, kwargs):
+ def wrapper(kwargs):
try:
# if the current user is a developer we allow access
- checkIsDeveloper(request, args, kwargs)
+ checkIsDeveloper(kwargs)
return
except out_of_band.Error:
pass
@@ -595,7 +588,7 @@
if not user or user.link_id != kwargs['link_id']:
# not my role
- deny(request, args, kwargs)
+ deny(kwargs)
fields = {'link_id': kwargs['link_id'],
'scope_path': kwargs['scope_path']
@@ -605,19 +598,19 @@
if not role_entity:
# no role found
- deny(request, args, kwargs)
+ deny(kwargs)
if role_entity.state == 'active':
# this role exist and is active
return
else:
# this role is not active
- deny(request, args, kwargs)
+ deny(kwargs)
return wrapper
-def checkCanInvite(request, args, kwargs):
+def checkCanInvite(kwargs):
"""Checks to see if the current user can create an invite.
Note that if the current url is not in the default 'request' form
@@ -629,17 +622,11 @@
try:
# if the current user is a developer we allow access
- checkIsDeveloper(request, args, kwargs)
+ checkIsDeveloper(kwargs)
return
except out_of_band.Error:
pass
- # Mine the url for params
- try:
- callback, args, kwargs = urlresolvers.resolve(request.path)
- except Exception:
- deny(request, args, kwargs)
-
# Construct a new url by reshufling the kwargs
order = ['role', 'access_type', 'scope_path', 'link_id']
url_params = dicts.unzip(kwargs, order)
@@ -649,21 +636,21 @@
try:
callback, args, kwargs = urlresolvers.resolve(url)
except Exception:
- deny(request, args, kwargs)
+ deny(kwargs)
# Get the everything we need for the access check
params = callback.im_self.getParams()
access_type = kwargs['access_type']
# Perform the access check
- checkAccess(access_type, request, rights=params['rights'])
+ checkAccess(access_type, rights=params['rights'], kwargs=kwargs)
-def checkHasPickGetArgs(request, arg, kwargs):
+def checkHasPickGetArgs(kwargs):
"""Raises an alternate HTTP response if the request misses get args.
Args:
- request: a Django HTTP request
+ kwargs: a dictionary with django's arguments
Raises:
AccessViolationResponse:
@@ -671,22 +658,22 @@
* if field is not in request.GET
"""
- get_args = request.GET
+ get_args = kwargs.get('GET', {})
if 'continue' in get_args and 'field' in get_args:
return
#TODO(SRabbelier) inform user that return_url and field are required
- deny(request, arg, kwargs)
+ deny(kwargs)
-def checkIsDocumentPublic(request, args, kwargs):
+def checkIsDocumentPublic(kwargs):
"""Checks whether a document is public.
Args:
- request: a Django HTTP request
+ kwargs: a dictionary with django's arguments
"""
# TODO(srabbelier): A proper check needs to be done to see if the document
# is public or not, probably involving analysing it's scope or such.
- allow(request, args, kwargs)
+ allow(kwargs)