Make sure the user has restricted rights to create a new document
This way users cannot create a document in a scope they should not
have direct access to.
Patch by: Sverre Rabbelier
--- a/app/soc/logic/cleaning.py Sun Mar 22 18:05:10 2009 +0000
+++ b/app/soc/logic/cleaning.py Sun Mar 22 20:13:19 2009 +0000
@@ -612,7 +612,7 @@
return wrapper
-def validate_document_acl(view):
+def validate_document_acl(view, creating=False):
"""Validates that the document ACL settings are correct.
"""
@@ -632,36 +632,48 @@
raise forms.ValidationError(
"Read access should be less strict than write access.")
- validate_access(self, view, 'read_access')
- validate_access(self, view, 'write_access')
+ params = view.getParams()
+ rights = params['rights']
+
+ user = user_logic.getForCurrentAccount()
+
+ rights.setCurrentUser(user.account, user)
+
+ prefix = self.cleaned_data['prefix']
+ scope_path = self.cleaned_data['scope_path']
+
+ validate_access(self, view, rights, prefix, scope_path, 'read_access')
+ validate_access(self, view, rights, prefix, scope_path, 'write_access')
+
+ if creating and not has_access(rights, 'restricted', scope_path, prefix):
+ raise forms.ValidationError(
+ "You do not have the required access to create this document.")
return cleaned_data
return wrapper
-def validate_access(self, view, field):
+
+def has_access(rights, access_level, scope_path, prefix):
+ """Checks whether the current user has the required access.
+ """
+
+ checker = rights_logic.Checker(prefix)
+ roles = checker.getMembership(access_level)
+
+ django_args = {
+ 'scope_path': scope_path,
+ 'prefix': prefix,
+ }
+
+ return rights.hasMembership(roles, django_args)
+
+def validate_access(self, view, rights, prefix, scope_path, field):
"""Validates that the user has access to the ACL for the specified fields.
"""
access_level = self.cleaned_data[field]
- prefix = self.cleaned_data['prefix']
- scope_path = self.cleaned_data['scope_path']
- params = view.getParams()
- rights = params['rights']
-
- user = user_logic.getForCurrentAccount()
-
- rights.setCurrentUser(user.account, user)
- checker = rights_logic.Checker(prefix)
-
- roles = checker.getMembership(access_level)
-
- django_args = {
- 'scope_path': scope_path,
- 'prefix': prefix
- }
-
- if not rights.hasMembership(roles, django_args):
+ if not has_access(rights, access_level, scope_path, prefix):
self._errors[field] = ErrorList([DEF_NO_RIGHTS_FOR_ACL_MSG])
del self.cleaned_data[field]
--- a/app/soc/views/models/document.py Sun Mar 22 18:05:10 2009 +0000
+++ b/app/soc/views/models/document.py Sun Mar 22 20:13:19 2009 +0000
@@ -98,7 +98,7 @@
'clean_content': cleaning.clean_html_content('content'),
'clean_link_id': cleaning.clean_link_id('link_id'),
'clean_scope_path': cleaning.clean_scope_path('scope_path'),
- 'clean': cleaning.validate_document_acl(self),
+ 'clean': cleaning.validate_document_acl(self, True),
}
new_params['extra_dynaexclude'] = ['author', 'created', 'home_for',
'modified_by', 'modified']
@@ -109,6 +109,7 @@
widget=widgets.ReadOnlyInput(), required=False),
'last_modified_by': forms.fields.CharField(
widget=widgets.ReadOnlyInput(), required=False),
+ 'clean': cleaning.validate_document_acl(self),
}
params = dicts.merge(params, new_params)