Commits

Kai Diefenbach committed 4ae866c

Protect all manage methods, which can reached from outside with permission 'core.manage_shop'. Added test to check this.

  • Participants
  • Parent commits 3a57a8b

Comments (0)

Files changed (18)

File lfs/cart/tests.py

         # Added product_1 two times to cart again
         add_to_cart(request)
         response = added_to_cart_items(request)
-        self.failIf(response.find("Total: 40,00 EUR") == -1)
+        self.failIf(response.find("Total: 40,00 EUR") == -1)

File lfs/checkout/views.py

     cart_costs = cart_utils.get_cart_costs(request, cart)
     cart_price = cart_costs["price"] + shipping_costs["price"] + payment_costs["price"]
     cart_tax = cart_costs["tax"] + shipping_costs["tax"] + payment_costs["tax"]
-    
+
     discounts = lfs.discounts.utils.get_valid_discounts(request)
     for discount in discounts:
         cart_price = cart_price - discount["price"]
         "cart_price" : cart_price,
         "cart_tax" : cart_tax,
         "display_voucher" : display_voucher,
-        "discounts" : discounts,        
+        "discounts" : discounts,
         "voucher_value" : voucher_value,
         "voucher_tax" : voucher_tax,
         "shipping_price" : shipping_costs["price"],
     customer = customer_utils.get_or_create_customer(request)
     if request.method == "POST":
         form = checkout_form(request.POST)
-        
+
         toc = True
-                
+
         if shop.confirm_toc:
             if not request.POST.has_key("confirm_toc"):
                 toc = False
 
     lfs.shipping.utils.update_to_valid_shipping_method(request, customer)
     lfs.payment.utils.update_to_valid_payment_method(request, customer)
-    customer.save()
+    customer.save()

File lfs/core/tests.py

 from lfs.checkout.tests import *
 
 # django imports
+from django.contrib.auth.models import AnonymousUser
 from django.contrib.auth.models import User
 from django.contrib.sessions.backends.file import SessionStore
 from django.core.urlresolvers import reverse
 from lfs.tests.utils import RequestFactory
 import lfs.core.utils
 
+
 class ShopTestCase(TestCase):
     """Tests the views of the lfs.catalog.
     """
     fixtures = ['lfs_shop.xml']
-    
+
     def test_shop_defaults(self):
         """Tests the shop values right after creation of an instance
         """
         shop = Shop.objects.get(pk=1)
-        
+
         self.assertEqual(shop.name, "LFS")
         self.assertEqual(shop.shop_owner, "John Doe")
         self.assertEqual(shop.product_cols, 1)
         self.assertEqual(shop.ga_ecommerce_tracking, False)
         self.assertEqual(shop.default_country.name, "Deutschland")
         self.assertEqual(shop.get_default_country().name, "Deutschland")
-    
+
     def test_from_email(self):
         """
         """
-        shop = lfs.core.utils.get_default_shop()        
+        shop = lfs.core.utils.get_default_shop()
 
         shop.from_email = "john@doe.com"
         self.assertEqual(shop.from_email, "john@doe.com")
-        
+
     def test_get_notification_emails(self):
         """
         """
-        shop = lfs.core.utils.get_default_shop()        
+        shop = lfs.core.utils.get_default_shop()
 
-        shop.notification_emails = "john@doe.com, jane@doe.com, baby@doe.com"        
+        shop.notification_emails = "john@doe.com, jane@doe.com, baby@doe.com"
 
         self.assertEqual(
-            shop.get_notification_emails(), 
+            shop.get_notification_emails(),
             ["john@doe.com", "jane@doe.com", "baby@doe.com"])
 
         shop.notification_emails = "john@doe.com\njane@doe.com\nbaby@doe.com"
         self.assertEqual(
-            shop.get_notification_emails(), 
+            shop.get_notification_emails(),
             ["john@doe.com", "jane@doe.com", "baby@doe.com"])
 
         shop.notification_emails = "john@doe.com\r\njane@doe.com\r\nbaby@doe.com"
         self.assertEqual(
-            shop.get_notification_emails(), 
+            shop.get_notification_emails(),
             ["john@doe.com", "jane@doe.com", "baby@doe.com"])
 
         shop.notification_emails = "john@doe.com\n\rjane@doe.com\n\rbaby@doe.com"
         self.assertEqual(
-            shop.get_notification_emails(), 
+            shop.get_notification_emails(),
             ["john@doe.com", "jane@doe.com", "baby@doe.com"])
 
         shop.notification_emails = "john@doe.com,,,,\n\n\n\njane@doe.com"
         self.assertEqual(
-            shop.get_notification_emails(), 
+            shop.get_notification_emails(),
             ["john@doe.com", "jane@doe.com"])
 
 class TagsTestCase(TestCase):
         shop.ga_site_tracking = False
         shop.ga_ecommerce_tracking = False
         shop.save()
-        
+
         template = get_template_from_string(
             """{% load lfs_tags %}{% google_analytics_tracking %}""")
 
-        content = template.render(Context())        
+        content = template.render(Context())
         self.failIf(content.find("pageTracker") != -1)
 
         # Enter a google_analytics_id
         shop.google_analytics_id="UA-XXXXXXXXXX"
         shop.save()
-        
+
         # But this is not enough
-        content = template.render(Context())        
+        content = template.render(Context())
         self.failIf(content.find("pageTracker") != -1)
-                
+
         # It has to be activated first
         shop.ga_site_tracking = True
         shop.save()
         # Now it works and "pageTracker" is found
         content = template.render(Context())
         self.failIf(content.find("pageTracker") == -1)
-                
+
     def test_ga_ecommerce_tracking(self):
         """
         """
         shop.ga_site_tracking = False
         shop.ga_ecommerce_tracking = False
         shop.save()
-        
+
         session = SessionStore()
-        
+
         rf = RequestFactory()
         request = rf.get('/')
         request.session = session
-        
+
         template = get_template_from_string(
-            """{% load lfs_tags %}{% google_analytics_ecommerce %}""")            
-            
-        content = template.render(Context({"request" : request}))        
+            """{% load lfs_tags %}{% google_analytics_ecommerce %}""")
+
+        content = template.render(Context({"request" : request}))
         self.failIf(content.find("pageTracker") != -1)
-        
+
         # Enter a google_analytics_id
         shop.google_analytics_id="UA-XXXXXXXXXX"
         shop.save()
-        
+
         # But this is not enough
-        content = template.render(Context({"request" : request}))        
+        content = template.render(Context({"request" : request}))
         self.failIf(content.find("pageTracker") != -1)
-        
+
         # It has to be activated first
         shop.ga_ecommerce_tracking = True
         shop.save()
-        
+
         # But this is still not enough
-        content = template.render(Context({"request" : request}))        
+        content = template.render(Context({"request" : request}))
         self.failIf(content.find("pageTracker") != -1)
-        
+
         # There has to be an order within the session
         session["order"] = Order()
-        
+
         # Now it works and "pageTracker" is found
         content = template.render(Context({"request" : request}))
-        self.failIf(content.find("pageTracker") == -1)
+        self.failIf(content.find("pageTracker") == -1)
+
+
+class ManageURLsTestCase(TestCase):
+    def test_mananage_urls_anonymous(self):
+        """Tests that all manage urls cannot accessed by anonymous user.
+        """
+        rf = RequestFactory()
+        request = rf.get("/")
+        request.user = AnonymousUser()
+
+        from lfs.manage.urls import urlpatterns
+        for url in urlpatterns:
+            result = url.callback(request)
+            self.failUnless(result["Location"].startswith("/login/?next=/"))

File lfs/manage/urls.py

 from django.conf.urls.defaults import *
 from django.views.generic.simple import direct_to_template
 
-urlpatterns = patterns('django.views.generic.simple',
-    (r'^products-new', 'direct_to_template', { 'template': 'manage/new/product.html' }),
-)
-
 # General
-urlpatterns += patterns('lfs.manage.views',
+urlpatterns = patterns('lfs.manage.views',
     url(r'^$', "dashboard", name="lfs_manage_dashboard"),
 )
 
     url(r'^save-shop-property-step-type/(?P<property_id>\d*)', "save_step_type", name="lfs_save_shop_property_step_type"),
     url(r'^delete-shop-property-option/(?P<id>\d*)', "delete_option", name="lfs_delete_shop_property_option"),
     url(r'^delete-shop-property-step/(?P<id>\d*)', "delete_step", name="lfs_delete_shop_property_step"),
-    
+
     url(r'^save-number-field-validators/(?P<property_id>\d*)', "save_number_field_validators", name="lfs_save_number_field_validators"),
     url(r'^save-select-field/(?P<property_id>\d*)', "save_select_field", name="lfs_save_select_field"),
 
-    
+
 )
 
 # Product properties
     url(r'^manage-static-block/(?P<id>\d*)$', "manage_static_block", name="lfs_manage_static_block"),
     url(r'^add_files/(?P<id>[-\w]*)', "add_files", name="lfs_add_files_to_static_block"),
     url(r'^update_files/(?P<id>[-\w]*)', "update_files", name="lfs_manage_update_files_sb"),
-    url(r'^reload_files/(?P<id>[-\w]*)', "reload_files", name="lfs_reload_files"),    
+    url(r'^reload_files/(?P<id>[-\w]*)', "reload_files", name="lfs_reload_files"),
 )
 
 # Reviews
     url(r'^set-category-levels$', "set_category_levels", name="lfs_set_category_levels"),
     url(r'^update-effective-price$', "update_effective_price", name="lfs_update_effective_price"),
     url(r'^reindex-topseller$', "reindex_topseller", name="lfs_reindex_topseller"),
-)
+)

File lfs/manage/views/carts.py

         "carts_inline" : carts_inline(request, as_string=True),
     }))
 
+
+@permission_required("core.manage_shop", login_url="/login/")
 def carts_inline(request, as_string=False, template_name="manage/cart/carts_inline.html"):
     """Displays carts overview.
     """
         "selectable_carts_inline" : selectable_carts_inline(request, cart_id, as_string=True),
     }));
 
+@permission_required("core.manage_shop", login_url="/login/")
 def cart_inline(request, cart_id, as_string=False, template_name="manage/cart/cart_inline.html"):
     """Displays cart with provided cart id.
     """
         "start" : cart_filters.get("start", ""),
         "end" : cart_filters.get("end", ""),
     }))
-    
+
     if as_string:
         return result
     else:
 
         return HttpResponse(result)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def selectable_carts_inline(request, cart_id=0, as_string=False,
     template_name="manage/cart/selectable_carts_inline.html"):
     """Display selectable carts.
 
         return HttpResponse(result)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def set_cart_filters(request):
     """Sets cart filters given by passed request.
     """
 
     return HttpResponse(result)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def set_cart_filters_date(request):
     """Sets the date filter by given short cut link
     """
 
     return HttpResponse(result)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def reset_cart_filters(request):
     """Resets all cart filters.
     """
 
     carts = carts.filter(modification_date__range=(s, e))
 
-    return carts
+    return carts

File lfs/manage/views/customer.py

         "selectable_customers_inline" : selectable_customers_inline(request, customer_id, as_string=True),
     }));
 
+@permission_required("core.manage_shop", login_url="/login/")
 def customer_inline(request, customer_id, as_string=False, template_name="manage/customer/customer_inline.html"):
     """Displays customer with provided customer id.
     """
 def customers_inline(request, as_string=False, template_name="manage/customer/customers_inline.html"):
     """Displays carts overview.
     """
-    customer_filters = request.session.get("customer-filters", {})    
+    customer_filters = request.session.get("customer-filters", {})
     ordering = request.session.get("customer-ordering", "id")
-    
+
     temp = _get_filtered_customers(request, customer_filters)
 
     paginator = Paginator(temp, 30)
 
         return HttpResponse(result)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def selectable_customers_inline(request, customer_id=0, as_string=False,
     template_name="manage/customer/selectable_customers_inline.html"):
     """Display selectable customers.
 
         return HttpResponse(result)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def set_ordering(request, ordering):
     """Sets customer ordering given by passed request.
     """
         ordering = "selected_invoice_address__firstname"
     elif ordering == "email":
         ordering = "selected_invoice_address__email"
-        
+
     if ordering == request.session.get("customer-ordering"):
         if request.session.get("customer-ordering-order") == "":
             request.session["customer-ordering-order"] = "-"
     }, cls = LazyEncoder)
 
     return HttpResponse(result)
-    
+
+@permission_required("core.manage_shop", login_url="/login/")
 def set_customer_filters(request):
     """Sets customer filters given by passed request.
     """
 
     return HttpResponse(result)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def reset_customer_filters(request):
     """Resets all customer filters.
     """
     """
     customer_ordering = request.session.get("customer-ordering", "id")
     customer_ordering_order = request.session.get("customer-ordering-order", "")
-    
+
     customers = Customer.objects.exclude(selected_invoice_address=None)
-    
+
     # Filter
     name = customer_filters.get("name", "")
     if name != "":
         f  = Q(selected_invoice_address__lastname__icontains=name)
         f |= Q(selected_invoice_address__firstname__icontains=name)
         customers = customers.filter(f)
-    
+
     # Ordering
     customers = customers.order_by("%s%s" % (customer_ordering_order, customer_ordering))
 
-    return customers
+    return customers

File lfs/manage/views/delivery_times.py

         url = reverse("lfs_manage_delivery_time", kwargs={"id": delivery_time.id})
     except IndexError:
         url = reverse("lfs_add_delivery_time")
-    
+
     return HttpResponseRedirect(url)
 
 @permission_required("core.manage_shop", login_url="/login/")
             return lfs.core.utils.set_message_cookie(
                 url = reverse("lfs_manage_delivery_time", kwargs={"id" : id}),
                 msg = _(u"Delivery time has been saved."),
-            )            
+            )
     else:
         form = DeliveryTimeForm(instance=delivery_time)
-    
+
     return render_to_response(template_name, RequestContext(request, {
         "delivery_time" : delivery_time,
         "delivery_times" : DeliveryTime.objects.all(),
         "current_id" : int(id),
     }))
 
-@permission_required("core.manage_shop", login_url="/login/")    
+@permission_required("core.manage_shop", login_url="/login/")
 def add_delivery_time(request, template_name="manage/delivery_times/add.html"):
     """Provides a form to add a new delivery time.
     """
             return lfs.core.utils.set_message_cookie(
                 url = reverse("lfs_manage_delivery_time", kwargs={"id" : delivery_time.id}),
                 msg = _(u"Delivery time has been added."),
-            )            
+            )
 
     else:
         form = DeliveryTimeForm()
 
     return render_to_response(template_name, RequestContext(request, {
         "form" : form,
-        "delivery_times" : DeliveryTime.objects.all(),        
+        "delivery_times" : DeliveryTime.objects.all(),
     }))
 
 @permission_required("core.manage_shop", login_url="/login/")
     for product in Product.objects.filter(delivery_time=id):
         product.delivery_time = None
         product.save()
-    
+
     # Remove the delivery time from all products order_time
     for product in Product.objects.filter(order_time=id):
         product.order_time = None
         product.save()
-    
+
     delivery_time = get_object_or_404(DeliveryTime, pk=id)
     delivery_time.delete()
 
     return lfs.core.utils.set_message_cookie(
         url = reverse("lfs_manage_delivery_times"),
         msg = _(u"Delivery time has been deleted."),
-    )
+    )

File lfs/manage/views/export.py

 # django imports
+from django.contrib.auth.decorators import permission_required
 from django.core.urlresolvers import reverse
 from django.forms import ModelForm
 from django.http import HttpResponse
         model = Export
         exclude = ("products", )
 
+@permission_required("core.manage_shop", login_url="/login/")
 def manage_export(request, export_id, template_name="manage/export/export.html"):
     """The main view to display exports.
     """
         "export_id" : int(export_id),
     }))
 
+@permission_required("core.manage_shop", login_url="/login/")
 def export_inline(request, export_id, category_id,
     template_name="manage/export/export_inline.html"):
     """Returns categories and products for given export id and category id.
     return HttpResponse(
         simplejson.dumps({ "html" : html }))
 
+@permission_required("core.manage_shop", login_url="/login/")
 def add_export(request, template_name="manage/export/add_export.html"):
     """Form and logic to add a export.
     """
     }))
 
 # Actions
+@permission_required("core.manage_shop", login_url="/login/")
 def export_dispatcher(request):
     """Dispatches to the first export or to the add form.
     """
         return HttpResponseRedirect(
             reverse("lfs_export", kwargs = {"export_id" : export.id }))
 
+@permission_required("core.manage_shop", login_url="/login/")
 def delete_export(request, export_id):
     """Deletes export with passed export id.
     """
 
     return HttpResponseRedirect(reverse("lfs_export_dispatcher"))
 
+@permission_required("core.manage_shop", login_url="/login/")
 def edit_category(request, export_id, category_id):
     """Adds/Removes products of given category to given export.
     """
 
     return HttpResponse("")
 
+@permission_required("core.manage_shop", login_url="/login/")
 def edit_product(request, export_id, product_id):
     """Adds/Removes given product to given export.
     """
 
     return HttpResponse("")
 
+@permission_required("core.manage_shop", login_url="/login/")
 def export(request, slug):
     """Exports the export with passed export id.
     """
     module = lfs.core.utils.import_module(export.script.module)
     return getattr(module, export.script.method)(request, export)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def category_state(request, export_id, category_id):
     """Sets the state (klass and checking) for given category for given
     export.
         })
     )
 
+@permission_required("core.manage_shop", login_url="/login/")
 def update_category_variants_option(request, export_id, category_id):
     """Stores / deletes options for the variants handling of category with
     given id.
 
     return HttpResponse("")
 
+@permission_required("core.manage_shop", login_url="/login/")
 def update_data(request, export_id):
     """Updates data of export with given export id.
     """

File lfs/manage/views/manufacturer.py

 # django imports
 from django.core.urlresolvers import reverse
+from django.contrib.auth.decorators import permission_required
 from django.forms import ModelForm
 from django.http import HttpResponse
 from django.http import HttpResponseRedirect
     class Meta:
         model = Manufacturer
 
+@permission_required("core.manage_shop", login_url="/login/")
 def manage_manufacturer(request, manufacturer_id, template_name="manage/manufacturer/manufacturer.html"):
     """The main view to display factories.
     """
         "manufacturer_id" : int(manufacturer_id),
     }))
 
+
+@permission_required("core.manage_shop", login_url="/login/")
 def manufacturer_inline(request, manufacturer_id, category_id,
     template_name="manage/manufacturer/manufacturer_inline.html"):
     """Returns categories and products for given manufacturer id and category id.
     return HttpResponse(
         simplejson.dumps({ "html" : html }))
 
+
+@permission_required("core.manage_shop", login_url="/login/")
 def add_manufacturer(request, template_name="manage/manufacturer/add_manufacturer.html"):
     """Form and logic to add a manufacturer.
     """
         "selectable_manufacturers_inline" : selectable_manufacturers_inline(request, 0),
     }))
 
+
 # Actions
+@permission_required("core.manage_shop", login_url="/login/")
 def manufacturer_dispatcher(request):
     """Dispatches to the first manufacturer or to the add form.
     """
         return HttpResponseRedirect(
             reverse("lfs_manufacturer", kwargs = {"manufacturer_id" : manufacturer.id }))
 
+
+@permission_required("core.manage_shop", login_url="/login/")
 def delete_manufacturer(request, manufacturer_id):
     """Deletes Manufacturer with passed manufacturer id.
     """
 
     return HttpResponseRedirect(reverse("lfs_manufacturer_dispatcher"))
 
+
+@permission_required("core.manage_shop", login_url="/login/")
 def edit_category(request, manufacturer_id, category_id):
     """Adds/Removes products of given category to given manufacturer.
     """
 
     return HttpResponse("")
 
+
+@permission_required("core.manage_shop", login_url="/login/")
 def edit_product(request, manufacturer_id, product_id):
     """Adds/Removes given product to given manufacturer.
     """
 
     return HttpResponse("")
 
+
+@permission_required("core.manage_shop", login_url="/login/")
 def category_state(request, manufacturer_id, category_id):
     """Sets the state (klass and checking) for given category for given
     manufacturer.
         })
     )
 
+
+@permission_required("core.manage_shop", login_url="/login/")
 def update_data(request, manufacturer_id):
     """Updates data of manufacturer with given manufacturer id.
     """
 
     return HttpResponse(result)
 
+
 def _get_category_state(manufacturer, category):
     """Calculates the state for given category for given manufacturer.
     """

File lfs/manage/views/orders.py

         "orders_inline" : orders_inline(request, as_string=True),
     }))
 
+@permission_required("core.manage_shop", login_url="/login/")
 def orders_inline(request, as_string=False, template_name="manage/order/orders_inline.html"):
     """Displays the orders. This is factored out in order to reload it via
     ajax request.
 
         return HttpResponse(result)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def set_order_filters(request):
     """Sets order filters given by passed request.
     """
 
     return HttpResponse(result)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def set_order_filters_date(request):
     """Sets the date filter by given short cut link
     """
 
     return HttpResponse(result)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def reset_order_filters(request):
     """resets order filter.
     """
         msg = _(u"Order has been sent."),
     )
 
+@permission_required("core.manage_shop", login_url="/login/")
 def change_order_state(request):
     """Changes the state of an order, given by request post variables.
     """
 
     orders = orders.filter(created__range=(s, e))
 
-    return orders
+    return orders

File lfs/manage/views/product/images.py

         return HttpResponse(result)
 
 # Actions
-# @permission_required("core.manage_shop", login_url="/login/")
+@permission_required("core.manage_shop", login_url="/login/")
 def add_image(request, product_id):
     """Adds an image to product with passed product_id.
     """
     """Saves/deletes images with given ids (passed by request body).
     """
     product = lfs_get_object_or_404(Product, pk=product_id)
-    
+
     action = request.POST.get("action")
     if action == "delete":
         message = _(u"Images has been deleted.")

File lfs/manage/views/product/product.py

         model = Product
         fields = ("weight", "width", "height", "length", "manage_stock_amount",
                   "stock_amount", "manual_delivery_time", "delivery_time",
-                  "deliverable", "order_time", "ordered_at", "active_dimensions", 
+                  "deliverable", "order_time", "ordered_at", "active_dimensions",
                   "packing_unit", "packing_unit_unit", "active_packing_unit")
 
     def __init__(self, *args, **kwargs):
     }))
 
 # Actions
+@permission_required("core.manage_shop", login_url="/login/")
 def add_product(request, template_name="manage/product/add_product.html"):
     """Shows a simplified product form and adds a new product.
     """
 
     products = products.order_by("%s%s" % (product_ordering_order, product_ordering))
 
-    return products
+    return products

File lfs/manage/views/properties.py

         "form" : form,
     }))
 
+@permission_required("core.manage_shop", login_url="/login/")
 def save_select_field(request, property_id):
     """
     """
         "number_field_form" : number_field_form,
     }))
 
+@permission_required("core.manage_shop", login_url="/login/")
 def save_number_field_validators(request, property_id):
     """
     """
         "step_type_form" : step_type_form,
     }))
 
+@permission_required("core.manage_shop", login_url="/login/")
 def save_step(request, property_id):
     """Save the steps of the property with given id.
     """
 
     return HttpResponse(result)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def save_step_type(request, property_id):
     """Save the step type of the property with given id.
     """

File lfs/manage/views/property_groups/product_values.py

 def product_values(request, property_group_id, template_name="manage/properties/pg_product_values.html"):
     """Renders the products values part of the property groups management views.
     """
-    property_group = lfs_get_object_or_404(PropertyGroup, pk=property_group_id)    
+    property_group = lfs_get_object_or_404(PropertyGroup, pk=property_group_id)
     all_properties = property_group.properties.order_by("groupspropertiesrelation")
-    products = []    
+    products = []
     for product in property_group.products.all():
         properties = []
         for property in all_properties:
                 ppv = ProductPropertyValue.objects.get(property = property, product=product, type=1)
             except ProductPropertyValue.DoesNotExist:
                 value = ""
-            else: 
+            else:
                 value = ppv.value
-        
+
             # mark selected options "selected"
             options = []
-            for option in property.options.all():                
+            for option in property.options.all():
                 options.append({
                     "id"       : option.id,
                     "name"     : option.name,
                     "selected" : str(option.id) == value
                 })
-        
+
             properties.append({
                 "id"      : property.id,
                 "name"    : property.name,
             "name" : product.get_name(),
             "properties" : properties,
         })
-        
+
     return render_to_string(template_name, RequestContext(request, {
         "property_group" : property_group,
         "products" : products,
-        "all_properties" : all_properties, 
+        "all_properties" : all_properties,
     }))
-        
+
+@permission_required("core.manage_shop", login_url="/login/")
 def update_product_values(request, property_group_id):
     """Updates product property values.
     """
     property_group = lfs_get_object_or_404(PropertyGroup, pk=property_group_id)
     product_ids = request.POST.getlist("product-id")
     products = Product.objects.filter(pk__in=product_ids)
-    
+
     for product in products:
-        for property in property_group.properties.all():            
+        for property in property_group.properties.all():
             value = request.POST.get("property-%s-%s" % (product.id, property.id), "")
             if value != "":
                 try:
                     ppv = ProductPropertyValue.objects.get(property = property, product=product)
                 except ProductPropertyValue.DoesNotExist:
                     ProductPropertyValue.objects.create(property = property, product=product, value=value)
-                else: 
+                else:
                     ppv.value = value
                     ppv.save()
 
         "html" : product_values(request, property_group_id),
         "message" : _(u"Product Values have been saved.")
     }, cls=LazyEncoder);
-        
-    return HttpResponse(result)
+
+    return HttpResponse(result)

File lfs/manage/views/review.py

         "selectable_reviews_inline" : selectable_reviews_inline(request, review_id, as_string=True),
     }));
 
+@permission_required("core.manage_shop", login_url="/login/")
 def review_inline(request, review_id, as_string=False, template_name="manage/reviews/review_inline.html"):
     """Displays review with provided review id.
     """
 
         return HttpResponse(result)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def selectable_reviews_inline(request, review_id=0, as_string=False,
     template_name="manage/reviews/selectable_reviews_inline.html"):
     """Display selectable reviews.
 
         return HttpResponse(result)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def set_ordering(request, ordering):
     """Sets review ordering given by passed request.
     """
 
     return HttpResponse(result)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def set_review_filters(request):
     """Sets review filters given by passed request.
     """
 
     return HttpResponse(result)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def reset_review_filters(request):
     """Resets all review filters.
     """
 
     return HttpResponse(result)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def delete_review(request, review_id):
     """Deletes review with passed review id.
     """
         review.delete()
 
     return set_message_cookie(
-        reverse("lfs_manage_reviews"), _(u"Review has been deleted."))    
+        reverse("lfs_manage_reviews"), _(u"Review has been deleted."))
 
+@permission_required("core.manage_shop", login_url="/login/")
 def set_state(request, review_id):
     """Sets the state for given review.
     """
     active = review_filters.get("active", "")
     if active != "":
         reviews = reviews.filter(active=active)
-    
+
     # Ordering
     if review_ordering == "product":
         reviews = list(reviews)
             reviews.sort(lambda b, a: cmp(a.content.get_name(), b.content.get_name()))
         else:
             reviews.sort(lambda a, b: cmp(a.content.get_name(), b.content.get_name()))
-            
+
     else:
         reviews = reviews.order_by("%s%s" % (review_ordering_order, review_ordering))
 
-    return reviews
+    return reviews

File lfs/manage/views/shop.py

     def __init__(self, *args, **kwargs):
         super(ShopForm, self).__init__(*args, **kwargs)
         self.fields["image"].widget = LFSImageInput()
-    
+
     class Meta:
         model = Shop
-        fields = ("name", "shop_owner", "from_email", "notification_emails", 
+        fields = ("name", "shop_owner", "from_email", "notification_emails",
             "description", "image", "static_block", "checkout_type", "confirm_toc",
             "google_analytics_id", "ga_site_tracking", "ga_ecommerce_tracking")
 
 
     class Meta:
         model = Shop
-        fields = ("product_cols", "product_rows", "category_cols", 
+        fields = ("product_cols", "product_rows", "category_cols",
             "default_country", "countries")
-    
+
 @permission_required("core.manage_shop", login_url="/login/")
 def manage_shop(request, template_name="manage/shop/shop.html"):
     """Displays the form to manage shop data.
     if request.method == "POST":
         form = ShopForm(instance=shop, data=request.POST, files=request.FILES)
         if form.is_valid():
-            form.save()            
+            form.save()
             return lfs.core.utils.set_message_cookie(
                 url = reverse("lfs_manage_shop"),
                 msg = _(u"Shop data has been saved."),
-            )            
+            )
     else:
         form = ShopForm(instance=shop)
-    
+
     return render_to_response(template_name, RequestContext(request, {
         "shop" : shop,
         "form" : form,
         "portlets" : portlets_inline(request, shop),
     }))
 
-@permission_required("core.manage_shop", login_url="/login/")    
+@permission_required("core.manage_shop", login_url="/login/")
 def default_values_part(request, template_name="manage/shop/default_values.html"):
     """Displays the default value part of the shop form.
     """
     shop = lfs_get_object_or_404(Shop, pk=1)
-    
+
     if request.method == "POST":
         form = ShopDefaultValuesForm(instance=shop, data=request.POST)
     else:
         form = ShopDefaultValuesForm(instance=shop)
-    
+
     return render_to_string(template_name, RequestContext(request, {
         "shop" : shop,
         "form" : form,
     }))
 
+@permission_required("core.manage_shop", login_url="/login/")
 def save_default_values(request):
     """Saves the default value part
     """
     shop = lfs_get_object_or_404(Shop, pk=1)
     form = ShopDefaultValuesForm(instance=shop, data=request.POST)
-    
+
     if form.is_valid():
         shop = form.save()
         shop_changed.send(shop)
         message = _(u"Shop default values have been saved.")
     else:
         message = _(u"Please correct the indicated errors.")
-    
+
     result = simplejson.dumps({
         "html" : default_values_part(request),
         "message" : message
     }, cls = LazyEncoder)
-    
-    return HttpResponse(result)    
+
+    return HttpResponse(result)

File lfs/manage/views/static_blocks.py

         "static_block" : sb,
     }))
 
+@permission_required("core.manage_shop", login_url="/login/")
 def update_files(request, id):
     """
     """
                 else:
                     file.position = value
                     file.save()
-                    
+
     for i, file in enumerate(static_block.files.all()):
         file.position = (i + 1) * 10
         file.save()
-    
+
     html = (
         ("#files", files(request, static_block)),
     )
-    
+
     result = simplejson.dumps({
         "html" : html,
         "message" : message,
 
     return HttpResponse(result)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def reload_files(request, id):
     """
     """
 
     return HttpResponse(result)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def add_files(request, id):
     """Adds files to static block with passed id.
     """
     return lfs.core.utils.set_message_cookie(
         url = reverse("lfs_manage_static_blocks"),
         msg = _(u"Static block has been deleted."),
-    )
+    )

File lfs/manage/views/voucher.py

         self.fields["tax"].choices = taxes
 
 # Parts
+@permission_required("core.manage_shop", login_url="/login/")
 def voucher_group(request, id, template_name="manage/voucher/voucher_group.html"):
     """Main view to display a voucher group.
     """
     return HttpResponse(
         simplejson.dumps({ "html" : html }, cls = LazyEncoder))
 
+
+@permission_required("core.manage_shop", login_url="/login/")
 def manage_vouchers(request):
     """Redirects to the first voucher group or to the add voucher form.
     """
 
     return HttpResponseRedirect(url)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def add_vouchers(request, group_id):
     """
     """
         (("#vouchers", vouchers_tab(request, voucher_group)), ),
         msg)
 
+@permission_required("core.manage_shop", login_url="/login/")
 def delete_vouchers(request, group_id):
     """Deletes checked vouchers.
     """
         (("#vouchers", vouchers_tab(request, voucher_group, deleted=True)), ),
         _(u"Vouchers have been deleted."))
 
+
+@permission_required("core.manage_shop", login_url="/login/")
 def add_voucher_group(request, template_name="manage/voucher/add_voucher_group.html"):
     """Adds a voucher group
     """
         "voucher_groups" : VoucherGroup.objects.all(),
     }))
 
+@permission_required("core.manage_shop", login_url="/login/")
 def save_voucher_group_data(request, id):
     """Saves the data of the voucher group with passed id.
     """
         ("#navigation", navigation(request, voucher_group)),),
         _(u"Voucher data has been save."))
 
+@permission_required("core.manage_shop", login_url="/login/")
 def delete_voucher_group(request, id):
     """Deletes voucher group with given id and all assigned vouchers.
     """
         return lfs.core.utils.set_message_cookie(
             url = reverse("lfs_manage_vouchers"),
             msg = _(u"Voucher group and assigned vouchers have been deleted."),
-        )            
+        )
 
+@permission_required("core.manage_shop", login_url="/login/")
 def save_voucher_options(request):
     """Saves voucher options.
     """
 def _update_positions():
     for i, voucher_group in enumerate(VoucherGroup.objects.all()):
         voucher_group.position = (i+1)*10
-        voucher_group.save()
+        voucher_group.save()