
Luke Plant committed 9775b05

Added security for wiki

Involved refactoring some functions to new cciw.auth module


Files changed (5)

+WIKI_USERS_GROUP_NAME = 'Wiki users'
+SECRETARY_GROUP_NAME = 'Secretaries'
+OFFICER_GROUP_NAME = 'Officers'
+LEADER_GROUP_NAME = 'Leaders'
+
+
+def is_camp_admin(user):
+    """
+    Returns True if the user is an admin for any camp, or has rights
+    for editing camp/officer/reference/CRB information
+    """
+    return (user.groups.filter(name=LEADER_GROUP_NAME) |
+            user.groups.filter(name=SECRETARY_GROUP_NAME)).exists() \
+        or user.camps_as_admin.exists() > 0
+
+
+def is_wiki_user(user):
+    return user.groups.filter(name=WIKI_USERS_GROUP_NAME).exists()
+
+
+def is_cciw_secretary(user):
+    return user.groups.filter(name=SECRETARY_GROUP_NAME).exists()
+
+
+def is_camp_officer(user):
+    return (user.groups.filter(name=OFFICER_GROUP_NAME) |
+            user.groups.filter(name=LEADER_GROUP_NAME)).exists()
+
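Review bot: `is_camp_admin`, `is_cciw_secretary` and `is_camp_officer` now assume they are handed an authenticated `User`: the `_is_camp_officer` they replace checked `user.is_authenticated()` itself, and the new versions push that onto every caller (cciw/officers/views.py and urls.py re-add it in lambdas, while `camp_admin_required` and the officer context code pass `request.user` straight through). As far as I recall Django's `AnonymousUser` carries no `camps_as_admin` relation, so an anonymous request that reaches `is_camp_admin` would raise instead of being refused. Making each predicate fail closed keeps the decision in one place: open each with `if not user.is_authenticated():` / `    return False`. Separately, `user.camps_as_admin.exists() > 0` compares a bool with an int; `user.camps_as_admin.exists()` says the same thing, and the three undocumented predicates would each benefit from a one-line docstring naming the group they test.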

cciw/middleware/auth.py

+from django.http import HttpResponseForbidden
+
+from cciw.auth import is_wiki_user
+
+class PrivateWiki(object):
+    # Make the wiki restricted to logged in users only.  Djiki does not provide
+    # this feature yet.
+    def process_request(self, request):
+        if request.path.startswith('/wiki/'):
+            if not (hasattr(request, 'user') and
+                    request.user.is_authenticated() and
+                    is_wiki_user(request.user)):
+                return HttpResponseForbidden("<h1>Forbidden</h1>"
+                                             "<p>You must be logged in to use this.")
+
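Review bot: The gate at L52 matches `request.path`, which includes any script prefix the site is mounted under, so a deployment served below `/` would never match `/wiki/` and the middleware would silently let every wiki request through; `request.path_info` is the prefix-independent form, and deriving the string from the URL configuration rather than a literal would also survive the wiki being moved. The same `HttpResponseForbidden` body tells a logged-in user who simply is not in the wiki group that they must log in; distinguishing the two cases would make support easier. The response markup also leaves the `<p>` unclosed.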

cciw/officers/views.py

 from django.views.decorators.cache import never_cache
 from django.views.generic.base import TemplateView
 
+from cciw.auth import is_camp_admin, is_wiki_user, is_cciw_secretary, is_camp_officer
 from cciw.cciwmain import common
 from cciw.cciwmain.decorators import json_response
 from cciw.cciwmain.models import Camp
     return new_obj
 
 
-SECRETARY_GROUP_NAME = 'Secretaries'
-LEADER_GROUP_NAME = 'Leaders'
-
-def _is_camp_admin(user):
-    """
-    Returns True if the user is an admin for any camp, or has rights
-    for editing camp/officer/reference/CRB information
-    """
-    return (user.groups.filter(name=LEADER_GROUP_NAME) |
-            user.groups.filter(name=SECRETARY_GROUP_NAME)).exists() \
-        or user.camps_as_admin.exists() > 0
-
-
 def user_passes_test_improved(test_func):
     """
     Like user_passes_test, but doesn't redirect user to login screen if they are
     return decorator
 
 
-camp_admin_required = user_passes_test_improved(_is_camp_admin)
+camp_admin_required = user_passes_test_improved(is_camp_admin)
 
 
-def _is_cciw_secretary(user):
-    return user.groups.filter(name=SECRETARY_GROUP_NAME).exists()
-
-
-def _is_camp_officer(user):
-    return user.is_authenticated() and \
-        (user.groups.filter(name='Officers') |
-         user.groups.filter(name='Leaders')).exists()
-
 
 def _camps_as_admin_or_leader(user):
     """
     user = request.user
     c = {}
     c['thisyear'] = common.get_thisyear()
-    if _is_camp_admin(user):
+    if is_camp_admin(user):
         c['show_leader_links'] = True
         c['show_admin_link'] = True
-    if _is_cciw_secretary(user):
+    if is_cciw_secretary(user):
         c['show_secretary_links'] = True
         c['show_admin_link'] = True
 
         raise Http404
 
     if app.officer_id != request.user.id and \
-            not _is_camp_admin(request.user):
+            not is_camp_admin(request.user):
         raise PermissionDenied
 
     # NB, this is is called by both normal users and leaders.
 
 
 officer_files = access_folder_securely("officers",
-                                       lambda request: _is_camp_officer(request.user))
+                                       lambda request: request.user.is_authenticated() and is_camp_officer(request.user))
 
 
 def date_to_js_ts(d):
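Review bot: The rewritten lambda at L131 runs well past the line length the rest of the file keeps, and a callback that now encodes an access rule deserves a name of its own. Pulling it out keeps the rule readable and testable: `def _officer_access(request):` / `    return request.user.is_authenticated() and is_camp_officer(request.user)` and then `officer_files = access_folder_securely("officers", _officer_access)`.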
     (True,       "django.contrib.messages.middleware.MessageMiddleware"),
     (True,       "django.contrib.auth.middleware.AuthenticationMiddleware"),
     (True,       "django.middleware.common.CommonMiddleware"),
+    (True,       "cciw.middleware.auth.PrivateWiki"),
     (True,       "django.middleware.transaction.TransactionMiddleware"),
     (True,       "cciw.middleware.threadlocals.ThreadLocals"),
 )
 #####  DJIKI  ######
 
 DJIKI_IMAGES_PATH = 'wiki/images/'
+DJIKI_ALLOW_ANONYMOUS_EDITS = False
 
 ####################
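Review bot: The position of `cciw.middleware.auth.PrivateWiki` at L138 is load-bearing — it reads `request.user`, which only exists once `AuthenticationMiddleware` (L136) has run, and the class forbids everything when that attribute is absent — but nothing in the tuple says so. A comment on the new line would protect it against reordering: `# Must come after AuthenticationMiddleware: PrivateWiki relies on request.user`. `DJIKI_ALLOW_ANONYMOUS_EDITS = False` at L145 is a useful second layer, since the middleware alone covers only the `/wiki/` prefix.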
 
 from django.contrib import admin
 from django.contrib.auth.models import User
 
-import cciw.officers.views
+import cciw.auth
 
 handler404 = 'cciw.cciwmain.views.handler404'
 
     fields=('first_name__istartswith', 'last_name__istartswith'),
     limit=10,
     label=lambda user: "%s %s <%s>" % (user.first_name, user.last_name, user.email),
-    auth=lambda request: request.user.is_authenticated() and cciw.officers.views._is_camp_admin(request.user)
+    auth=lambda request: request.user.is_authenticated() and cciw.auth.is_camp_admin(request.user)
     )
 
 urlpatterns = patterns('',