
Diego Búrigo Zacarão committed 81e87d8

Adding permissions checking to the projects app view

  • Parent commits a1a6a6a


Files changed (4)

File projects/models.py

         db_table  = 'projects_component'
         ordering  = ('name',)
         get_latest_by = 'created'
+        permissions = (
+            ("clear_cache", "Can clear cache"),
+            ("refresh_stats", "Can refresh statistics"),
+            ("submit_file", "Can submit file"),
+        )
 
     @cached_property
     def trans(self):

File projects/views.py

 from translations.models import (POFile, POFileLock)
 from translations.models import POFile
 from languages.models import Language
+from transifex.decorators import perm_required_with_403
 
 # Feeds
 
 # Projects
 
 @login_required
+@perm_required_with_403('projects.add_project')
+@perm_required_with_403('projects.change_project')
 def project_create_update(request, project_slug=None):
 
     if project_slug:
 
 
 @login_required
+@perm_required_with_403('projects.delete_project')
 def project_delete(request, project_slug):
     project = get_object_or_404(Project, slug=project_slug)
     if request.method == 'POST':
 # Components
 
 @login_required
+@perm_required_with_403('projects.add_component')
+@perm_required_with_403('projects.change_component')
 def component_create_update(request, project_slug, component_slug=None):
     """
     Create & update components. Handles associated units
 
 
 @login_required
+@perm_required_with_403('projects.delete_component')
 def component_delete(request, project_slug, component_slug):
     component = get_object_or_404(Component, slug=component_slug,
                                   project__slug=project_slug)
                                   {'component': component,},
                                   context_instance=RequestContext(request))
 
-
+@login_required
+@perm_required_with_403('projects.refresh_stats')
 def component_set_stats(request, project_slug, component_slug):
     component = get_object_or_404(Component, slug=component_slug,
                                   project__slug=project_slug)
 
 
 @login_required
+@perm_required_with_403('projects.clear_cache')
 def component_clear_cache(request, project_slug, component_slug):
     component = get_object_or_404(Component, slug=component_slug,
                                   project__slug=project_slug)
     return response
 
 @login_required
+@perm_required_with_403('projects.submit_file')
 def component_submit_file(request, project_slug, component_slug, 
                           filename=None):
 
 
 
 @login_required
+@perm_required_with_403('translations.add_pofilelock')
+@perm_required_with_403('translations.delete_pofilelock')
 def component_toggle_lock_file(request, project_slug, component_slug,
                                filename):
     component = get_object_or_404(Component, slug=component_slug,
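Review bot: Stacking `@perm_required_with_403('projects.add_project')` and `@perm_required_with_403('projects.change_project')` on `project_create_update` makes the view demand both permissions on every request, so a user granted only `change_project` can no longer edit an existing project and one holding only `add_project` cannot create one; the same pattern appears on `component_create_update` (`add_component` plus `change_component`) and on `component_toggle_lock_file` (`add_pofilelock` plus `delete_pofilelock`). Because the decorators run before the view body they cannot branch on `project_slug`, so either a single decorator whose test picks the permission from whether the slug is present, or a `has_perm` check inside the view once `project_slug` is known, would express the intended create-vs-update split. Note also that `has_perm('projects.change_project')` is a model-wide check, so anyone holding it may edit every project; if per-project ownership is intended, that still has to be verified against the loaded object inside the view. The body of `project_create_update` continues outside the hunk.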

File templates/403.html

+{% extends "base.html" %}
+{% load i18n %}
+
+{% block title %}{{ block.super }} | {% trans "Forbidden access" %}{% endblock %}
+
+{% block content_title %}
+  <h2 class="pagetitle">{% trans "Forbidden access" %}</h2>
+{% endblock %}
+
+{% block body %}
+
+<p>{% trans "Looks like you do not have the necessary permissions to the required action." %}</p>
+
+{% url home as home %}
+<p>{% blocktrans %}Here's a link to the <a href="{{ home }}">homepage</a>. You know, just in case.{% endblocktrans %}</p>
+
+{% endblock %}

File transifex/decorators.py

+# -*- coding: utf-8 -*-
+from django.shortcuts import render_to_response
+from django.template import RequestContext
+
+def user_passes_test_with_403(test_func, login_url=None):
+    """
+    Decorator for views that checks that the user passes the given test.
+    
+    Users that fail the test will be given a 403 error.
+    """
+    def _dec(view_func):
+        def _checklogin(request, *args, **kwargs):
+            if test_func(request.user):
+                return view_func(request, *args, **kwargs)
+            else:
+                resp = render_to_response('403.html', context_instance=RequestContext(request))
+                resp.status_code = 403
+                return resp
+        _checklogin.__doc__ = view_func.__doc__
+        _checklogin.__dict__ = view_func.__dict__
+        return _checklogin
+    return _dec
+
+def perm_required_with_403(perm):
+    """
+    Decorator for views that checks whether a user has a particular permissions
+    enabled, rendering a 403 page as necessary.
+
+    """
+    return user_passes_test_with_403(lambda u: u.has_perm(perm))
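Review bot: `_checklogin` copies `__doc__` and aliases `__dict__` but not `__name__` or `__module__`, so every decorated view shows up as `_checklogin` in tracebacks and in anything that resolves a view by its function name; the assignment `_checklogin.__dict__ = view_func.__dict__` also makes wrapper and original share one attribute dict, so attributes set on one later appear on the other. Replacing those two lines with `@functools.wraps(view_func)` above `def _checklogin(...)` (plus `import functools`) preserves name, module, docstring and a copied attribute dict. Separately, the `login_url` parameter of `user_passes_test_with_403` is accepted but never read, so an anonymous user hitting a view that carries only this decorator receives the 403 page instead of a login redirect; either drop the parameter or state the assumption in the docstring, e.g. `Assumes authentication is enforced by an outer @login_required; anonymous users simply fail the test and get a 403.`.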