Annikka/evennia
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Adds permissions checks for views involving objects.

Browse source
This commit is contained in:
Johnny 2018-10-23 23:43:40 +00:00
parent 4b3e9bc87e
commit 48b62a258a
1 changed files with 26 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

34
evennia/web/website/views.py
View file

@ -13,7 +13,7 @@ from django.contrib.auth.mixins import LoginRequiredMixin
from django.contrib.admin.views.decorators import staff_member_required from django.contrib.admin.views.decorators import staff_member_required
from django.core.exceptions import PermissionDenied from django.core.exceptions import PermissionDenied
from django.db.models.functions import Lower from django.db.models.functions import Lower
from django.http import HttpResponseRedirect, Http404 from django.http import HttpResponseBadRequest, HttpResponseRedirect, Http404
from django.shortcuts import render from django.shortcuts import render
from django.urls import reverse_lazy from django.urls import reverse_lazy
from django.views.generic import View, TemplateView, ListView, DetailView, FormView from django.views.generic import View, TemplateView, ListView, DetailView, FormView
@ -173,7 +173,8 @@ class EvenniaDeleteView(DeleteView):
class ObjectDetailView(DetailView): class ObjectDetailView(DetailView):
model = ObjectDB model = class_from_module(settings.BASE_OBJECT_TYPECLASS)
access_type = 'view'
def get_object(self, queryset=None): def get_object(self, queryset=None):
""" """
@ -183,19 +184,35 @@ class ObjectDetailView(DetailView):
calculate the same for the object and make sure it matches. calculate the same for the object and make sure it matches.
""" """
obj = super(ObjectDetailView, self).get_object(queryset) if not queryset:
queryset = self.get_queryset()
# Get the object, ignoring all checks and filters
obj = self.model.objects.get(pk=self.kwargs.get('pk'))
# Check if this object was requested in a valid manner
if slugify(obj.name) != self.kwargs.get(self.slug_url_kwarg): if slugify(obj.name) != self.kwargs.get(self.slug_url_kwarg):
raise Http404(u"No %(verbose_name)s found matching the query" % raise HttpResponseBadRequest(u"No %(verbose_name)s found matching the query" %
{'verbose_name': queryset.model._meta.verbose_name}) {'verbose_name': queryset.model._meta.verbose_name})
# Check if account has permissions to access object
account = self.request.user
if not obj.access(account, self.access_type):
raise PermissionDenied(u"You are not authorized to %s this object." % self.access_type)
# Get the object, based on the specified queryset
obj = super(ObjectDetailView, self).get_object(queryset)
return obj return obj
class ObjectCreateView(LoginRequiredMixin, EvenniaCreateView): class ObjectCreateView(LoginRequiredMixin, EvenniaCreateView):
model = ObjectDB model = class_from_module(settings.BASE_OBJECT_TYPECLASS)
class ObjectDeleteView(LoginRequiredMixin, ObjectDetailView, EvenniaDeleteView): class ObjectDeleteView(LoginRequiredMixin, ObjectDetailView, EvenniaDeleteView):
model = ObjectDB model = class_from_module(settings.BASE_OBJECT_TYPECLASS)
access_type = 'delete'
template_name = 'website/object_confirm_delete.html' template_name = 'website/object_confirm_delete.html'
def delete(self, request, *args, **kwargs): def delete(self, request, *args, **kwargs):
@ -212,7 +229,8 @@ class ObjectDeleteView(LoginRequiredMixin, ObjectDetailView, EvenniaDeleteView):
class ObjectUpdateView(LoginRequiredMixin, ObjectDetailView, EvenniaUpdateView): class ObjectUpdateView(LoginRequiredMixin, ObjectDetailView, EvenniaUpdateView):
model = ObjectDB model = class_from_module(settings.BASE_OBJECT_TYPECLASS)
access_type = 'edit'
def get_initial(self): def get_initial(self):
""" """