From 1ef73b5a766c4d24bb81afd6fe6c11d4a561c5f0 Mon Sep 17 00:00:00 2001
From: Robert Sparks
Date: Thu, 13 Mar 2014 20:45:06 +0000
Subject: [PATCH] Reworked the worst of the conflicting permissions policies
 - Legacy-Id: 7458
---
 ietf/meeting/ajax.py | 46 ++++++++++++++-----------------------
 ietf/meeting/tests_api.py | 13 ++++-------
 ietf/meeting/views.py | 17 +++++++++-----
 ietf/secr/meetings/views.py | 3 ++-
 4 files changed, 35 insertions(+), 44 deletions(-)
diff --git a/ietf/meeting/ajax.py b/ietf/meeting/ajax.py
index 7177c40ce..28e2ae2e2 100644
--- a/ietf/meeting/ajax.py
+++ b/ietf/meeting/ajax.py
@@ -4,6 +4,7 @@ import datetime
 from django.core.urlresolvers import reverse
 from django.shortcuts import get_object_or_404, redirect
 from django.http import HttpResponseRedirect, HttpResponse
+from django.views.decorators.http import require_POST
 from dajaxice.decorators import dajaxice_register
 from ietf.ietfauth.utils import role_required, has_role, user_is_person
@@ -316,47 +317,34 @@ def agenda_add(request, meeting):
 else:
 return redirect(edit_agenda, meeting.number, newagenda.name)
-@role_required('Area Director','Secretariat')
+@require_POST
 def agenda_update(request, meeting, schedule):
 # forms are completely useless for update actions that want to
 # accept a subset of values. (huh? we could use required=False)
- #debug.log("99 meeting.agenda: %s / %s / %s" %
- # (schedule, update_dict, request.body))
-
 user = request.user
+ if not user.is_authenticated():
+ return HttpResponse({'error':'no permission'}, status=403)
+
 cansee,canedit = agenda_permissions(meeting, schedule, request.user)
 read_only = not canedit
- if has_role(user, "Secretariat"):
- if "public" in request.POST:
- value1 = True
- value = request.POST["public"]
- if value == "0" or value == 0 or value=="false":
- value1 = False
- #debug.log("setting public for %s to %s" % (schedule, value1))
- schedule.public = value1
+ def is_truthy_enough(value):
+ return not (value == "0" or value == 0 or value=="false")
- if "visible" in request.POST and cansee:
- value1 = True
- value = request.POST["visible"]
- if value == "0" or value == 0 or value=="false":
- value1 = False
- #debug.log("setting visible for %s to %s" % (schedule, value1))
- schedule.visible = value1
- if has_role(user, "Secretariat") and canedit:
- if "name" in request.POST:
- value = request.POST["name"]
- #log.debug("setting name for %s to %s" % (schedule, value))
- schedule.name = value
- else:
- return HttpResponse({'error':'no permission'}, status=401)
+ # TODO: Secretariat should always get canedit
+ if not (canedit or has_role(user, "Secretariat")):
+ return HttpResponse({'error':'no permission'}, status=403)
+
+ if "public" in request.POST:
+ schedule.public = is_truthy_enough(request.POST["public"])
+
+ if "visible" in request.POST:
+ schedule.visible = is_truthy_enough(request.POST["visible"])
 if "name" in request.POST:
- value = request.POST["name"]
- #debug.log("setting name for %s to %s" % (schedule, value))
- schedule.name = value
+ schedule.name = request.POST["name"]
 schedule.save()
diff --git a/ietf/meeting/tests_api.py b/ietf/meeting/tests_api.py
index 01e0bcc83..0f8db0bc5 100644
--- a/ietf/meeting/tests_api.py
+++ b/ietf/meeting/tests_api.py
@@ -294,16 +294,13 @@ class ApiTests(TestCase):
 'name': 'new-test-name',
 }
- # unauthorized post
- self.client.login(remote_user="plain")
+ # unauthorized posts
+ self.client.logout()
+ r = self.client.post(url, post_data)
+ self.assertEqual(r.status_code, 403)
+ self.client.login(remote_user="ad")
 r = self.client.post(url, post_data)
 self.assertEqual(r.status_code, 403)
-
- # TODO - permission protection on this function are not right
- # Normal users are prevented from changing public/private on their own schedule
- # The secretariat can't change normal user's agendas settings for them, and the
- # page at /meeting//schedule//details behaves badly for the secretariat
- # (pushing save seems to do nothing as the POST 401s in the background)
 # change agenda
 self.client.login(remote_user="secretary")
diff --git a/ietf/meeting/views.py b/ietf/meeting/views.py
index 44a0a0d30..29bcfbcfa 100644
--- a/ietf/meeting/views.py
+++ b/ietf/meeting/views.py
@@ -12,7 +12,7 @@ from tempfile import mkstemp
 from django import forms
 from django.shortcuts import render_to_response, get_object_or_404, redirect
-from django.http import HttpResponse, Http404
+from django.http import HttpResponse, HttpResponseForbidden, Http404
 from django.core.urlresolvers import reverse
 from django.db.models import Q
 from django.template import RequestContext
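Review bot: `is_truthy_enough` in the new `agenda_update` body treats everything except `"0"`, `0` and `"false"` as true, so a client that posts `"False"`, `"off"`, `"no"` or an empty string for `public` or `visible` flips the schedule to public/visible — the fail-open direction for an exposure flag — and the `value == 0` arm can never match because POST values are strings. Fail closed on an explicit allow-list instead, `return str(value).strip().lower() in ("1", "true", "yes", "on")`, keeping the old spellings only if a caller is known to rely on them. Both error paths still hand a dict to `HttpResponse(...)`; Django treats a non-string iterable as response chunks and joins its keys, so the body the caller sees is the literal text `error` — serialise it (`json.dumps({'error': 'no permission'})` with `content_type="application/json"`) if the module already imports json. `schedule.name` is now writable by any owner with no validation before `save()`; a `schedule.full_clean()` would reject over-long or duplicate names that later break URL reversal. Whatever follows `schedule.save()` in `agenda_update` is outside the hunk.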
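Review bot: The new assertions only pin two 403 paths; nothing in this hunk exercises the behaviour the commit actually enables — a non-secretariat owner changing `public`, `visible` or `name` on their own schedule — so a regression back to the old Secretariat-only gate would still pass. The denied cases also stop at the status code; refetching the schedule after each 403 and asserting `public`, `visible` and `name` are unchanged would prove the rejected request had no side effect (the fixture's schedule object is not visible in this hunk, so I can't name it). The test method begins before line 294 and continues past the hunk.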
@@ -322,11 +322,16 @@ def edit_agenda_properties(request, num=None, name=None):
 schedule = get_schedule(meeting, name)
 form = AgendaPropertiesForm(instance=schedule)
- return HttpResponse(render_to_string("meeting/properties_edit.html",
- {"schedule":schedule,
- "form":form,
- "meeting":meeting},
- RequestContext(request)), content_type="text/html")
+ cansee, canedit = agenda_permissions(meeting, schedule, request.user)
+
+ if not (canedit or has_role(request.user,'Secretariat')):
+ return HttpResponseForbidden("You may not edit this agenda")
+ else:
+ return HttpResponse(render_to_string("meeting/properties_edit.html",
+ {"schedule":schedule,
+ "form":form,
+ "meeting":meeting},
+ RequestContext(request)), content_type="text/html")
 ##############################################################################
 # show list of agendas.
diff --git a/ietf/secr/meetings/views.py b/ietf/secr/meetings/views.py
index 209965de9..77ebde8f2 100644
--- a/ietf/secr/meetings/views.py
+++ b/ietf/secr/meetings/views.py
@@ -278,7 +278,8 @@ def add(request):
 owner = Person.objects.get(name='(System)'),
 visible = True,
 public = True)
- meeting.set_official_agenda(schedule)
+ meeting.agenda = schedule
+ meeting.save()
 #Create Physical new meeting directory and subdirectories
 make_directories(meeting)
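Review bot: The authorization predicate `canedit or has_role(request.user, 'Secretariat')` is now written out here and again in `agenda_update` in ajax.py, where a TODO already says Secretariat should get `canedit` from `agenda_permissions` itself; moving the role check into `agenda_permissions` (or one shared `can_edit_agenda(user, meeting, schedule)` helper) gives the GET page and the POST handler a single policy that cannot drift apart. In this hunk `cansee` is unpacked and never used and the `else:` after a `return` is redundant — `_, canedit = agenda_permissions(meeting, schedule, request.user)` followed by the guard and an unindented `return HttpResponse(...)` reads more plainly. Whether an anonymous request can reach this view is not visible here; if it is not login-protected elsewhere, `agenda_permissions` must yield `canedit=False` for `AnonymousUser`, which deserves a test. `edit_agenda_properties` begins before the hunk.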
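Review bot: Replacing `meeting.set_official_agenda(schedule)` with a bare `meeting.agenda = schedule` / `meeting.save()` removes the one chokepoint through which the official agenda changed, so anything that method did beyond the assignment — checking the schedule belongs to this meeting, logging the switch — is silently skipped on this path; the method body is not in the diff, so confirm it was only the assignment plus save and delete it, otherwise keep calling it. The schedule created just above is `visible = True, public = True` from birth, which may be right for a secretariat-created, system-owned agenda but is worth a one-line comment (`# official agenda: public from creation`) since the same defaults would be wrong for a user draft. The `add` view starts and ends outside the hunk.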