From bf8c99513bbcfab148fd4419731da13acc043080 Mon Sep 17 00:00:00 2001
From: j
Date: Wed, 25 Jan 2017 00:07:04 +0100
Subject: [PATCH] no access to private documents

---
 pandora/config.indiancinema.jsonc | 2 +-
 pandora/document/models.py | 17 +++++++--
 pandora/document/views.py | 21 ++++++-----
 static/js/utils.js | 60 ++++++++++++++++---------------
 4 files changed, 61 insertions(+), 39 deletions(-)

diff --git a/pandora/config.indiancinema.jsonc b/pandora/config.indiancinema.jsonc
index 085fd3fd..c03a3ff7 100644
--- a/pandora/config.indiancinema.jsonc
+++ b/pandora/config.indiancinema.jsonc
@@ -72,7 +72,7 @@
 "canSeeDebugMenu": {"researcher": true, "staff": true, "admin": true},
 "canSeeExtraItemViews": {"researcher": true, "staff": true, "admin": true},
 "canSeeMedia": {"researcher": true, "staff": true, "admin": true},
- "canSeeDocument": {"guest": 3, "member": 3, "researcher": 3, "staff": 3, "admin": 3},
+ "canSeeDocument": {"guest": 1, "member": 1, "researcher": 2, "staff": 3, "admin": 3},
 "canSeeItem": {"guest": 3, "member": 3, "researcher": 3, "staff": 3, "admin": 3},
 "canSeeSize": {"researcher": true, "staff": true, "admin": true},
 "canSeeSoftwareVersion": {"researcher": true, "staff": true, "admin": true},
diff --git a/pandora/document/models.py b/pandora/document/models.py
index e9db0b36..3326886e 100644
--- a/pandora/document/models.py
+++ b/pandora/document/models.py
@@ -309,8 +309,18 @@ class Document(models.Model):
 def get_id(self):
 return ox.toAZ(self.id)
 
- def accessible(self, user):
- return self.user == user or self.status in ('public', 'featured')
+ def access(self, user):
+ if user.is_anonymous():
+ level = 'guest'
+ else:
+ level = user.profile.get_level()
+ editable = self.editable(user)
+ if editable:
+ return True
+ allowed_level = settings.CONFIG['capabilities']['canSeeDocument'][level]
+ if self.rightslevel <= allowed_level:
+ return True
+ return False
 
 def editable(self, user, item=None):
 if not user or user.is_anonymous():
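Review bot: The new per-role numbers in `canSeeDocument` are thresholds compared against `Document.rightslevel` (the `access()` method added to models.py in this commit returns True when `self.rightslevel <= allowed_level`), but nothing in the config says what the values mean. Since this is a jsonc file, a line comment above the key would carry that contract: `// rightslevel threshold: a role sees a document when document.rightslevel <= its value; users who can edit the document always see it`. `access()` indexes the role name directly, so a site config that lacks one of the roles would raise KeyError there; whether other site configs carry the key cannot be seen from this diff.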
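Review bot: `access()` calls `user.is_anonymous()` without the `not user` guard that the neighbouring `editable()` applies (`if not user or user.is_anonymous():`), so a `None` user raises AttributeError instead of being treated as a guest; the first line should mirror the sibling: `if not user or user.is_anonymous():`. The closing `if ...: return True` / `return False` pair can be `return self.rightslevel <= allowed_level`. The method has no docstring; something like `"""True if user may view this document: anyone who can edit it, otherwise only when rightslevel is within the role's canSeeDocument level."""` states the contract. The rename from `accessible()` to `access()` breaks any caller of the old name outside this diff, which cannot be checked here.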
@@ -339,6 +349,8 @@ class Document(models.Model):
 'data-value',
 'lang'
 ])
+ elif key == 'rightslevel':
+ setattr(self, key, int(data[key]))
 elif ktype == 'text':
 self.data[key] = ox.sanitize_html(data[key])
 elif ktype == '[text]':
@@ -378,6 +390,7 @@ class Document(models.Model):
 'matches',
 'ratio',
 'size',
+ 'rightslevel',
 ):
 return getattr(self, key)
 elif key == 'user':
diff --git a/pandora/document/views.py b/pandora/document/views.py
index f96987fa..d8d356da 100644
--- a/pandora/document/views.py
+++ b/pandora/document/views.py
@@ -27,13 +27,16 @@ from changelog.models import add_changelog
 from . import models
 
 
-def get_document_or_404_json(id):
+def get_document_or_404_json(request, id):
+ response = {'status': {'code': 404,
+ 'text': 'Document not found'}}
 try:
- return models.Document.get(id)
+ document = models.Document.get(id)
 except:
- response = {'status': {'code': 404,
- 'text': 'Document not found'}}
 raise HttpErrorJson(response)
+ if not document.access(request.user):
+ raise HttpErrorJson(response)
+ return document
 
 @login_required_json
 def addDocument(request, data):
@@ -284,7 +287,7 @@ def getDocument(request, data):
 '''
 response = json_response({})
 data['keys'] = data.get('keys', [])
- document = get_document_or_404_json(data['id'])
+ document = get_document_or_404_json(request, data['id'])
 response['data'] = document.json(keys=data['keys'], user=request.user)
 return render_to_json_response(response)
 actions.register(getDocument)
@@ -367,12 +370,12 @@ def sortDocuments(request, data):
 actions.register(sortDocuments, cache=False)
 
 def file(request, id, name=None):
- document = models.Document.get(id)
+ document = get_document_or_404_json(request, id)
 return HttpFileResponse(document.file.path)
 
 def thumbnail(request, id, size=256, page=None):
 size = int(size)
- document = get_document_or_404_json(id)
+ document = get_document_or_404_json(request, id)
 return HttpFileResponse(document.thumbnail(size, page=page))
 
 @login_required_json
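Review bot: `int(data[key])` in the new `rightslevel` branch converts client-supplied input directly, so a non-numeric or null value raises ValueError/TypeError out of the edit call instead of being rejected; guard it with `try: setattr(self, key, int(data[key]))` / `except (TypeError, ValueError): pass`, or validate the range first. The enclosing method starts outside the hunk, so it is not visible here whether only users for whom `editable()` holds reach this branch; since lowering `rightslevel` widens who passes the new `access()` check, that restriction matters and deserves a comment at the branch, e.g. `# rightslevel is compared against canSeeDocument in access(); only editors may change it`. Exposing the field through `json()` in the hunk at -378 is fine.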
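Review bot: `get_document_or_404_json()` keeps a bare `except:` around `models.Document.get(id)`, so any programming error in the lookup is also reported as a 404; narrow it to the exception `Document.get` raises for an unknown id (`models.Document.DoesNotExist` if that is the model query, which is not visible here). Answering an inaccessible document with the same 404 payload as a missing one is a sound choice because it does not reveal which ids exist; a docstring saying so would keep a later edit from "fixing" it to 403: `"""Return the document or raise a 404 JSON error; the same 404 is raised when request.user may not access it, so existence is not leaked."""`. The added `request` parameter means any caller of the old `get_document_or_404_json(id)` outside this diff now fails with TypeError.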
@@ -400,7 +403,7 @@ def upload(request):
 file.extension = extension
 file.uploading = True
 file.save()
- else:
+ elif file.editable(request.user):
 #replace existing file
 if file.file:
 file.delete_cache()
@@ -411,6 +414,8 @@ def upload(request):
 file.width = -1
 file.pages = -1
 file.save()
+ else:
+ return render_to_json_response(response)
 upload_url = '/api/upload/document?id=%s' % file.get_id()
 return render_to_json_response({
 'uploadUrl': upload_url,
diff --git a/static/js/utils.js b/static/js/utils.js
index 98722721..864dea50 100644
--- a/static/js/utils.js
+++ b/static/js/utils.js
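Review bot: The new `else:` in the hunk at -411 returns `response` when the caller may not replace the existing file, but `response` is built earlier in `upload()` (outside the hunk); if it is still the default success-shaped object, the client receives a reply without `uploadUrl` and no indication that permission was the reason. Set an explicit error status before returning, in the same shape `get_document_or_404_json` uses: `response['status'] = {'code': 403, 'text': 'permission denied'}` — or 404 if the project prefers not to confirm that the document exists. A short comment on the `elif file.editable(request.user):` line, e.g. `# only editors may replace an existing file`, would make the three-way branch easier to read.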
@@ -1964,36 +1964,40 @@ pandora.getSpan = function(state, val, callback) {
 // fixme: "subtitles:23" is still missing
 Ox.Log('URL', 'getSpan', state, val);
 if (state.type == 'documents') {
- pandora.api.getDocument({
- id: state.item,
- keys: ['dimensions', 'extension']
- }, function(result) {
- var dimensions = result.data.dimensions,
- extension = result.data.extension,
- values;
- if (Ox.contains(['epub', 'pdf', 'txt'], extension)) {
- state.span = Ox.limit(parseInt(val), 1, dimensions);
- } else if (Ox.contains(['html'], extension)) {
- state.span = Ox.limit(parseInt(val), 0, 100);
- } else if (Ox.contains(['gif', 'jpg', 'png'], extension)) {
- values = val.split(',');
- if (values.length == 4) {
- state.span = values.map(function(number, index) {
- return Ox.limit(number, 0, dimensions[index % 2]);
- });
- state.span = [
- Math.min(state.span[0], state.span[2]),
- Math.min(state.span[1], state.span[3]),
- Math.max(state.span[0], state.span[2]),
- Math.max(state.span[1], state.span[3]),
- ];
- } else {
- state.span = '';
+ if (state.item) {
+ pandora.api.getDocument({
+ id: state.item,
+ keys: ['dimensions', 'extension']
+ }, function(result) {
+ var dimensions = result.data.dimensions,
+ extension = result.data.extension,
+ values;
+ if (Ox.contains(['epub', 'pdf', 'txt'], extension)) {
+ state.span = Ox.limit(parseInt(val), 1, dimensions);
+ } else if (Ox.contains(['html'], extension)) {
+ state.span = Ox.limit(parseInt(val), 0, 100);
+ } else if (Ox.contains(['gif', 'jpg', 'png'], extension)) {
+ values = val.split(',');
+ if (values.length == 4) {
+ state.span = values.map(function(number, index) {
+ return Ox.limit(number, 0, dimensions[index % 2]);
+ });
+ state.span = [
+ Math.min(state.span[0], state.span[2]),
+ Math.min(state.span[1], state.span[3]),
+ Math.max(state.span[0], state.span[2]),
+ Math.max(state.span[1], state.span[3]),
+ ];
+ } else {
+ state.span = '';
+ }
 }
- }
- Ox.Log('URL', 'getSpan result', state);
+ Ox.Log('URL', 'getSpan result',
state);
+ callback();
+ });
+ } else {
 callback();
- });
+ }
 } else if (state.type == pandora.site.itemName.plural.toLowerCase()) {
 var isArray = Ox.isArray(val),
 isName, isVideoView, canBeAnnotation, canBeEvent, canBePlace;
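Review bot: Inside the `getDocument` callback the new code still reads `result.data.dimensions` unguarded, and with this commit the server answers an inaccessible or unknown document with the 404 JSON body built by `get_document_or_404_json`, which carries a `status` but no `data`; if `pandora.api` hands that body to the callback unchanged (inferred, not shown here), the callback throws a TypeError and `callback()` never runs. Guard it at the top of the callback: `if (!result.data) { state.span = ''; callback(); return; }`. The rest of the hunk is a re-indentation under the new `if (state.item)` guard, which makes the actual change hard to see; moving the document branch into a helper, or guarding with an early `callback()` return instead of nesting, would have kept the diff to the new condition.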