no access to private documents

This commit is contained in:
j 2017-01-25 00:07:04 +01:00
parent c5d961a946
commit bf8c99513b
4 changed files with 61 additions and 39 deletions


@ -72,7 +72,7 @@
"canSeeDebugMenu": {"researcher": true, "staff": true, "admin": true}, "canSeeDebugMenu": {"researcher": true, "staff": true, "admin": true},
"canSeeExtraItemViews": {"researcher": true, "staff": true, "admin": true}, "canSeeExtraItemViews": {"researcher": true, "staff": true, "admin": true},
"canSeeMedia": {"researcher": true, "staff": true, "admin": true}, "canSeeMedia": {"researcher": true, "staff": true, "admin": true},
"canSeeDocument": {"guest": 3, "member": 3, "researcher": 3, "staff": 3, "admin": 3}, "canSeeDocument": {"guest": 1, "member": 1, "researcher": 2, "staff": 3, "admin": 3},
"canSeeItem": {"guest": 3, "member": 3, "researcher": 3, "staff": 3, "admin": 3}, "canSeeItem": {"guest": 3, "member": 3, "researcher": 3, "staff": 3, "admin": 3},
"canSeeSize": {"researcher": true, "staff": true, "admin": true}, "canSeeSize": {"researcher": true, "staff": true, "admin": true},
"canSeeSoftwareVersion": {"researcher": true, "staff": true, "admin": true}, "canSeeSoftwareVersion": {"researcher": true, "staff": true, "admin": true},
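Review bot: The new per-role numbers in `canSeeDocument` are, judging by the models change in this commit, the highest `rightslevel` a role may view, but nothing on this page documents the tiers (the visible values are 1, 2 and 3) and the JSON file cannot carry a comment. A short description of the levels in the site's config documentation, or a `rightslevel` entry next to the other documented keys, would keep admins from misreading what 1/2/3 mean. `canSeeItem` stays at 3 for every role, so this commit gates documents only.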


@ -309,8 +309,18 @@ class Document(models.Model):
def get_id(self): def get_id(self):
return ox.toAZ(self.id) return ox.toAZ(self.id)
def accessible(self, user): def access(self, user):
return self.user == user or self.status in ('public', 'featured') if user.is_anonymous():
level = 'guest'
else:
level = user.profile.get_level()
editable = self.editable(user)
if editable:
return True
allowed_level = settings.CONFIG['capabilities']['canSeeDocument'][level]
if self.rightslevel <= allowed_level:
return True
return False
def editable(self, user, item=None): def editable(self, user, item=None):
if not user or user.is_anonymous(): if not user or user.is_anonymous():
@ -339,6 +349,8 @@ class Document(models.Model):
'data-value', 'data-value',
'lang' 'lang'
]) ])
elif key == 'rightslevel':
setattr(self, key, int(data[key]))
elif ktype == 'text': elif ktype == 'text':
self.data[key] = ox.sanitize_html(data[key]) self.data[key] = ox.sanitize_html(data[key])
elif ktype == '[text]': elif ktype == '[text]':
@ -378,6 +390,7 @@ class Document(models.Model):
'matches', 'matches',
'ratio', 'ratio',
'size', 'size',
'rightslevel',
): ):
return getattr(self, key) return getattr(self, key)
elif key == 'user': elif key == 'user':
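Review bot: In the new `access()` (hunk at 309), `settings.CONFIG['capabilities']['canSeeDocument'][level]` raises KeyError when `user.profile.get_level()` returns a level that is not a key of the config mapping, which surfaces as an unhandled error rather than a denial; a defensive lookup such as `allowed_level = settings.CONFIG['capabilities']['canSeeDocument'].get(level, settings.CONFIG['capabilities']['canSeeDocument']['guest'])` keeps unknown levels at guest visibility. The rewrite also drops the old `self.status in ('public', 'featured')` test, so visibility is now decided by `rightslevel` alone, which deserves a docstring on `access()`, e.g. `"""True if user may view this document: editors always, others only when rightslevel <= the canSeeDocument level for their role."""`. The rename from `accessible` to `access` is fine as long as no caller outside this diff still uses the old name. The `rightslevel` assignment in the hunk at 339 does `int(data[key])` on client-supplied data with no range check, so a non-numeric value is an unhandled ValueError and an out-of-range value is stored as-is; that enclosing method starts and ends outside the hunk.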


@ -27,13 +27,16 @@ from changelog.models import add_changelog
from . import models from . import models
def get_document_or_404_json(id): def get_document_or_404_json(request, id):
response = {'status': {'code': 404,
'text': 'Document not found'}}
try: try:
return models.Document.get(id) document = models.Document.get(id)
except: except:
response = {'status': {'code': 404,
'text': 'Document not found'}}
raise HttpErrorJson(response) raise HttpErrorJson(response)
if not document.access(request.user):
raise HttpErrorJson(response)
return document
@login_required_json @login_required_json
def addDocument(request, data): def addDocument(request, data):
@ -284,7 +287,7 @@ def getDocument(request, data):
''' '''
response = json_response({}) response = json_response({})
data['keys'] = data.get('keys', []) data['keys'] = data.get('keys', [])
document = get_document_or_404_json(data['id']) document = get_document_or_404_json(request, data['id'])
response['data'] = document.json(keys=data['keys'], user=request.user) response['data'] = document.json(keys=data['keys'], user=request.user)
return render_to_json_response(response) return render_to_json_response(response)
actions.register(getDocument) actions.register(getDocument)
@ -367,12 +370,12 @@ def sortDocuments(request, data):
actions.register(sortDocuments, cache=False) actions.register(sortDocuments, cache=False)
def file(request, id, name=None): def file(request, id, name=None):
document = models.Document.get(id) document = get_document_or_404_json(request, id)
return HttpFileResponse(document.file.path) return HttpFileResponse(document.file.path)
def thumbnail(request, id, size=256, page=None): def thumbnail(request, id, size=256, page=None):
size = int(size) size = int(size)
document = get_document_or_404_json(id) document = get_document_or_404_json(request, id)
return HttpFileResponse(document.thumbnail(size, page=page)) return HttpFileResponse(document.thumbnail(size, page=page))
@login_required_json @login_required_json
@ -400,7 +403,7 @@ def upload(request):
file.extension = extension file.extension = extension
file.uploading = True file.uploading = True
file.save() file.save()
else: elif file.editable(request.user):
#replace existing file #replace existing file
if file.file: if file.file:
file.delete_cache() file.delete_cache()
@ -411,6 +414,8 @@ def upload(request):
file.width = -1 file.width = -1
file.pages = -1 file.pages = -1
file.save() file.save()
else:
return render_to_json_response(response)
upload_url = '/api/upload/document?id=%s' % file.get_id() upload_url = '/api/upload/document?id=%s' % file.get_id()
return render_to_json_response({ return render_to_json_response({
'uploadUrl': upload_url, 'uploadUrl': upload_url,
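Review bot: The new `else:` branch in `upload()` (hunk at 411) returns `response` when the caller may not replace the existing file, but nothing in the hunk shows `response` carrying an error status, so a denied replace presumably comes back looking like a normal reply that merely lacks `uploadUrl`; an explicit denial such as `response = json_response(status=403, text='permission denied')` before the return would make the outcome unambiguous for the client (`upload()` starts and ends outside the hunk). Returning the same 404 from `get_document_or_404_json` for both a missing and an inaccessible document is a good choice, since it does not reveal whether a private document exists. One caveat for `file()` and `thumbnail()`: the check only covers requests routed through these views, so it is worth confirming that the directory behind `document.file.path` is not also served directly by the web server.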


@ -1964,36 +1964,40 @@ pandora.getSpan = function(state, val, callback) {
// fixme: "subtitles:23" is still missing // fixme: "subtitles:23" is still missing
Ox.Log('URL', 'getSpan', state, val); Ox.Log('URL', 'getSpan', state, val);
if (state.type == 'documents') { if (state.type == 'documents') {
pandora.api.getDocument({ if (state.item) {
id: state.item, pandora.api.getDocument({
keys: ['dimensions', 'extension'] id: state.item,
}, function(result) { keys: ['dimensions', 'extension']
var dimensions = result.data.dimensions, }, function(result) {
extension = result.data.extension, var dimensions = result.data.dimensions,
values; extension = result.data.extension,
if (Ox.contains(['epub', 'pdf', 'txt'], extension)) { values;
state.span = Ox.limit(parseInt(val), 1, dimensions); if (Ox.contains(['epub', 'pdf', 'txt'], extension)) {
} else if (Ox.contains(['html'], extension)) { state.span = Ox.limit(parseInt(val), 1, dimensions);
state.span = Ox.limit(parseInt(val), 0, 100); } else if (Ox.contains(['html'], extension)) {
} else if (Ox.contains(['gif', 'jpg', 'png'], extension)) { state.span = Ox.limit(parseInt(val), 0, 100);
values = val.split(','); } else if (Ox.contains(['gif', 'jpg', 'png'], extension)) {
if (values.length == 4) { values = val.split(',');
state.span = values.map(function(number, index) { if (values.length == 4) {
return Ox.limit(number, 0, dimensions[index % 2]); state.span = values.map(function(number, index) {
}); return Ox.limit(number, 0, dimensions[index % 2]);
state.span = [ });
Math.min(state.span[0], state.span[2]), state.span = [
Math.min(state.span[1], state.span[3]), Math.min(state.span[0], state.span[2]),
Math.max(state.span[0], state.span[2]), Math.min(state.span[1], state.span[3]),
Math.max(state.span[1], state.span[3]), Math.max(state.span[0], state.span[2]),
]; Math.max(state.span[1], state.span[3]),
} else { ];
state.span = ''; } else {
state.span = '';
}
} }
} Ox.Log('URL', 'getSpan result', state);
Ox.Log('URL', 'getSpan result', state); callback();
});
} else {
callback(); callback();
}); }
} else if (state.type == pandora.site.itemName.plural.toLowerCase()) { } else if (state.type == pandora.site.itemName.plural.toLowerCase()) {
var isArray = Ox.isArray(val), var isArray = Ox.isArray(val),
isName, isVideoView, canBeAnnotation, canBeEvent, canBePlace; isName, isVideoView, canBeAnnotation, canBeEvent, canBePlace;
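Review bot: The new `else` branch for a documents state with no `state.item` calls `callback()` without touching `state.span`, so whatever span the state already held is passed through unchanged; if a stale value is possible there, `state.span = '';` before `callback();` would mirror what the image branch does on bad input — to be confirmed against how `state` is built by the caller. The lines moved into the new `if (state.item)` block still call `parseInt(val)` without a radix; `parseInt(val, 10)` avoids surprises on values with a leading zero. `getSpan` continues past the end of the hunk.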