no access to private documents

This commit is contained in:
j 2017-01-25 00:07:04 +01:00
parent c5d961a946
commit bf8c99513b
4 changed files with 61 additions and 39 deletions

View file

@ -72,7 +72,7 @@
"canSeeDebugMenu": {"researcher": true, "staff": true, "admin": true},
"canSeeExtraItemViews": {"researcher": true, "staff": true, "admin": true},
"canSeeMedia": {"researcher": true, "staff": true, "admin": true},
"canSeeDocument": {"guest": 3, "member": 3, "researcher": 3, "staff": 3, "admin": 3},
"canSeeDocument": {"guest": 1, "member": 1, "researcher": 2, "staff": 3, "admin": 3},
"canSeeItem": {"guest": 3, "member": 3, "researcher": 3, "staff": 3, "admin": 3},
"canSeeSize": {"researcher": true, "staff": true, "admin": true},
"canSeeSoftwareVersion": {"researcher": true, "staff": true, "admin": true},

View file

@ -309,8 +309,18 @@ class Document(models.Model):
def get_id(self):
return ox.toAZ(self.id)
def accessible(self, user):
return self.user == user or self.status in ('public', 'featured')
def access(self, user):
if user.is_anonymous():
level = 'guest'
else:
level = user.profile.get_level()
editable = self.editable(user)
if editable:
return True
allowed_level = settings.CONFIG['capabilities']['canSeeDocument'][level]
if self.rightslevel <= allowed_level:
return True
return False
def editable(self, user, item=None):
if not user or user.is_anonymous():
@ -339,6 +349,8 @@ class Document(models.Model):
'data-value',
'lang'
])
elif key == 'rightslevel':
setattr(self, key, int(data[key]))
elif ktype == 'text':
self.data[key] = ox.sanitize_html(data[key])
elif ktype == '[text]':
@ -378,6 +390,7 @@ class Document(models.Model):
'matches',
'ratio',
'size',
'rightslevel',
):
return getattr(self, key)
elif key == 'user':

View file

@ -27,13 +27,16 @@ from changelog.models import add_changelog
from . import models
def get_document_or_404_json(id):
def get_document_or_404_json(request, id):
response = {'status': {'code': 404,
'text': 'Document not found'}}
try:
return models.Document.get(id)
document = models.Document.get(id)
except:
response = {'status': {'code': 404,
'text': 'Document not found'}}
raise HttpErrorJson(response)
if not document.access(request.user):
raise HttpErrorJson(response)
return document
@login_required_json
def addDocument(request, data):
@ -284,7 +287,7 @@ def getDocument(request, data):
'''
response = json_response({})
data['keys'] = data.get('keys', [])
document = get_document_or_404_json(data['id'])
document = get_document_or_404_json(request, data['id'])
response['data'] = document.json(keys=data['keys'], user=request.user)
return render_to_json_response(response)
actions.register(getDocument)
@ -367,12 +370,12 @@ def sortDocuments(request, data):
actions.register(sortDocuments, cache=False)
def file(request, id, name=None):
document = models.Document.get(id)
document = get_document_or_404_json(request, id)
return HttpFileResponse(document.file.path)
def thumbnail(request, id, size=256, page=None):
size = int(size)
document = get_document_or_404_json(id)
document = get_document_or_404_json(request, id)
return HttpFileResponse(document.thumbnail(size, page=page))
@login_required_json
@ -400,7 +403,7 @@ def upload(request):
file.extension = extension
file.uploading = True
file.save()
else:
elif file.editable(request.user):
#replace existing file
if file.file:
file.delete_cache()
@ -411,6 +414,8 @@ def upload(request):
file.width = -1
file.pages = -1
file.save()
else:
return render_to_json_response(response)
upload_url = '/api/upload/document?id=%s' % file.get_id()
return render_to_json_response({
'uploadUrl': upload_url,

View file

@ -1964,36 +1964,40 @@ pandora.getSpan = function(state, val, callback) {
// fixme: "subtitles:23" is still missing
Ox.Log('URL', 'getSpan', state, val);
if (state.type == 'documents') {
pandora.api.getDocument({
id: state.item,
keys: ['dimensions', 'extension']
}, function(result) {
var dimensions = result.data.dimensions,
extension = result.data.extension,
values;
if (Ox.contains(['epub', 'pdf', 'txt'], extension)) {
state.span = Ox.limit(parseInt(val), 1, dimensions);
} else if (Ox.contains(['html'], extension)) {
state.span = Ox.limit(parseInt(val), 0, 100);
} else if (Ox.contains(['gif', 'jpg', 'png'], extension)) {
values = val.split(',');
if (values.length == 4) {
state.span = values.map(function(number, index) {
return Ox.limit(number, 0, dimensions[index % 2]);
});
state.span = [
Math.min(state.span[0], state.span[2]),
Math.min(state.span[1], state.span[3]),
Math.max(state.span[0], state.span[2]),
Math.max(state.span[1], state.span[3]),
];
} else {
state.span = '';
if (state.item) {
pandora.api.getDocument({
id: state.item,
keys: ['dimensions', 'extension']
}, function(result) {
var dimensions = result.data.dimensions,
extension = result.data.extension,
values;
if (Ox.contains(['epub', 'pdf', 'txt'], extension)) {
state.span = Ox.limit(parseInt(val), 1, dimensions);
} else if (Ox.contains(['html'], extension)) {
state.span = Ox.limit(parseInt(val), 0, 100);
} else if (Ox.contains(['gif', 'jpg', 'png'], extension)) {
values = val.split(',');
if (values.length == 4) {
state.span = values.map(function(number, index) {
return Ox.limit(number, 0, dimensions[index % 2]);
});
state.span = [
Math.min(state.span[0], state.span[2]),
Math.min(state.span[1], state.span[3]),
Math.max(state.span[0], state.span[2]),
Math.max(state.span[1], state.span[3]),
];
} else {
state.span = '';
}
}
}
Ox.Log('URL', 'getSpan result', state);
Ox.Log('URL', 'getSpan result', state);
callback();
});
} else {
callback();
});
}
} else if (state.type == pandora.site.itemName.plural.toLowerCase()) {
var isArray = Ox.isArray(val),
isName, isVideoView, canBeAnnotation, canBeEvent, canBePlace;