check canManageUsers capability to provide access to manage users api, fixes #1564

This commit is contained in:
j 2013-06-02 10:40:41 +00:00
parent 4d426ba508
commit 5afb84bc0a
2 changed files with 22 additions and 5 deletions

View file

@ -0,0 +1,17 @@
# -*- coding: utf-8 -*-
# vi:si:et:sw=4:sts=4:ts=4
try:
from django.contrib.auth.decorators import wraps
except:
from django.utils.functional import wraps
from ox.django.shortcuts import render_to_json_response, json_response
def capability_required_json(capability):
def capability_required(function=None):
def _wrapped_view(request, *args, **kwargs):
if request.user.is_authenticated() and \
request.user.get_profile().capability(capability):
return function(request, *args, **kwargs)
return render_to_json_response(json_response(status=403, text='permissino denied'))
return wraps(function)(_wrapped_view)
return capability_required

View file

@ -13,7 +13,7 @@ from django.db.models import Max
from django.contrib.auth.models import User, Group from django.contrib.auth.models import User, Group
from ox.django.shortcuts import render_to_json_response, json_response, get_object_or_404_json from ox.django.shortcuts import render_to_json_response, json_response, get_object_or_404_json
from ox.django.decorators import admin_required_json, login_required_json from ox.django.decorators import login_required_json
import ox import ox
@ -22,7 +22,7 @@ from item.models import Access, Item
from item import utils from item import utils
import models import models
from decorators import capability_required_json
def signin(request): def signin(request):
''' '''
@ -303,7 +303,7 @@ def requestToken(request):
actions.register(requestToken, cache=False) actions.register(requestToken, cache=False)
@admin_required_json @capability_required_json('canManageUsers')
def editUser(request): def editUser(request):
''' '''
takes { takes {
@ -356,7 +356,7 @@ def editUser(request):
return render_to_json_response(response) return render_to_json_response(response)
actions.register(editUser, cache=False) actions.register(editUser, cache=False)
@admin_required_json @capability_required_json('canManageUsers')
def removeUser(request): def removeUser(request):
''' '''
takes { takes {
@ -440,7 +440,7 @@ def order_query(qs, sort):
qs = qs.order_by(*order_by, nulls_last=True) qs = qs.order_by(*order_by, nulls_last=True)
return qs return qs
@admin_required_json @capability_required_json('canManageUsers')
def findUsers(request): def findUsers(request):
''' '''
takes { takes {