forked from 0x2620/pandora
no access to private documents
This commit is contained in:
parent
c5d961a946
commit
bf8c99513b
4 changed files with 61 additions and 39 deletions
|
@ -72,7 +72,7 @@
|
||||||
"canSeeDebugMenu": {"researcher": true, "staff": true, "admin": true},
|
"canSeeDebugMenu": {"researcher": true, "staff": true, "admin": true},
|
||||||
"canSeeExtraItemViews": {"researcher": true, "staff": true, "admin": true},
|
"canSeeExtraItemViews": {"researcher": true, "staff": true, "admin": true},
|
||||||
"canSeeMedia": {"researcher": true, "staff": true, "admin": true},
|
"canSeeMedia": {"researcher": true, "staff": true, "admin": true},
|
||||||
"canSeeDocument": {"guest": 3, "member": 3, "researcher": 3, "staff": 3, "admin": 3},
|
"canSeeDocument": {"guest": 1, "member": 1, "researcher": 2, "staff": 3, "admin": 3},
|
||||||
"canSeeItem": {"guest": 3, "member": 3, "researcher": 3, "staff": 3, "admin": 3},
|
"canSeeItem": {"guest": 3, "member": 3, "researcher": 3, "staff": 3, "admin": 3},
|
||||||
"canSeeSize": {"researcher": true, "staff": true, "admin": true},
|
"canSeeSize": {"researcher": true, "staff": true, "admin": true},
|
||||||
"canSeeSoftwareVersion": {"researcher": true, "staff": true, "admin": true},
|
"canSeeSoftwareVersion": {"researcher": true, "staff": true, "admin": true},
|
||||||
@ -309,8 +309,18 @@ class Document(models.Model):
|
||||||
def get_id(self):
|
def get_id(self):
|
||||||
return ox.toAZ(self.id)
|
return ox.toAZ(self.id)
|
||||||
|
|
||||||
def accessible(self, user):
|
def access(self, user):
|
||||||
return self.user == user or self.status in ('public', 'featured')
|
if user.is_anonymous():
|
||||||
|
level = 'guest'
|
||||||
|
else:
|
||||||
|
level = user.profile.get_level()
|
||||||
|
editable = self.editable(user)
|
||||||
|
if editable:
|
||||||
|
return True
|
||||||
|
allowed_level = settings.CONFIG['capabilities']['canSeeDocument'][level]
|
||||||
|
if self.rightslevel <= allowed_level:
|
||||||
|
return True
|
||||||
|
return False
|
||||||
|
|
||||||
def editable(self, user, item=None):
|
def editable(self, user, item=None):
|
||||||
if not user or user.is_anonymous():
|
if not user or user.is_anonymous():
|
||||||
|
@ -339,6 +349,8 @@ class Document(models.Model):
|
||||||
'data-value',
|
'data-value',
|
||||||
'lang'
|
'lang'
|
||||||
])
|
])
|
||||||
|
elif key == 'rightslevel':
|
||||||
|
setattr(self, key, int(data[key]))
|
||||||
elif ktype == 'text':
|
elif ktype == 'text':
|
||||||
self.data[key] = ox.sanitize_html(data[key])
|
self.data[key] = ox.sanitize_html(data[key])
|
||||||
elif ktype == '[text]':
|
elif ktype == '[text]':
|
||||||
|
@ -378,6 +390,7 @@ class Document(models.Model):
|
||||||
'matches',
|
'matches',
|
||||||
'ratio',
|
'ratio',
|
||||||
'size',
|
'size',
|
||||||
|
'rightslevel',
|
||||||
):
|
):
|
||||||
return getattr(self, key)
|
return getattr(self, key)
|
||||||
elif key == 'user':
|
elif key == 'user':
|
||||||
|
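Review bot: The new `access` method calls `user.is_anonymous()` without first checking that `user` is set, while `editable` directly below it guards with `if not user or user.is_anonymous():`; a `None` user, which `editable` evidently expects to be possible, raises AttributeError in `access` instead of being treated as a guest, so its first line should read `if not user or user.is_anonymous():`. The lookup `settings.CONFIG['capabilities']['canSeeDocument'][level]` raises KeyError for a level name missing from the site config, which surfaces as a server error rather than a denial; a fail-closed form such as `allowed_level = settings.CONFIG['capabilities']['canSeeDocument'].get(level, -1)` denies instead. The `rightslevel` field definition and its default are not part of this diff, so whether existing documents end up at a value that stays guest-visible under the new `guest: 1` capability cannot be confirmed here and is worth checking before deployment. In the edit path, `setattr(self, key, int(data[key]))` stores any client-supplied integer with no range check and no check that the editing user is permitted to raise or lower a document's visibility, and a non-numeric value raises an unhandled ValueError; that function begins outside the hunk, so the user context available to it is not visible.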
@ -27,13 +27,16 @@ from changelog.models import add_changelog
|
||||||
|
|
||||||
from . import models
|
from . import models
|
||||||
|
|
||||||
def get_document_or_404_json(id):
|
def get_document_or_404_json(request, id):
|
||||||
try:
|
|
||||||
return models.Document.get(id)
|
|
||||||
except:
|
|
||||||
response = {'status': {'code': 404,
|
response = {'status': {'code': 404,
|
||||||
'text': 'Document not found'}}
|
'text': 'Document not found'}}
|
||||||
|
try:
|
||||||
|
document = models.Document.get(id)
|
||||||
|
except:
|
||||||
raise HttpErrorJson(response)
|
raise HttpErrorJson(response)
|
||||||
|
if not document.access(request.user):
|
||||||
|
raise HttpErrorJson(response)
|
||||||
|
return document
|
||||||
|
|
||||||
@login_required_json
|
@login_required_json
|
||||||
def addDocument(request, data):
|
def addDocument(request, data):
|
||||||
|
@ -284,7 +287,7 @@ def getDocument(request, data):
|
||||||
'''
|
'''
|
||||||
response = json_response({})
|
response = json_response({})
|
||||||
data['keys'] = data.get('keys', [])
|
data['keys'] = data.get('keys', [])
|
||||||
document = get_document_or_404_json(data['id'])
|
document = get_document_or_404_json(request, data['id'])
|
||||||
response['data'] = document.json(keys=data['keys'], user=request.user)
|
response['data'] = document.json(keys=data['keys'], user=request.user)
|
||||||
return render_to_json_response(response)
|
return render_to_json_response(response)
|
||||||
actions.register(getDocument)
|
actions.register(getDocument)
|
||||||
|
@ -367,12 +370,12 @@ def sortDocuments(request, data):
|
||||||
actions.register(sortDocuments, cache=False)
|
actions.register(sortDocuments, cache=False)
|
||||||
|
|
||||||
def file(request, id, name=None):
|
def file(request, id, name=None):
|
||||||
document = models.Document.get(id)
|
document = get_document_or_404_json(request, id)
|
||||||
return HttpFileResponse(document.file.path)
|
return HttpFileResponse(document.file.path)
|
||||||
|
|
||||||
def thumbnail(request, id, size=256, page=None):
|
def thumbnail(request, id, size=256, page=None):
|
||||||
size = int(size)
|
size = int(size)
|
||||||
document = get_document_or_404_json(id)
|
document = get_document_or_404_json(request, id)
|
||||||
return HttpFileResponse(document.thumbnail(size, page=page))
|
return HttpFileResponse(document.thumbnail(size, page=page))
|
||||||
|
|
||||||
@login_required_json
|
@login_required_json
|
||||||
|
@ -400,7 +403,7 @@ def upload(request):
|
||||||
file.extension = extension
|
file.extension = extension
|
||||||
file.uploading = True
|
file.uploading = True
|
||||||
file.save()
|
file.save()
|
||||||
else:
|
elif file.editable(request.user):
|
||||||
#replace existing file
|
#replace existing file
|
||||||
if file.file:
|
if file.file:
|
||||||
file.delete_cache()
|
file.delete_cache()
|
||||||
|
@ -411,6 +414,8 @@ def upload(request):
|
||||||
file.width = -1
|
file.width = -1
|
||||||
file.pages = -1
|
file.pages = -1
|
||||||
file.save()
|
file.save()
|
||||||
|
else:
|
||||||
|
return render_to_json_response(response)
|
||||||
upload_url = '/api/upload/document?id=%s' % file.get_id()
|
upload_url = '/api/upload/document?id=%s' % file.get_id()
|
||||||
return render_to_json_response({
|
return render_to_json_response({
|
||||||
'uploadUrl': upload_url,
|
'uploadUrl': upload_url,
|
||||||
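Review bot: In `upload`, the new `else:` branch reached by a caller who is neither creating the document nor allowed to edit it returns `render_to_json_response(response)`, but `response` is assembled before the hunk and is not visible here; if it is the default success response, the refused user receives a 200 with no indication that the write was denied. An explicit denial is safer, for example `response = json_response(status=403, text='permission denied')` immediately before that return, assuming `json_response` accepts those keyword arguments as it does elsewhere in this codebase. In `get_document_or_404_json`, answering an access-denied lookup with the same 404 `Document not found` as a missing id is the right choice because it does not reveal whether a private document exists; a comment such as `# same 404 for missing and inaccessible documents: do not disclose existence` would keep a later change from turning it into a 403. The rewritten `except:` there is a bare except and should at least be `except Exception:` so interpreter signals are not swallowed. The signature change to `(request, id)` is applied to `getDocument`, `file` and `thumbnail` in these hunks; any other caller in the file still passing a single argument would fail with TypeError, which cannot be confirmed from this view.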
@ -1964,6 +1964,7 @@ pandora.getSpan = function(state, val, callback) {
|
||||||
// fixme: "subtitles:23" is still missing
|
// fixme: "subtitles:23" is still missing
|
||||||
Ox.Log('URL', 'getSpan', state, val);
|
Ox.Log('URL', 'getSpan', state, val);
|
||||||
if (state.type == 'documents') {
|
if (state.type == 'documents') {
|
||||||
|
if (state.item) {
|
||||||
pandora.api.getDocument({
|
pandora.api.getDocument({
|
||||||
id: state.item,
|
id: state.item,
|
||||||
keys: ['dimensions', 'extension']
|
keys: ['dimensions', 'extension']
|
||||||
|
@ -1994,6 +1995,9 @@ pandora.getSpan = function(state, val, callback) {
|
||||||
Ox.Log('URL', 'getSpan result', state);
|
Ox.Log('URL', 'getSpan result', state);
|
||||||
callback();
|
callback();
|
||||||
});
|
});
|
||||||
|
} else {
|
||||||
|
callback();
|
||||||
|
}
|
||||||
} else if (state.type == pandora.site.itemName.plural.toLowerCase()) {
|
} else if (state.type == pandora.site.itemName.plural.toLowerCase()) {
|
||||||
var isArray = Ox.isArray(val),
|
var isArray = Ox.isArray(val),
|
||||||
isName, isVideoView, canBeAnnotation, canBeEvent, canBePlace;
|
isName, isVideoView, canBeAnnotation, canBeEvent, canBePlace;
|
||||||
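Review bot: The new `if (state.item)` guard only covers the missing-id case; the `pandora.api.getDocument` result handler between the two hunks is not visible, and since the server side of this commit now returns a 404 for documents the current user may not see, a handler that reads `result.data` fields such as `dimensions` without first checking `result.status.code` would throw for a private document instead of reaching `callback()`. Worth confirming the handler tolerates an error status, for example by branching on `result.status.code == 200` before touching `result.data`. The enclosing `pandora.getSpan` function starts and ends outside both hunks.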