From c63036ff2f56cbdd3cf7734dbbbb35c032e01bf5 Mon Sep 17 00:00:00 2001
From: Francesco Filicetti
Date: Tue, 31 Dec 2024 09:24:27 +0100
Subject: [PATCH] fix: access level control on handlers
---
 src/cms/contexts/handlers.py | 31 +++++++++++++++++++++++++++++--
 src/cms/contexts/utils.py | 6 +++---
 src/cms/contexts/views.py | 1 +
 src/cms/publications/handlers.py | 6 ++++++
 4 files changed, 39 insertions(+), 5 deletions(-)
diff --git a/src/cms/contexts/handlers.py b/src/cms/contexts/handlers.py
index f552fa79..dc42dec2 100644
--- a/src/cms/contexts/handlers.py
+++ b/src/cms/contexts/handlers.py
@@ -1,5 +1,20 @@
+import re
-from . models import WebPath
+from django.conf import settings
+from django.core.exceptions import PermissionDenied
+from django.shortcuts import get_object_or_404, redirect
+
+from . models import WebPath, WebSite
+
+
+def _get_site_from_host(request):
+    requested_site = re.match(r'^[a-zA-Z0-9\.\-\_]*', request.get_host()).group()
+    website = get_object_or_404(WebSite, domain=requested_site, is_active=True)
+    return website
 class BaseContentHandler(object):
@@ -59,4 +74,16 @@ def as_view(self): # pragma: no cover
         open returns a rendered page
         """
-        raise NotImplementedError()
+        # access level
+        website = _get_site_from_host(self.request)
+        access_level = self.webpath.get_access_level()
+        if access_level == '0':
+            pass
+        elif not self.request.user.is_authenticated:
+            return redirect(f"//{settings.MAIN_DOMAIN}{settings.LOGIN_URL}?next=//{website.domain}{self.webpath.get_full_path()}")
+        elif access_level == '2' or self.request.user.is_superuser:
+            pass
+        elif getattr(self.request.user, access_level, None):
+            pass
+        else:
+            raise PermissionDenied
diff --git a/src/cms/contexts/utils.py b/src/cms/contexts/utils.py
index a1db29dd..35d712dc 100644
--- a/src/cms/contexts/utils.py
+++ b/src/cms/contexts/utils.py
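Review bot: `_get_site_from_host`, added at the top of this hunk, appears to be a copy of the function of the same name that already lives in `src/cms/contexts/views.py` (its first two lines are visible as context in this commit), so host-to-site resolution is now maintained in two places; move it to one shared module (e.g. `contexts/utils.py`) and import it from both, keeping in mind that `views.py` may itself import `handlers.py`, so importing from `views` here could be circular. The new function also has no docstring; I would add `"""Return the active WebSite whose domain equals the request Host header with the port stripped; raises Http404 when none matches."""`. A clarity note rather than a defect: the pattern `^[a-zA-Z0-9\.\-\_]*` can match the empty string, so an unexpected leading character in the host yields `domain=''` and a generic 404 instead of a message about the host; `request.get_host()` has already checked ALLOWED_HOSTS, so this is not an injection concern.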
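Review bot: The grant decision on the new `elif getattr(self.request.user, access_level, None):` line treats the stored access-level string as an arbitrary attribute name on the user object; unless `get_access_level()` is restricted to a fixed choice set (not visible here), a level value naming any truthy attribute such as `pk` or `username` grants every logged-in user access, so a deny-by-default mapping such as `_LEVEL_ATTRS = {'1': 'is_staff'}` looked up with `.get()` would be safer than reflection. The `next` target is built by concatenation, `?next=//{website.domain}{self.webpath.get_full_path()}`, so it should be percent-encoded with `urlencode({'next': ...})` from `django.utils.http`, and the `website = _get_site_from_host(self.request)` lookup only serves that branch, so moving it inside the `elif not self.request.user.is_authenticated:` block spares a query and a possible 404 on every level-'0' page. The method now returns a redirect for anonymous users and `None` when the request may proceed, and every overriding `as_view()` must propagate that value; a docstring sentence such as `Returns a redirect response when login is required, None when access is granted; raises PermissionDenied otherwise.` would make the contract explicit. The hunk header shows the signature still carrying `# pragma: no cover`, which should be dropped now that the method enforces access control and needs tests. The `def as_view(self)` line itself sits above the hunk.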
@@ -7,13 +7,13 @@
 # from django.contrib.admin.models import LogEntry, CHANGE
 from django.contrib.admin.models import CHANGE
 from django.contrib.contenttypes.models import ContentType
+from django.template.loader import get_template, render_to_string
+from django.template.exceptions import (TemplateDoesNotExist,
+                                        TemplateSyntaxError)
 from django.utils import translation
 from django.utils.module_loading import import_string
 from django.utils.translation import gettext as _
 from django.utils.safestring import mark_safe
-from django.template.loader import get_template, render_to_string
-from django.template.exceptions import (TemplateDoesNotExist,
-                                        TemplateSyntaxError)
 from cms.templates.models import Log
diff --git a/src/cms/contexts/views.py b/src/cms/contexts/views.py
index 798c9bd3..9f353384 100644
--- a/src/cms/contexts/views.py
+++ b/src/cms/contexts/views.py
@@ -37,6 +37,7 @@
                                     app_settings.SITEMAP_WEBPATHS_PRIORITY)
 ROBOTS_SETTINGS = getattr(settings, 'ROBOTS_SETTINGS',
                           app_settings.ROBOTS_SETTINGS)
+
 def _get_site_from_host(request):
     requested_site = re.match(r'^[a-zA-Z0-9\.\-\_]*', request.get_host()).group()
diff --git a/src/cms/publications/handlers.py b/src/cms/publications/handlers.py
index c8e7fa8f..bab6366c 100644
--- a/src/cms/publications/handlers.py
+++ b/src/cms/publications/handlers.py
@@ -42,6 +42,8 @@ def __init__(self, **kwargs):
         self.webpath = self.pub_context.webpath
     def as_view(self):
+        super(PublicationViewHandler, self).as_view()
+
         if not self.pub_context:
             return Http404()
         # i18n
@@ -90,6 +92,8 @@ def breadcrumbs(self):
         return (leaf,)
     def as_view(self):
+        super(PublicationListHandler, self).as_view()
+
         category = None
         category_name = self.request.GET.get('category_name')
         if category_name:
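Review bot: The added `super(PublicationViewHandler, self).as_view()` discards its return value, yet the base implementation introduced in `src/cms/contexts/handlers.py` by this same commit signals the unauthenticated case by returning a redirect rather than raising; as written an anonymous visitor to a restricted publication is never redirected and the handler carries on rendering the page, so only the `PermissionDenied` path for logged-in users actually blocks anything. Propagate the response: `response = super(PublicationViewHandler, self).as_view()` / `if response is not None:` / `    return response`. Since `__init__` already dereferences `self.pub_context` when setting `self.webpath`, the ordering relative to the `if not self.pub_context` guard is probably moot, but if that guard is meant to be reachable the access check should follow it. The remainder of `as_view` continues below the hunk.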
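Review bot: As in the handler above, `super(PublicationListHandler, self).as_view()` ignores the value the base `as_view()` returns, and that value is the login redirect for anonymous users, so restricted publication lists stay readable without logging in; only authenticated-but-unauthorised users are stopped, via the raised `PermissionDenied`. Replace the bare call with `response = super(PublicationListHandler, self).as_view()` / `if response is not None:` / `    return response`. If several handlers need this, a small mixin or a decorator that wraps `as_view` would keep the propagation in one place instead of repeating it per subclass. The rest of this method lies outside the hunk.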
@@ -194,6 +198,8 @@ def item_extra_kwargs(self, item):
         return {'content_encoded': self.item_content_encoded(item)}
     def as_view(self):
+        super(PublicationRssHandler, self).as_view()
+
         match_dict = self.match.groupdict()
         self.page = Page.objects.filter(is_active=True,
                                         webpath__site=self.website,
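Review bot: `super(PublicationRssHandler, self).as_view()` drops the base method's return value, which for an anonymous request is the login redirect, so a feed on a restricted webpath is still served to unauthenticated clients and only logged-in users without the required level are blocked by the raised `PermissionDenied`. At minimum propagate it: `response = super(PublicationRssHandler, self).as_view()` / `if response is not None:` / `    return response`. For a feed endpoint a 302 to an HTML login page is of limited use to a reader client, so it may be preferable to raise `PermissionDenied` here for anonymous users as well; that is a product decision to confirm. The remainder of `as_view` continues past the end of this hunk.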