limit downloading of from data based on permissions

eHealthAfrica · Jan 29, 2015 · abf894c · abf894c
1 parent dc22782
commit abf894c
Show file tree

Hide file tree

Showing 8 changed files with 59 additions and 27 deletions.
diff --git a/main/templates/dashboard.html b/main/templates/dashboard.html
@@ -102,7 +102,7 @@ <h4>{{ user_surveys|intcomma }}</h4>
     </div>
 </div>
 </section>
-{% include "published_surveys.html" %}
+{% include "published_surveys.html" with request=request %}
 <p>
 {% blocktrans with odk_url=odk_url %}
 The url "of" this web application <strong>{{ odk_url }}</strong>

diff --git a/main/templates/profile.html b/main/templates/profile.html
@@ -1,5 +1,5 @@
 {% extends 'base.html' %}
-{% load i18n %}
+{% load i18n guardian_tags %}
 
 {% block content %}
     {% if show_dashboard %}
@@ -92,6 +92,12 @@ <h3>{% blocktrans %}Shared Forms & Public Data <small>({{ num_forms }})</small>{
                 <td>
             {% if form.shared_data %}
                 {% if form.submission_count %}
+                  {% get_obj_perms request.user for form as "form_perms" %}
+                  {% if "change_xform" in form_perms %}
+                    NOOO
+                  {% endif %}
+
+
                 <div class="data-download">
                   <span class="vertical-middle">
                     <i class="icon-download icon-large"></i>

diff --git a/main/templates/published_surveys.html b/main/templates/published_surveys.html
@@ -1,4 +1,4 @@
-{% load humanize %}
+{% load humanize guardian_tags %}
 {% load i18n %}
 {% if all_forms or forms_shared_with or crowdforms%}
 
@@ -75,6 +75,8 @@ <h3>{{ message.published_survey.title }} - {% trans "Preview" %}</h3>
         </td>
         <td>
             {% if  not xform.encrypted and submission_count %}
+              {% get_obj_perms user for xform as "form_perms" %}
+              {% if "change_xform" in form_perms %}
                 <a href="{% url "odk_viewer.views.export_list"  xform.user.username xform.id_string 'csv' %}" class="download"><i class="icon-file-alt"></i> csv</a>
                 <a href="{% url "odk_viewer.views.export_list"  xform.user.username xform.id_string 'xls' %}" class="download"><i class="icon-table"></i> xls</a>
                 {% if has_surveys_with_geopoints %}
@@ -86,6 +88,9 @@ <h3>{{ message.published_survey.title }} - {% trans "Preview" %}</h3>
                 {% if xform.encrypted %}
                     <span class="label label-important icon-lock label-encrypted">&nbsp;&nbsp;{%  trans "ENCRYPTED" %}</span>
                 {% endif %}
+              {% else %}
+                {% trans 'Downloads unavailable' %}
+              {% endif %}
             {% endif %}
         </td>
         <td>

diff --git a/odk_logger/admin.py b/odk_logger/admin.py
@@ -16,7 +16,7 @@ def queryset(self, request):
         return qs.filter(user=request.user)
 
     list_filter = ('date_modified', 'form_active', 'user',)
-    search_fields = ['user__username', 'id']
+    search_fields = ['user__username', 'title']
 
 
 

diff --git a/odk_logger/models/xform.py b/odk_logger/models/xform.py
@@ -159,8 +159,8 @@ def save(self, *args, **kwargs):
         super(XForm, self).save(*args, **kwargs)
         if self.pk != original_pk:
             print "Setting perms for ", self.pk
-            #for perm in get_perms_for_model(XForm):
-            #    assign_perm(perm.codename, self.user, self)
+            for perm in get_perms_for_model(XForm):
+                assign_perm(perm.codename, self.user, self)
 
 
     def __unicode__(self):

diff --git a/odk_viewer/views.py b/odk_viewer/views.py
@@ -236,8 +236,10 @@ def data_export(request, username, id_string, export_type):
     owner = get_object_or_404(User, username=username)
     xform = get_object_or_404(XForm, id_string=id_string, user=owner)
     helper_auth_helper(request)
-    if not has_permission(xform, owner, request):
-        return HttpResponseForbidden(_(u'Not shared.'))
+    can_edit =  request.user.has_perm('odk_logger.change_xform', xform)
+    if not can_edit:
+        return HttpResponseForbidden(_(u'You do not have permission to export '
+                                        'this form'))
     query = request.GET.get("query")
     extension = export_type
 
@@ -319,8 +321,10 @@ def data_export(request, username, id_string, export_type):
 def create_export(request, username, id_string, export_type):
     owner = get_object_or_404(User, username=username)
     xform = get_object_or_404(XForm, id_string=id_string, user=owner)
-    if not has_permission(xform, owner, request):
-        return HttpResponseForbidden(_(u'Not shared.'))
+    can_edit =  request.user.has_perm('odk_logger.change_xform', xform)
+    if not can_edit:
+        return HttpResponseForbidden(_(u'You do not have permission to export '
+                                        'this form'))
 
     query = request.POST.get("query")
     force_xlsx = request.POST.get('xls') != 'true'
@@ -386,6 +390,15 @@ def _get_google_token(request, redirect_to_url):
 
 
 def export_list(request, username, id_string, export_type):
+    owner = get_object_or_404(User, username=username)
+    xform = get_object_or_404(XForm, id_string=id_string, user=owner)
+    if not has_permission(xform, owner, request):
+        return HttpResponseForbidden(_(u'Not shared.'))
+
+    can_edit =  request.user.has_perm('odk_logger.change_xform', xform)
+    if not can_edit:
+        return HttpResponseForbidden(_(u'You do not have permission to export '
+                                        'this form'))
     if export_type == Export.GDOC_EXPORT:
         redirect_url = reverse(
             export_list,
@@ -395,11 +408,6 @@ def export_list(request, username, id_string, export_type):
         token = _get_google_token(request, redirect_url)
         if isinstance(token, HttpResponse):
             return token
-    owner = get_object_or_404(User, username=username)
-    xform = get_object_or_404(XForm, id_string=id_string, user=owner)
-    if not has_permission(xform, owner, request):
-        return HttpResponseForbidden(_(u'Not shared.'))
-
     # This creates an automatic export when they system believes there is no existing download available
     # or if the available downloads are considered outdated.
     #
@@ -486,6 +494,10 @@ def export_progress(request, username, id_string, export_type):
 def export_download(request, username, id_string, export_type, filename):
     owner = get_object_or_404(User, username=username)
     xform = get_object_or_404(XForm, id_string=id_string, user=owner)
+    can_edit =  request.user.has_perm('odk_logger.change_xform', xform)
+    if not can_edit:
+        return HttpResponseForbidden(_(u'You do not have permission to export '
+                                        'this form'))
     helper_auth_helper(request)
     if not has_permission(xform, owner, request):
         return HttpResponseForbidden(_(u'Not shared.'))
@@ -562,6 +574,10 @@ def delete_export(request, username, id_string, export_type):
 def zip_export(request, username, id_string):
     owner = get_object_or_404(User, username=username)
     xform = get_object_or_404(XForm, id_string=id_string, user=owner)
+    can_edit =  request.user.has_perm('odk_logger.change_xform', xform)
+    if not can_edit:
+        return HttpResponseForbidden(_(u'You do not have permission to export '
+                                        'this form'))
     helper_auth_helper(request)
     if not has_permission(xform, owner, request):
         return HttpResponseForbidden(_(u'Not shared.'))
@@ -600,6 +616,10 @@ def kml_export(request, username, id_string):
     context.message = "HELLO!!"
     owner = get_object_or_404(User, username=username)
     xform = get_object_or_404(XForm, id_string=id_string, user=owner)
+    can_edit =  request.user.has_perm('odk_logger.change_xform', xform)
+    if not can_edit:
+        return HttpResponseForbidden(_(u'You do not have permission to export '
+                                        'this form'))
     helper_auth_helper(request)
     if not has_permission(xform, owner, request):
         return HttpResponseForbidden(_(u'Not shared.'))
@@ -630,6 +650,12 @@ def kml_export(request, username, id_string):
 
 
 def google_xls_export(request, username, id_string):
+    owner = get_object_or_404(User, username=username)
+    xform = get_object_or_404(XForm, id_string=id_string, user=owner)
+    can_edit =  request.user.has_perm('odk_logger.change_xform', xform)
+    if not can_edit:
+        return HttpResponseForbidden(_(u'You do not have permission to export '
+                                        'this form'))
     token = None
     if request.user.is_authenticated():
         try:
@@ -645,8 +671,6 @@ def google_xls_export(request, username, id_string):
             google_xls_export,
             kwargs={'username': username, 'id_string': id_string})
         return HttpResponseRedirect(redirect_uri)
-    owner = get_object_or_404(User, username=username)
-    xform = get_object_or_404(XForm, id_string=id_string, user=owner)
     if not has_permission(xform, owner, request):
         return HttpResponseForbidden(_(u'Not shared.'))
     valid, dd = dd_for_params(id_string, owner, request)
@@ -715,15 +739,9 @@ def attachment_url(request, size='medium'):
 
     if not attachment.mimetype.startswith('image'):
         return redirect(attachment.media_file.url)
-    try:
-        media_url = image_url(attachment, size)
-    except:
-        # TODO: log this somewhere
-        # image not found, 404, S3ResponseError timeouts
-        pass
-    else:
-        if media_url:
-            return redirect(media_url)
+    media_url = image_url(attachment, size)
+    if media_url:
+        return redirect(media_url)
     return HttpResponseNotFound(_(u'Error: Attachment not found'))
 
 

diff --git a/utils/user_auth.py b/utils/user_auth.py
@@ -94,7 +94,7 @@ def get_xform_and_perms(username, id_string, request):
     xform = get_object_or_404(
         XForm, user__username=username, id_string=id_string)
     is_owner = xform.user == request.user
-    can_edit =  request.user.has_perm('odk_logger.change_xform', xform)
+    can_edit =request.user.has_perm('odk_logger.change_xform', xform)
     can_view = can_edit or\
         request.user.has_perm('odk_logger.view_xform', xform)
     return [xform, is_owner, can_edit, can_view]

diff --git a/utils/viewer_tools.py b/utils/viewer_tools.py
@@ -176,6 +176,9 @@ def enketo_url(form_url, id_string, instance_xml=None,
 
     req = requests.post(url, data=values,
                         auth=(settings.ENKETO_API_TOKEN, '')) #, verify=False)
+    import pprint
+    pprint.pprint(url)
+    pprint.pprint(req.json())
     if req.status_code in [200, 201]:
         try:
             response = req.json()