preventing unwanted users to see private info

[cascardo/ema.git] / eventos / views.py

# -*- coding: utf-8 -*-
# Copyright (C) 2008 Lincoln de Sousa <lincoln@minaslivre.org>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
# Boston, MA 02111-1307, USA.
from django.http import HttpResponseRedirect, HttpResponseForbidden
from django.contrib import auth
from django.contrib.auth.forms import AuthenticationForm
from django.newforms import form_for_instance, form_for_model
from django.shortcuts import render_to_response, get_object_or_404
from django.template import RequestContext, Context, loader
from eventos.models import Palestrante, Trabalho

forbidden = \
    HttpResponseForbidden('<h2>You are not allowed to do this action.<h2>')

def login(request):
    """This is a function that will be used as a front-end to the
    django's login system. It receives username and password fields
    from a POST request and tries to login the user.

    If login is successful, user will be redirected to the referer
    address, otherwise will be redirected to /?login_failed.
    """
    errors = {}
    manipulator = AuthenticationForm(request)
    if request.POST:
        errors = manipulator.get_validation_errors(request.POST)
        got_user = manipulator.get_user()
        if got_user:
            auth.login(request, got_user)
            try:
                request.session.delete_test_cookie()
            except KeyError:
                pass
            return HttpResponseRedirect('/')
        else:
            return HttpResponseRedirect('/?login_failed')

    request.session.set_test_cookie()
    return HttpResponseRedirect(request.META.get('HTTP_REFERER', '/'))

def logout(request):
    """Simple front-end to django's logout stuff. This function should
    be mapped to an url and simply called without any parameter.
    """
    auth.logout(request)
    return HttpResponseRedirect('/')

def lecturer_details(request, lid):
    """Shows a simple form containing all editable fields of a
    lecturer and gives the lecturer the possibility to save them =)
    """
    if not hasattr(request.user, 'palestrante_set'):
        return forbidden

    entity = request.user.palestrante_set.get()
    if entity.id != int(lid):
        return forbidden

    FormKlass = form_for_instance(entity)
    del FormKlass.base_fields['usuario']

    form = FormKlass(request.POST or None)
    if request.POST and form.is_valid():
        form.save()

    c = {'form': form}
    return render_to_response('eventos/lecturer-details.html', Context(c),
                              context_instance=RequestContext(request))

def lecturer_talks(request, lid):
    """Lists all talks of a lecturer (based on lecturer id -- lid
    parameter).
    """
    if not hasattr(request.user, 'palestrante_set'):
        return forbidden

    entity = request.user.palestrante_set.get()
    if entity.id != int(lid):
        return forbidden

    talks = Trabalho.objects.filter(palestrante=entity)
    c = {'lecturer': entity, 'talks': talks}
    return render_to_response('eventos/talk-list.html', Context(c),
                              context_instance=RequestContext(request))

def talk_details(request, tid):
    """Shows a form to edit a talk
    """
    entity = get_object_or_404(Trabalho, pk=tid)
    FormKlass = form_for_instance(entity)
    form = FormKlass(request.POST or None)
    if request.POST and form.is_valid():
        form.save()

    c = {'form': form}
    return render_to_response('eventos/talk-details.html', Context(c),
                              context_instance=RequestContext(request))

def talk_delete(request, tid):
    """Drops a talk but only if the logged in user is its owner.
    """
    if not hasattr(request.user, 'palestrante_set'):
        return forbidden

    entity = request.user.palestrante_set.get()
    if entity.id != int(lid):
        return forbidden

    owner = Trabalho.objects.filter(pk=tid, palestrante=entity)
    if not owner:
        return forbidden

    entity.delete()
    return HttpResponseRedirect('/lecturer/%d/talks/' % entity.id)

def talk_add(request):
    """Shows a form to the lecturer send a talk
    """
    if not hasattr(request.user, 'palestrante_set'):
        return forbidden

    entity = request.user.palestrante_set.get()
    if entity.id != int(lid):
        return forbidden

    FormKlass = form_for_model(Trabalho)
    form = FormKlass(request.POST or None)

    other = Palestrante.objects.exclude(pk=entity.id)
    form.fields['palestrante'].label = u'Outros Palestrantes'
    form.fields['palestrante'].required = False
    form.fields['palestrante']._set_queryset(other)

    if request.POST and form.is_valid():
        instance = form.save()
        instance.palestrante.add(entity)
        return HttpResponseRedirect('/lecturer/%d/talks/' % entity.id)

    c = {'form': form}
    return render_to_response('eventos/talk-add.html', Context(c),
                              context_instance=RequestContext(request))