preventing unwanted users to see private info
author
Lincoln de Sousa
<lincoln@minaslivre.org>
Tue, 1 Jul 2008 18:37:51 +0000
(15:37 -0300)
committer
Lincoln de Sousa
<lincoln@minaslivre.org>
Tue, 1 Jul 2008 18:37:51 +0000
(15:37 -0300)
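--- a/eventos/views.py
+++ b/eventos/views.py
@@ -23,6 +23,9 @@ from django.shortcuts import render_to_response, get_object_or_404
 from django.template import RequestContext, Context, loader
 from eventos.models import Palestrante, Trabalho
+forbidden = \
+    HttpResponseForbidden('<h2>You are not allowed to do this action.<h2>')
+
 def login(request):
     """This is a function that will be used as a front-end to the
     django's login system. It receives username and password fields
@@ -60,13 +63,12 @@ def lecturer_details(request, lid):
     """Shows a simple form containing all editable fields of a
     lecturer and gives the lecturer the possibility to save them =)
     """
+    if not hasattr(request.user, 'palestrante_set'):
+        return forbidden
+
     entity = request.user.palestrante_set.get()
-    # avoiding problems if some other user tries to edit the lecturer
-    # info.
     if entity.id != int(lid):
-        return HttpResponseForbidden('<h2>You are not '
-                                     'allowed to edit '
-                                     'this info.<h2>')
+        return forbidden
     FormKlass = form_for_instance(entity)
     del FormKlass.base_fields['usuario']
@@ -83,9 +85,15 @@ def lecturer_talks(request, lid):
     """Lists all talks of a lecturer (based on lecturer id -- lid
     parameter).
     """
-    lecturer = get_object_or_404(Palestrante, pk=lid)
-    talks = Trabalho.objects.filter(palestrante=lecturer)
-    c = {'lecturer': lecturer, 'talks': talks}
+    if not hasattr(request.user, 'palestrante_set'):
+        return forbidden
+
+    entity = request.user.palestrante_set.get()
+    if entity.id != int(lid):
+        return forbidden
+
+    talks = Trabalho.objects.filter(palestrante=entity)
+    c = {'lecturer': entity, 'talks': talks}
     return render_to_response('eventos/talk-list.html', Context(c),
                               context_instance=RequestContext(request))
@@ -105,32 +113,42 @@ def talk_details(request, tid):
 def talk_delete(request, tid):
     """Drops a talk but only if the logged in user is its owner.
     """
-    entity = get_object_or_404(Trabalho, pk=tid)
-    palestrante = request.user.palestrante_set.get()
-    owner = Trabalho.objects.filter(pk=tid, palestrante=palestrante)
+    if not hasattr(request.user, 'palestrante_set'):
+        return forbidden
+
+    entity = request.user.palestrante_set.get()
+    if entity.id != int(lid):
+        return forbidden
+
+    owner = Trabalho.objects.filter(pk=tid, palestrante=entity)
     if not owner:
-        return HttpResponseForbidden('<h2>You are not '
-                                     'allowed to edit '
-                                     'this info.<h2>')
+        return forbidden
+
     entity.delete()
-    return HttpResponseRedirect('/lecturer/%d/talks/' % palestrante.id)
+    return HttpResponseRedirect('/lecturer/%d/talks/' % entity.id)
 def talk_add(request):
     """Shows a form to the lecturer send a talk
     """
-    palestrante = request.user.palestrante_set.get()
+    if not hasattr(request.user, 'palestrante_set'):
+        return forbidden
+
+    entity = request.user.palestrante_set.get()
+    if entity.id != int(lid):
+        return forbidden
+
     FormKlass = form_for_model(Trabalho)
     form = FormKlass(request.POST or None)
-    other = Palestrante.objects.exclude(pk=palestrante.id)
+    other = Palestrante.objects.exclude(pk=entity.id)
     form.fields['palestrante'].label = u'Outros Palestrantes'
     form.fields['palestrante'].required = False
     form.fields['palestrante']._set_queryset(other)
     if request.POST and form.is_valid():
         instance = form.save()
-        instance.palestrante.add(palestrante)
-        return HttpResponseRedirect('/lecturer/%d/talks/' % palestrante.id)
+        instance.palestrante.add(entity)
+        return HttpResponseRedirect('/lecturer/%d/talks/' % entity.id)
     c = {'form': form}
     return render_to_response('eventos/talk-add.html', Context(c),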
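Review bot: In `talk_delete` and `talk_add` the new guard compares against `lid`, but neither view takes that parameter (`talk_delete(request, tid)`, `talk_add(request)`), so every request that passes the `hasattr` check raises NameError instead of being authorized; both views should drop the `if entity.id != int(lid): return forbidden` block, since the ownership check that matters for a talk is the `Trabalho` filter. In `talk_delete` the rename also changed what gets deleted: `entity` is now the lecturer returned by `palestrante_set.get()`, so `entity.delete()` removes the lecturer record rather than the talk identified by `tid`; the body should delete the filtered talk instead, as below. The `hasattr` test presumably only rejects an anonymous user; a logged-in user with no lecturer row would still reach `.get()`, which would raise DoesNotExist (a server error) rather than return `forbidden` — confirm and handle that case explicitly. `talk_add` continues past the end of the hunk.
```python
def talk_delete(request, tid):
    # … unchanged: docstring and hasattr guard …
    lecturer = request.user.palestrante_set.get()
    # the talk must belong to the logged-in lecturer; otherwise refuse
    talk = Trabalho.objects.filter(pk=tid, palestrante=lecturer)
    if not talk:
        return forbidden
    talk.delete()
    return HttpResponseRedirect('/lecturer/%d/talks/' % lecturer.id)
```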