From b26b2975b4205dbd79029ed3206a9268e433f4bb Mon Sep 17 00:00:00 2001 From: Lincoln de Sousa Date: Tue, 1 Jul 2008 15:37:51 -0300 Subject: [PATCH] preventing unwanted users to see private info --- eventos/views.py | 56 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 37 insertions(+), 19 deletions(-) diff --git a/eventos/views.py b/eventos/views.py index a470952..97a13c9 100644 --- a/eventos/views.py +++ b/eventos/views.py @@ -23,6 +23,9 @@ from django.shortcuts import render_to_response, get_object_or_404 from django.template import RequestContext, Context, loader from eventos.models import Palestrante, Trabalho +forbidden = \ + HttpResponseForbidden('

You are not allowed to do this action.

') + def login(request): """This is a function that will be used as a front-end to the django's login system. It receives username and password fields @@ -60,13 +63,12 @@ def lecturer_details(request, lid): """Shows a simple form containing all editable fields of a lecturer and gives the lecturer the possibility to save them =) """ + if not hasattr(request.user, 'palestrante_set'): + return forbidden + entity = request.user.palestrante_set.get() - # avoiding problems if some other user tries to edit the lecturer - # info. if entity.id != int(lid): - return HttpResponseForbidden('
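Review bot: `forbidden` on the added lines is one HttpResponseForbidden instance built at import time and then returned from several views, so every caller hands out the same mutable response object. Django middleware such as SessionMiddleware writes cookies and headers onto the response it is given, so anything set while serving one request stays on the object and is sent to the next user who takes the same branch. Build the response per request instead, e.g. `def forbidden():` / `    return HttpResponseForbidden(...)` wrapping the existing "You are not allowed to do this action." message, and call `forbidden()` at the return sites in the later hunks.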

You are not ' - 'allowed to edit ' - 'this info.

') + return forbidden FormKlass = form_for_instance(entity) del FormKlass.base_fields['usuario'] @@ -83,9 +85,15 @@ def lecturer_talks(request, lid): """Lists all talks of a lecturer (based on lecturer id -- lid parameter). """ - lecturer = get_object_or_404(Palestrante, pk=lid) - talks = Trabalho.objects.filter(palestrante=lecturer) - c = {'lecturer': lecturer, 'talks': talks} + if not hasattr(request.user, 'palestrante_set'): + return forbidden + + entity = request.user.palestrante_set.get() + if entity.id != int(lid): + return forbidden + + talks = Trabalho.objects.filter(palestrante=entity) + c = {'lecturer': entity, 'talks': talks} return render_to_response('eventos/talk-list.html', Context(c), context_instance=RequestContext(request)) @@ -105,32 +113,42 @@ def talk_details(request, tid): def talk_delete(request, tid): """Drops a talk but only if the logged in user is its owner. """ - entity = get_object_or_404(Trabalho, pk=tid) - palestrante = request.user.palestrante_set.get() - owner = Trabalho.objects.filter(pk=tid, palestrante=palestrante) + if not hasattr(request.user, 'palestrante_set'): + return forbidden + + entity = request.user.palestrante_set.get() + if entity.id != int(lid): + return forbidden + + owner = Trabalho.objects.filter(pk=tid, palestrante=entity) if not owner: - return HttpResponseForbidden('
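Review bot: The new `hasattr(request.user, 'palestrante_set')` guard in lecturer_details only filters out AnonymousUser; a logged-in user with no Palestrante row still reaches `request.user.palestrante_set.get()`, which raises Palestrante.DoesNotExist and turns an authorization failure into a 500. Handle that case as a refusal too, e.g. `try: entity = request.user.palestrante_set.get()` / `except Palestrante.DoesNotExist: return forbidden`. The same lookup-then-compare guard is pasted into lecturer_talks, talk_delete and talk_add in the following hunks; a single helper that returns the caller's Palestrante or None would keep the four copies consistent and give the DoesNotExist handling one home. lecturer_details continues past the end of the hunk.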

You are not ' - 'allowed to edit ' - 'this info.

') + return forbidden + entity.delete() - return HttpResponseRedirect('/lecturer/%d/talks/' % palestrante.id) + return HttpResponseRedirect('/lecturer/%d/talks/' % entity.id) def talk_add(request): """Shows a form to the lecturer send a talk """ - palestrante = request.user.palestrante_set.get() + if not hasattr(request.user, 'palestrante_set'): + return forbidden + + entity = request.user.palestrante_set.get() + if entity.id != int(lid): + return forbidden + FormKlass = form_for_model(Trabalho) form = FormKlass(request.POST or None) - other = Palestrante.objects.exclude(pk=palestrante.id) + other = Palestrante.objects.exclude(pk=entity.id) form.fields['palestrante'].label = u'Outros Palestrantes' form.fields['palestrante'].required = False form.fields['palestrante']._set_queryset(other) if request.POST and form.is_valid(): instance = form.save() - instance.palestrante.add(palestrante) - return HttpResponseRedirect('/lecturer/%d/talks/' % palestrante.id) + instance.palestrante.add(entity) + return HttpResponseRedirect('/lecturer/%d/talks/' % entity.id) c = {'form': form} return render_to_response('eventos/talk-add.html', Context(c), -- 2.20.1
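Review bot: `lid` is not a parameter of talk_delete(request, tid) or talk_add(request), so the added `if entity.id != int(lid):` in both functions raises NameError on every call and both views are now unreachable. In talk_delete the rebinding also changes what gets deleted: `entity` is now the caller's Palestrante, so `entity.delete()` removes the lecturer record instead of the talk that the removed `get_object_or_404(Trabalho, pk=tid)` selected. Drop the two `lid` lines in talk_add, and in talk_delete keep a separate name for the talk as below. talk_delete also still deletes on a plain GET; checking `request.method == 'POST'` before deleting would stop a crafted link from removing a talk. talk_add continues past the end of the hunk.
```python
def talk_delete(request, tid):
    # … unchanged: docstring and the hasattr guard …
    palestrante = request.user.palestrante_set.get()
    talk = get_object_or_404(Trabalho, pk=tid)
    if not Trabalho.objects.filter(pk=tid, palestrante=palestrante):
        return forbidden

    talk.delete()
    return HttpResponseRedirect('/lecturer/%d/talks/' % palestrante.id)
```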