File permissions checks

This commit is contained in:
Carl van Tonder 2018-04-30 22:23:36 -04:00
parent e43c32b843
commit 6dc0b51fc3
5 changed files with 41 additions and 14 deletions


@ -6,4 +6,4 @@ from .models import File
class FileForm(forms.ModelForm): class FileForm(forms.ModelForm):
class Meta: class Meta:
model = File model = File
fields = '__all__' exclude = ['user',]


@ -0,0 +1,24 @@
# -*- coding: utf-8 -*-
# Generated by Django 1.11.6 on 2018-04-29 22:07
from __future__ import unicode_literals
from django.conf import settings
from django.db import migrations, models
import django.db.models.deletion
class Migration(migrations.Migration):
dependencies = [
migrations.swappable_dependency(settings.AUTH_USER_MODEL),
('files', '0001_initial'),
]
operations = [
migrations.AddField(
model_name='file',
name='user',
field=models.ForeignKey(default=1, on_delete=django.db.models.deletion.CASCADE, related_name='files', to=settings.AUTH_USER_MODEL),
preserve_default=False,
),
]
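Review bot: The `AddField` at the end of the migration backfills every pre-existing `File` row with `default=1` for `user`, so whichever account has pk 1 (on most installs the first superuser, but that is an assumption) silently becomes the owner of, and the only account allowed to delete, every upload made before this commit; on a database that enforces foreign keys the migration also fails outright if no user with pk 1 exists. If that ownership transfer is intended it deserves a comment in the migration, e.g. `# Legacy uploads had no owner; assign them to the initial admin account (pk=1).`, otherwise a two-step migration (add the field as `null=True`, then a `RunPython` data migration that assigns owners from whatever records exist) keeps legacy files from being claimed by an arbitrary account. Either way the literal `1` should not stay unexplained in a permissions-related change.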


@ -1,3 +1,4 @@
from django.contrib.auth.models import User
from django.db import models from django.db import models
from apps.map.models import CaseStudy, CaseStudyDraft from apps.map.models import CaseStudy, CaseStudyDraft
@ -7,6 +8,9 @@ class BaseFile(models.Model):
file = models.FileField( file = models.FileField(
upload_to='.', upload_to='.',
) )
user = models.ForeignKey(
User, related_name='files'
)
class Meta: class Meta:
abstract = True abstract = True
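Review bot: The new `user` foreign key on `BaseFile` is declared without `on_delete` and points at `django.contrib.auth.models.User` directly, while the generated migration in this same commit records `on_delete=CASCADE` and `to=settings.AUTH_USER_MODEL`; on Django 1.11 (per the migration header) the missing `on_delete` only warns, but it becomes a hard error on 2.0 and the implicit cascade (deleting an account deletes all its File rows) is a behaviour worth making explicit. I would change the field to `user = models.ForeignKey(settings.AUTH_USER_MODEL, related_name='files', on_delete=models.CASCADE)` and replace the `User` import with `from django.conf import settings` so the model and the migration agree. Note also that `related_name='files'` on an abstract base will clash if more than one concrete subclass exists; Django's `'%(class)s_files'` form avoids that, though only `File` is visible here so this may not apply. The rest of `BaseFile`'s body is outside the hunk.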


@ -1,4 +1,5 @@
from django.shortcuts import render from django.core.exceptions import PermissionDenied
from django.contrib.auth.mixins import LoginRequiredMixin
from django.http import JsonResponse from django.http import JsonResponse
from django.shortcuts import render from django.shortcuts import render
from django.views.generic import FormView, DetailView from django.views.generic import FormView, DetailView
@ -6,16 +7,14 @@ from django.views.generic import FormView, DetailView
from .forms import FileForm from .forms import FileForm
from .models import File from .models import File
class FileUploadView(FormView): class FileUploadView(LoginRequiredMixin, FormView):
# FIXME require login
model = File model = File
form_class = FileForm form_class = FileForm
def form_valid(self, form): def form_valid(self, form):
self.object = form.save() self.object = form.save(commit=False)
self.object.user = self.request.user
# FIXME set File owner self.object.save()
return JsonResponse({ return JsonResponse({
'is_valid': True, 'url': self.object.file.url, 'is_valid': True, 'url': self.object.file.url,
@ -27,18 +26,18 @@ class FileUploadView(FormView):
return JsonResponse({'is_valid': False, 'errors': form.errors}) return JsonResponse({'is_valid': False, 'errors': form.errors})
class FileDeleteView(DetailView): class FileDeleteView(LoginRequiredMixin, DetailView):
# FIXME require login
model = File model = File
def get(self, request, *args, **kwargs): def get(self, request, *args, **kwargs):
return self.post(request, *args, **kwargs) return self.post(request, *args, **kwargs)
def post(self, request, *args, **kwargs): def post(self, request, *args, **kwargs):
# FIXME check file ownership
self.object = self.get_object() self.object = self.get_object()
if request.user != self.object.user:
raise PermissionDenied
self.object.delete() self.object.delete()
return JsonResponse({ return JsonResponse({
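Review bot: `FileDeleteView.get` still forwards to `post`, so a file can be deleted by a plain GET request — Django's CSRF middleware only checks unsafe methods, which means a logged-in owner can be made to delete their own upload by merely loading an attacker-controlled `<img>` or link; the new ownership check does not close that. Drop the `get` override (or make it `return HttpResponseNotAllowed(['POST'])`) so the delete is only reachable via a CSRF-protected POST. Separately, `self.object.delete()` removes the database row but Django's `FileField` does not remove the stored file, so the blob stays served under `MEDIA_URL` at the URL the upload view handed out; add `self.object.file.delete(save=False)` before the model delete. Returning `PermissionDenied` for someone else's pk also confirms the object exists; filtering `get_queryset()` to `request.user` would yield a 404 instead and keep the check in one place. The trailing `JsonResponse` body continues past the hunk.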


@ -119,7 +119,7 @@ class SpatialRefSysAutocomplete(autocomplete.Select2QuerySetView):
return qs return qs
class Drafts(View): class Drafts(LoginRequiredMixin, View):
"""Retrieve or save a draft.""" """Retrieve or save a draft."""
def get_object(self, request): def get_object(self, request):