django-authority/authority/views.py

from django.shortcuts import render_to_response, get_object_or_404
from django.http import HttpResponseRedirect, HttpResponseForbidden
from django.apps import apps
from django.utils.translation import ugettext as _
from django.template import loader
from django.contrib.auth.decorators import login_required

from authority.models import Permission
from authority.forms import UserPermissionForm
from authority.templatetags.permissions import url_for_obj


def get_next(request, obj=None):
    next = request.REQUEST.get("next")
    if not next:
        if obj and hasattr(obj, "get_absolute_url"):
            next = obj.get_absolute_url()
        else:
            next = "/"
    return next


@login_required
def add_permission(
    request,
    app_label,
    module_name,
    pk,
    approved=False,
    template_name="authority/permission_form.html",
    extra_context=None,
    form_class=UserPermissionForm,
):
    codename = request.POST.get("codename", None)
    try:
        model = apps.get_model(app_label, module_name)
    except LookupError:
        return permission_denied(request)
    obj = get_object_or_404(model, pk=pk)
    next = get_next(request, obj)
    if approved:
        if not request.user.has_perm("authority.add_permission"):
            return HttpResponseRedirect(
                url_for_obj("authority-add-permission-request", obj)
            )
        view_name = "authority-add-permission"
    else:
        view_name = "authority-add-permission-request"
    if request.method == "POST":
        if codename is None:
            return HttpResponseForbidden(next)
        form = form_class(
            data=request.POST,
            obj=obj,
            approved=approved,
            perm=codename,
            initial=dict(codename=codename),
        )
        if not approved:
            # Limit permission request to current user
            form.data["user"] = request.user
        if form.is_valid():
            form.save(request)
            request.user.message_set.create(
                message=_("You added a permission request.")
            )
            return HttpResponseRedirect(next)
    else:
        form = form_class(
            obj=obj, approved=approved, perm=codename, initial=dict(codename=codename)
        )
    context = {
        "form": form,
        "form_url": url_for_obj(view_name, obj),
        "next": next,
        "perm": codename,
        "approved": approved,
    }
    if extra_context:
        context.update(extra_context)
    return render_to_response(template_name, context, request)


@login_required
def approve_permission_request(request, permission_pk):
    requested_permission = get_object_or_404(Permission, pk=permission_pk)
    if request.user.has_perm("authority.approve_permission_requests"):
        requested_permission.approve(request.user)
        request.user.message_set.create(
            message=_("You approved the permission request.")
        )
    next = get_next(request, requested_permission)
    return HttpResponseRedirect(next)


@login_required
def delete_permission(request, permission_pk, approved):
    permission = get_object_or_404(Permission, pk=permission_pk, approved=approved)
    if (
        request.user.has_perm("authority.delete_foreign_permissions")
        or request.user == permission.creator
    ):
        permission.delete()
        if approved:
            msg = _("You removed the permission.")
        else:
            msg = _("You removed the permission request.")
        request.user.message_set.create(message=msg)
    next = get_next(request)
    return HttpResponseRedirect(next)


def permission_denied(request, template_name=None, extra_context=None):
    """
    Default 403 handler.

    Templates: `403.html`
    Context:
        request_path
            The path of the requested URL (e.g., '/app/pages/bad_page/')
    """
    if template_name is None:
        template_name = ("403.html", "authority/403.html")
    context = {
        "request_path": request.path,
    }
    if extra_context:
        context.update(extra_context)
    return HttpResponseForbidden(
        loader.render_to_string(
            template_name=template_name, context=context, request=request,
        )
    )