security access fix for docs and medias
authoryomguy <yomguy@parisson.com>
Thu, 14 Jun 2012 16:24:00 +0000 (18:24 +0200)
committeryomguy <yomguy@parisson.com>
Thu, 14 Jun 2012 16:24:00 +0000 (18:24 +0200)
teleforma/templates/teleforma/course_document.html
teleforma/templates/teleforma/course_media.html
teleforma/views.py

index a88f1ff50413794d6a3ab628ce4c2fcbe9ec68be..e7f71d5d74c12e93be749c8386741bf1d1f2ec62 100644 (file)
@@ -59,7 +59,7 @@ PDFJS.getDocument('{% url teleforma-document-download document.id %}').then(func
 {% if document.title %}<h4>{{ document.title }}</h4>{% endif %}
 </div>
 
-{% if not access %}
+{% if access_error %}
   <p>{{ access_error }}</p>
   <p>{{ message }}</p>
 
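Review bot: The switch to `{% if access_error %}` makes this template fail open, because the restricted branch is skipped whenever the view does not put a non-empty `access_error` in the context. Anything that renders this template without that key, or with an empty translation of the message, would fall through to the other branch, whose content is outside this hunk. I would pass an explicit boolean from the view, `context['access'] = access`, and keep the test as `{% if not access %}` so that a missing value denies. The hunk header also shows the PDF.js call to `teleforma-document-download` sitting above this check, so the real gate has to stay in the download view.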
index 770cae42fb27ca3c115b604da40589465fbd08d9..bf27a3dab5c57036a8ab62335153a69600cbe92a 100644 (file)
@@ -25,6 +25,11 @@ $(document).ready(function(){
 <div class="course_title">{{ course.title }} - {{ type }}{% if course.description %} - {{ course.description }}{% endif %}{% if media.item %} - {{ media.item }}{% endif %}
 </div>
 
+{% if access_error %}
+  <p>{{ access_error }}</p>
+  <p>{{ message }}</p>
+
+{% else %}
 <div class="media">
 
 {% if "video" in mime_type %}
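Review bot: The new `{% if access_error %}` guard only wraps `<div class="media">`, so the `course_title` div above it still prints `course.title`, `course.description` and `media.item` to a denied user. In the next hunk the `{% endif %}` closes before `{% block general_info %}`, so `media_infos` is rendered for that user as well. If titles and item metadata are meant to be private, move the `{% if access_error %}` above the title div and the `{% endif %}` below the info block. Hiding the player in the template does not protect the media file URL itself; whether that URL is served through an access-checked view is not visible in this diff and is worth confirming.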
@@ -42,6 +47,7 @@ $(document).ready(function(){
 {% endif %}
 
 </div>
+{% endif %}
 
 {% block general_info %}
 <div class="course_content" id="media_infos">
index 0122efb2d5ad8c955091aeb9635fd39957090562..2d6e023751aed59a3ecf82baa6b9ed07c0cf7f43 100755 (executable)
@@ -131,6 +131,17 @@ def get_room(content_type=None, id=None, name=None):
     return room
 
 
+def get_access(obj, courses):
+    access = False
+    for course in courses:
+        if obj.course == course['course']:
+            access = True
+    return access
+
+access_error = ugettext('Access not allowed')
+contact_message = ugettext('Please login or contact the website administator to get a private access.')
+
+
 class CourseView(DetailView):
 
     model = Course
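Review bot: `access_error` and `contact_message` are translated with `ugettext` at module import, so the text is fixed to whichever language is active when `views.py` is first loaded rather than the language of the request. `ugettext_lazy` is the usual choice for module-level strings; the file's imports are outside this hunk, so check it is available. `get_access` has no docstring saying that `courses` is a list of dicts with a `'course'` key; a one-line docstring such as `"""Return True if obj.course is one of the user's courses."""` would help, and the loop can be `return any(obj.course == c['course'] for c in courses)`. The message also carries the typo `administator`; fixing it changes the msgid, so the translation catalogs need updating at the same time.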
@@ -185,7 +196,8 @@ class MediaView(DetailView):
 
     def get_context_data(self, **kwargs):
         context = super(MediaView, self).get_context_data(**kwargs)
-        context['all_courses'] = get_courses(self.request.user)
+        all_courses = get_courses(self.request.user)
+        context['all_courses'] = all_courses
         media = self.get_object()
         view = ItemView()
         context['mime_type'] = view.item_analyze(media.item)
@@ -196,6 +208,10 @@ class MediaView(DetailView):
         content_type = ContentType.objects.get(app_label="teleforma", model="media")
         context['room'] = get_room(name=media.item.title, content_type=content_type,
                                    id=media.id)
+        access = get_access(media, all_courses)
+        if not access:
+            context['access_error'] = access_error
+            context['message'] = contact_message
         return context
 
     @method_decorator(login_required)
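Review bot: The access decision in `MediaView.get_context_data` is taken last, after `mime_type` and `room` have already been computed from the media, and a denied user still gets the normally rendered page with those values in the context. Enforcement then rests entirely on the template honouring `access_error`. Consider checking before the media-derived context is built and refusing at the view level, e.g. `if not get_access(media, all_courses): raise PermissionDenied` (from `django.core.exceptions`), or rendering a dedicated denial template. The same pattern is kept in `DocumentView.get_context_data` further down. `get_context_data` starts in the previous hunk, so its full body is not visible here.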
@@ -207,16 +223,7 @@ class DocumentView(DetailView):
 
     model = Document
     template_name='teleforma/course_document.html'
-    access_error = ugettext('Access not allowed')
-    message = ugettext('Please login or contact the website administator to get a private access.')
-
 
-    def get_access(self, obj, courses):
-        access = False
-        for course in courses:
-            if obj.course == course['course']:
-                access = True
-        return access
 
     def get_context_data(self, **kwargs):
         context = super(DocumentView, self).get_context_data(**kwargs)
@@ -229,10 +236,10 @@ class DocumentView(DetailView):
         content_type = ContentType.objects.get(app_label="teleforma", model="document")
         context['room'] = get_room(name=document.title, content_type=content_type,
                                    id=document.id)
-        access = self.get_access(document, all_courses)
+        access = get_access(document, all_courses)
         if not access:
-            context['access_error'] = self.access_error
-            context['message'] = self.message
+            context['access_error'] = access_error
+            context['message'] = contact_message
         return context
 
     @method_decorator(login_required)
@@ -242,7 +249,7 @@ class DocumentView(DetailView):
     def download(self, request, pk):
         courses = get_courses(request.user)
         document = Document.objects.get(id=pk)
-        if self.get_access(document, courses):
+        if get_access(document, courses):
             fsock = open(document.file.path, 'r')
             mimetype = mimetypes.guess_type(document.file.path)[0]
             extension = mimetypes.guess_extension(mimetype)
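Review bot: In `download`, and identically in `view` in the next hunk, the denial path of `if get_access(document, courses):` lies outside the hunk; confirm it returns an explicit 403 or redirect rather than falling through. `Document.objects.get(id=pk)` raises `DoesNotExist` for an unknown `pk`, which surfaces as a 500, whereas `get_object_or_404(Document, id=pk)` gives a clean 404. The file is opened in text mode `'r'`; `open(document.file.path, 'rb')` is the safe mode for PDFs and other binary documents. The two methods share the same lookup, check and open sequence and could call one private helper so the check cannot drift between them.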
@@ -256,7 +263,7 @@ class DocumentView(DetailView):
     def view(self, request, pk):
         courses = get_courses(request.user)
         document = Document.objects.get(id=pk)
-        if self.get_access(document, courses):
+        if get_access(document, courses):
             fsock = open(document.file.path, 'r')
             mimetype = mimetypes.guess_type(document.file.path)[0]
             extension = mimetypes.guess_extension(mimetype)