From: Guillaume Pellerin Date: Fri, 5 Jul 2013 00:15:54 +0000 (+0200) Subject: fix security access by period to course list and detail X-Git-Tag: 1.1~597 X-Git-Url: https://git.parisson.com/?a=commitdiff_plain;h=ab0fd94e8aff7d8f2db4f87fcdd23d0891211588;p=teleforma.git fix security access by period to course list and detail --- diff --git a/teleforma/templates/teleforma/courses.html b/teleforma/templates/teleforma/courses.html index f8d82139..abca6dfd 100644 --- a/teleforma/templates/teleforma/courses.html +++ b/teleforma/templates/teleforma/courses.html @@ -65,7 +65,9 @@ $(document).ready(function(){ {% block course %} +
+ {% for c in object_list %} {% with c.course as course %} {% for type in c.types %} diff --git a/teleforma/views/core.py b/teleforma/views/core.py index 7ad7870a..94155ced 100644 --- a/teleforma/views/core.py +++ b/teleforma/views/core.py @@ -204,14 +204,27 @@ class CourseView(DetailView): return super(CourseView, self).dispatch(*args, **kwargs) -class PeriodCourseView(CourseView): +class PeriodAccessMixin(object): + + def render_to_response(self, context): + period = context['period'] + if not period in get_periods(self.request.user): + messages.warning(self.request, _("You do NOT have access to this resource and then have been redirected to your desk.")) + return redirect('teleforma-home') + return super(PeriodAccessMixin, self).render_to_response(context) + + +class PeriodCourseView(PeriodAccessMixin, CourseView): def get_context_data(self, **kwargs): context = super(PeriodCourseView, self).get_context_data(**kwargs) - context['period'] = Period.objects.get(id=int(self.kwargs['period_id'])) + self.period = None + period = Period.objects.filter(id=int(self.kwargs['period_id'])) + if period: + self.period = period[0] + context['period'] = self.period return context - class CoursesView(ListView): model = Course @@ -234,10 +247,14 @@ class CoursesView(ListView): return super(CoursesView, self).dispatch(*args, **kwargs) -class PeriodListView(CoursesView): +class PeriodListView(PeriodAccessMixin, CoursesView): def get_queryset(self): - self.period = Period.objects.get(id=int(self.kwargs['period_id'])) + self.period = None + period = Period.objects.filter(id=int(self.kwargs['period_id'])) + if period: + self.period = period[0] + self.all_courses = get_courses(self.request.user, date_order=True, period=self.period) return self.all_courses[:5]
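Review bot: The access check in `PeriodAccessMixin.render_to_response` runs only at template-render time, so `get_queryset`/`get_context_data` have already loaded the period's course data by then, and any response the view builds another way never reaches it. Doing the lookup and the `get_periods` test in a `get()` override on the mixin rejects the request before course data is touched, and it still runs after the parent `dispatch`; `CourseView.dispatch` starts above this hunk, so I am assuming that is where login is enforced. The override also reads `context['period']` directly, which raises `KeyError` for `PeriodListView` (later hunk, same check) unless `CoursesView.get_context_data`, not visible here, sets that key. If the check stays in `render_to_response`, keep Django's `**response_kwargs` in the signature and write the test as `period not in get_periods(...)`.

```python
class PeriodAccessMixin(object):

    def get_period(self):
        # One lookup shared by both period views; None when the id is unknown.
        found = Period.objects.filter(id=int(self.kwargs['period_id']))
        return found[0] if found else None

    def get(self, request, *args, **kwargs):
        # Runs after the parent dispatch() and before any course query.
        self.period = self.get_period()
        if self.period is None or self.period not in get_periods(request.user):
            messages.warning(request, _("You do NOT have access to this resource and then have been redirected to your desk."))
            return redirect('teleforma-home')
        return super(PeriodAccessMixin, self).get(request, *args, **kwargs)

# … unchanged: class PeriodCourseView(PeriodAccessMixin, CourseView) …
```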
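Review bot: When no `Period` matches `period_id`, `PeriodListView.get_queryset` still calls `get_courses(self.request.user, date_order=True, period=self.period)` with `period=None`. `get_courses` is not shown in this diff, so what `None` selects is unclear; if it means "no period filter", the query covers every period and its result is kept on `self.all_courses` before the access check redirects the request. Returning early keeps an unknown id away from course data: `if self.period is None:` / `self.all_courses = []` / `return self.all_courses`. The enclosing `CoursesView` and its `get_context_data` lie outside the hunk, so confirm nothing there expects a non-empty `self.all_courses`.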