From: yomguy
Date: Thu, 14 Jun 2012 15:16:45 +0000 (+0200)
Subject: security fix for document access
X-Git-Tag: 0.5.4~1
X-Git-Url: https://git.parisson.com/?a=commitdiff_plain;h=ef36378d1dbef6cf2ddd86722fa319713f70dd62;p=teleforma.git
security fix for document access
---
diff --git a/teleforma/templates/teleforma/course_document.html b/teleforma/templates/teleforma/course_document.html
index 18cacf11..a88f1ff5 100644
--- a/teleforma/templates/teleforma/course_document.html
+++ b/teleforma/templates/teleforma/course_document.html
@@ -55,12 +55,19 @@ PDFJS.getDocument('{% url teleforma-document-download document.id %}').then(func {% block course %}
-
{{ document.title }}{% if document.description %} - {{ document.description }}{% endif %} +
{{ document.course.title }}{% for type in document.course_type.all%} - {{ type }}{% endfor %}{% if document.type %} - {{ document.type }}{% endif %}
+{% if document.title %}

{{ document.title }}

{% endif %}
+{% if not access %}
+

{{ access_error }}

+

{{ message }}

+
+{% else %}
+{% endif %}
 {% block general_info %}
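Review bot: `{% if not access %}` tests a context variable that the view never provides — `DocumentView.get_context_data` in views.py computes `access` locally and only stores `access_error` and `message` when it is false — so, unless something outside this commit injects `access`, this template always renders the error block and never reaches the `{% else %}` branch that shows the document. The one-line fix belongs in `get_context_data`, right after the check: `context['access'] = access`. Alternatively test `{% if access_error %}` here, which the view does set; either way the template and the view have to agree on the name. The surrounding `{% block course %}` appears to continue past the end of this hunk.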
diff --git a/teleforma/templates/teleforma/inc/document_list.html b/teleforma/templates/teleforma/inc/document_list.html
index 04de9caa..42ad3422 100644
--- a/teleforma/templates/teleforma/inc/document_list.html
+++ b/teleforma/templates/teleforma/inc/document_list.html
@@ -22,7 +22,7 @@ {% for document in course.document.all|from_course_type:type|from_doc_type:doc_type %} - {% if document.file %}{% endif %}{{ document.title }}{% if document.file %}{% endif %} + {% if document.file %}{% endif %}{{ document.title }}{% if document.file %}{% endif %} {% if document.is_annal %} yes 
diff --git a/teleforma/urls.py b/teleforma/urls.py
index ef785f15..86af5fbd 100644
--- a/teleforma/urls.py
+++ b/teleforma/urls.py
@@ -44,6 +44,7 @@ from jsonrpc import jsonrpc_site
 htdocs_forma = os.path.dirname(__file__) + '/static/teleforma/'
 user_export = UsersXLSExport()
 profile_view = ProfileView()
+document = DocumentView()
 urlpatterns = patterns('',
 # url(r'^$', HomeView.as_view(), name='teleforma-home'),
@@ -53,13 +54,19 @@ urlpatterns = patterns('',
 # Telemeta
 url(r'^', include('telemeta.urls')),
+ # Desk
 url(r'^desk/$', CoursesView.as_view(), name="teleforma-desk"),
 url(r'^desk/courses/(?P.*)/$', CourseView.as_view(), name="teleforma-course-detail"),
 url(r'^desk/medias/(?P.*)/$', MediaView.as_view(), name="teleforma-media-detail"),
- url(r'^desk/documents/(?P.*)/view/$', document_view, name="teleforma-document-detail"),
- url(r'^desk/documents/(?P.*)/download/$', document_download, name="teleforma-document-download"),
+ url(r'^desk/documents/(?P.*)/detail/$', DocumentView.as_view(),
+ name="teleforma-document-detail"),
+ url(r'^desk/documents/(?P.*)/download/$', document.download,
+ name="teleforma-document-download"),
+ url(r'^desk/documents/(?P.*)/view/$', document.view,
+ name="teleforma-document-view"),
 # url(r'^desk/documents/(?P.*)/view/$', document_view, name="teleforma-document-view"),
- url(r'^desk/conferences/(?P.*)/$', ConferenceView.as_view(), name="teleforma-conference-detail"),
+ url(r'^desk/conferences/(?P.*)/$', ConferenceView.as_view(),
+ name="teleforma-conference-detail"),
 # Postman
 url(r'^messages/', include('postman.urls')),
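Review bot: `document.download` and `document.view` are wired here as bare bound methods of a module-level `DocumentView()` instance, so the `login_required` that the class applies to `dispatch` never runs for these two URLs — that decorator only takes effect through `as_view()`. An anonymous request therefore reaches `get_courses(request.user)` with an `AnonymousUser`, and whether that yields an empty course list, an exception, or something else is not visible in this commit, so the access decision currently rests on an unstated assumption. Make the requirement explicit at the wiring, `url(r'^desk/documents/(?P<pk>.*)/download/$', login_required(document.download), name="teleforma-document-download")` and likewise for `view` (importing `login_required` from `django.contrib.auth.decorators` if urls.py does not already), or decorate both methods with `@method_decorator(login_required)` in views.py. The `(?P.*)` groups as printed have lost their `<pk>` name; presumably an extraction artefact, since the methods take `pk` as a keyword.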
@@ -72,13 +79,15 @@ urlpatterns = patterns('',
 url(r'^users/all/export/$', user_export.all, name="teleforma-users-xls-export"),
 url(r'^users/by_training/(\w+)/$', UsersTrainingView.as_view(), name="teleforma-training-users"),
- url(r'^users/by_training/(?P.*)/export/$', user_export.by_training, name="teleforma-training-users-export"),
+ url(r'^users/by_training/(?P.*)/export/$', user_export.by_training,
+ name="teleforma-training-users-export"),
 url(r'^users/by_iej/(\w+)/$', UsersIejView.as_view(), name="teleforma-iej-users"),
 url(r'^users/by_iej/(?P.*)/export/$', user_export.by_iej, name="teleforma-iej-users-export"),
 url(r'^users/by_course/(\w+)/$', UsersCourseView.as_view(), name="teleforma-course-users"),
- url(r'^users/by_course/(?P.*)/export/$', user_export.by_course, name="teleforma-course-users-export"),
+ url(r'^users/by_course/(?P.*)/export/$', user_export.by_course,
+ name="teleforma-course-users-export"),
 # CSS+Images (FIXME: for developement only)
diff --git a/teleforma/views.py b/teleforma/views.py
index b8fefac7..0122efb2 100755
--- a/teleforma/views.py
+++ b/teleforma/views.py
@@ -118,23 +118,6 @@ def stream_from_file(__file):
 break
 yield __chunk
-def document_download(request, pk):
- document = Document.objects.get(id=pk)
- fsock = open(document.file.path, 'r')
- mimetype = mimetypes.guess_type(document.file.path)[0]
- extension = mimetypes.guess_extension(mimetype)
- response = HttpResponse(fsock, mimetype=mimetype)
- response['Content-Disposition'] = "attachment; filename=%s%s" % \
- (document.title.encode('utf8'), extension)
- return response
-
-def document_view(request, pk):
- document = Document.objects.get(id=pk)
- fsock = open(document.file.path, 'r')
- mimetype = mimetypes.guess_type(document.file.path)[0]
- extension = mimetypes.guess_extension(mimetype)
- response = HttpResponse(fsock, mimetype=mimetype)
- return response
 def get_room(content_type=None, id=None, name=None):
 rooms = jqchat.models.Room.objects.filter(content_type=content_type,
@@ -224,10 +207,21 @@ class DocumentView(DetailView):
 model = Document
 template_name='teleforma/course_document.html'
+ access_error = ugettext('Access not allowed')
+ message = ugettext('Please login or contact the website administator to get a private access.')
+
+
+ def get_access(self, obj, courses):
+ access = False
+ for course in courses:
+ if obj.course == course['course']:
+ access = True
+ return access
 def get_context_data(self, **kwargs):
 context = super(DocumentView, self).get_context_data(**kwargs)
- context['courses'] = get_courses(self.request.user)
+ all_courses = get_courses(self.request.user)
+ context['all_courses'] = all_courses
 document = self.get_object()
 # context['mime_type'] = view.item_analyze(media.item)
 context['course'] = document.course
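Review bot: The user-facing `message` string has a typo, `administator`, and because it passes through `ugettext` that misspelling also becomes the translation msgid, so fix it before translators pick it up: `message = ugettext('Please login or contact the website administrator to get a private access.')`. On the same two lines, `ugettext` in a class body is evaluated once at import time in whatever language is then active, so these strings will never follow the requesting user's locale; `ugettext_lazy` is the usual choice for class attributes. `get_access` keeps scanning after it has found a match and carries a flag for it; `return any(obj.course == course['course'] for course in courses)` states the membership test directly. Renaming the context key from `courses` to `all_courses` will silently blank any included template that still reads `courses`, and nothing in this commit updates one, so that is worth grepping for. The -118 hunk above is pure deletion, and the bodies of `stream_from_file` and `get_room` lie outside the hunks.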
@@ -235,12 +229,42 @@ class DocumentView(DetailView):
 content_type = ContentType.objects.get(app_label="teleforma", model="document")
 context['room'] = get_room(name=document.title, content_type=content_type, id=document.id)
+ access = self.get_access(document, all_courses)
+ if not access:
+ context['access_error'] = self.access_error
+ context['message'] = self.message
 return context
 @method_decorator(login_required)
 def dispatch(self, *args, **kwargs):
 return super(DocumentView, self).dispatch(*args, **kwargs)
+ def download(self, request, pk):
+ courses = get_courses(request.user)
+ document = Document.objects.get(id=pk)
+ if self.get_access(document, courses):
+ fsock = open(document.file.path, 'r')
+ mimetype = mimetypes.guess_type(document.file.path)[0]
+ extension = mimetypes.guess_extension(mimetype)
+ response = HttpResponse(fsock, mimetype=mimetype)
+ response['Content-Disposition'] = "attachment; filename=%s%s" % \
+ (document.title.encode('utf8'), extension)
+ return response
+ else:
+ return redirect('teleforma-document-detail', document.id)
+
+ def view(self, request, pk):
+ courses = get_courses(request.user)
+ document = Document.objects.get(id=pk)
+ if self.get_access(document, courses):
+ fsock = open(document.file.path, 'r')
+ mimetype = mimetypes.guess_type(document.file.path)[0]
+ extension = mimetypes.guess_extension(mimetype)
+ response = HttpResponse(fsock, mimetype=mimetype)
+ return response
+ else:
+ return redirect('teleforma-document-detail', document.id)
+
 class ConferenceView(DetailView):
 model = Conference
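Review bot: In both `download` and `view`, `Document.objects.get(id=pk)` raises `DoesNotExist` for an unknown pk, which surfaces as a 500 rather than a 404; `get_object_or_404(Document, pk=pk)` (from `django.shortcuts`, if not already imported) is the usual fix. The `Content-Disposition` value splices the raw title in unquoted, so a title containing a space, `;` or `"` yields a malformed header and a mangled download name — Django only rejects CR/LF in header values — and the `open()` handle is never closed while `HttpResponse` consumes it, even though a `stream_from_file` generator appears to exist earlier in this module. The two methods also duplicate the lookup-check-open sequence, so the two access checks can drift apart over time; moving the security decision into one shared helper, as sketched below, keeps it in a single place. `ConferenceView` continues past the end of the hunk.
```python
    def _serve(self, request, pk, as_attachment):
        """Look up a document, enforce course access, and stream its file.

        Redirects to the detail page (which renders the access error) when
        none of the user's courses matches the document's course.
        """
        document = get_object_or_404(Document, pk=pk)  # 404, not 500, for a bad pk
        if not self.get_access(document, get_courses(request.user)):
            return redirect('teleforma-document-detail', document.id)
        path = document.file.path
        mimetype = mimetypes.guess_type(path)[0]
        response = HttpResponse(stream_from_file(path), mimetype=mimetype)
        if as_attachment:
            extension = mimetypes.guess_extension(mimetype) if mimetype else ''
            # Quote the filename: a title may contain spaces, ';' or '"'.
            filename = document.title.encode('utf8').replace('"', '')
            response['Content-Disposition'] = 'attachment; filename="%s%s"' % (filename, extension)
        return response

    def download(self, request, pk):
        return self._serve(request, pk, as_attachment=True)

    def view(self, request, pk):
        return self._serve(request, pk, as_attachment=False)
```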