From 21b487d8e0b11b431d520427dd7feaea5fde0c32 Mon Sep 17 00:00:00 2001
From: yomguy
Date: Thu, 14 Jun 2012 18:24:00 +0200
Subject: [PATCH] security access fix for docs and medias
---
 .../templates/teleforma/course_document.html | 2 +-
 .../templates/teleforma/course_media.html | 6 +++
 teleforma/views.py | 37 +++++++++++--------
 3 files changed, 29 insertions(+), 16 deletions(-)
diff --git a/teleforma/templates/teleforma/course_document.html b/teleforma/templates/teleforma/course_document.html
index a88f1ff5..e7f71d5d 100644
--- a/teleforma/templates/teleforma/course_document.html
+++ b/teleforma/templates/teleforma/course_document.html
@@ -59,7 +59,7 @@ PDFJS.getDocument('{% url teleforma-document-download document.id %}').then(func
 {% if document.title %}

{{ document.title }}

 {% endif %}
-{% if not access %}
+{% if access_error %}

{{ access_error }}

{{ message }}

diff --git a/teleforma/templates/teleforma/course_media.html b/teleforma/templates/teleforma/course_media.html
index 770cae42..bf27a3da 100644
--- a/teleforma/templates/teleforma/course_media.html
+++ b/teleforma/templates/teleforma/course_media.html
@@ -25,6 +25,11 @@ $(document).ready(function(){
{{ course.title }} - {{ type }}{% if course.description %} - {{ course.description }}{% endif %}{% if media.item %} - {{ media.item }}{% endif %}
+{% if access_error %} +

{{ access_error }}

+

{{ message }}

+ +{% else %}
 {% if "video" in mime_type %}
@@ -42,6 +47,7 @@ $(document).ready(function(){
 {% endif %}
+{% endif %}
 {% block general_info %}
diff --git a/teleforma/views.py b/teleforma/views.py
index 0122efb2..2d6e0237 100755
--- a/teleforma/views.py
+++ b/teleforma/views.py
@@ -131,6 +131,17 @@ def get_room(content_type=None, id=None, name=None):
     return room
+def get_access(obj, courses):
+    access = False
+    for course in courses:
+        if obj.course == course['course']:
+            access = True
+    return access
+
+access_error = ugettext('Access not allowed')
+contact_message = ugettext('Please login or contact the website administator to get a private access.')
+
+
 class CourseView(DetailView):
     model = Course
@@ -185,7 +196,8 @@ class MediaView(DetailView):
     def get_context_data(self, **kwargs):
         context = super(MediaView, self).get_context_data(**kwargs)
-        context['all_courses'] = get_courses(self.request.user)
+        all_courses = get_courses(self.request.user)
+        context['all_courses'] = all_courses
         media = self.get_object()
         view = ItemView()
         context['mime_type'] = view.item_analyze(media.item)
@@ -196,6 +208,10 @@ class MediaView(DetailView):
         content_type = ContentType.objects.get(app_label="teleforma", model="media")
         context['room'] = get_room(name=media.item.title, content_type=content_type, id=media.id)
+        access = get_access(media, all_courses)
+        if not access:
+            context['access_error'] = access_error
+            context['message'] = contact_message
         return context
     @method_decorator(login_required)
@@ -207,16 +223,7 @@ class DocumentView(DetailView):
     model = Document
     template_name='teleforma/course_document.html'
-    access_error = ugettext('Access not allowed')
-    message = ugettext('Please login or contact the website administator to get a private access.')
-
-    def get_access(self, obj, courses):
-        access = False
-        for course in courses:
-            if obj.course == course['course']:
-                access = True
-        return access
     def get_context_data(self, **kwargs):
         context = super(DocumentView, self).get_context_data(**kwargs)
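Review bot: `access_error` and `contact_message` are built with `ugettext()` at module import, so each string is translated once in whatever language is active when views.py is first imported and then reused for every request; module-level strings should use the lazy form, `access_error = ugettext_lazy('Access not allowed')`, with `ugettext_lazy` imported alongside `ugettext` (that import line is outside the hunk). The message moved here also carries the typo `administator`. `get_access` would read more clearly as `return any(obj.course == course['course'] for course in courses)`, and deserves a one-line docstring saying it grants access only when `obj.course` matches the `'course'` entry of one of `courses` and otherwise denies, which makes the fail-closed default explicit for the callers that gate file downloads on it.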
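Review bot: The new lines in `MediaView.get_context_data` only add `access_error` and `message` to the template context, so an unauthorised user has the player hidden by course_media.html, but nothing in this commit gates the media file itself the way `DocumentView.download` and `DocumentView.view` now do with `get_access`; if a view serving media items exists elsewhere in this file, it presumably needs the same server-side check, since a template branch is not an access control. The same four lines reappear verbatim in `DocumentView.get_context_data` in the `-229,10 +236,10` hunk; a small shared helper, e.g. `def add_access_context(context, obj, courses):`, would keep the two views in step when the messages or the check change.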
@@ -229,10 +236,10 @@ class DocumentView(DetailView):
         content_type = ContentType.objects.get(app_label="teleforma", model="document")
         context['room'] = get_room(name=document.title, content_type=content_type, id=document.id)
-        access = self.get_access(document, all_courses)
+        access = get_access(document, all_courses)
         if not access:
-            context['access_error'] = self.access_error
-            context['message'] = self.message
+            context['access_error'] = access_error
+            context['message'] = contact_message
         return context
     @method_decorator(login_required)
@@ -242,7 +249,7 @@ class DocumentView(DetailView):
     def download(self, request, pk):
         courses = get_courses(request.user)
         document = Document.objects.get(id=pk)
-        if self.get_access(document, courses):
+        if get_access(document, courses):
             fsock = open(document.file.path, 'r')
             mimetype = mimetypes.guess_type(document.file.path)[0]
             extension = mimetypes.guess_extension(mimetype)
@@ -256,7 +263,7 @@ class DocumentView(DetailView):
     def view(self, request, pk):
         courses = get_courses(request.user)
         document = Document.objects.get(id=pk)
-        if self.get_access(document, courses):
+        if get_access(document, courses):
             fsock = open(document.file.path, 'r')
             mimetype = mimetypes.guess_type(document.file.path)[0]
             extension = mimetypes.guess_extension(mimetype)
-- 
2.39.5
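Review bot: The denial path of `download` is outside this hunk, so it is not visible what a user without access receives when `get_access(document, courses)` is false; since the same guard now protects `view` in the following `-256,7 +263,7` hunk, confirm both methods return an explicit forbidden response on that path rather than falling through to `None`, which Django reports as a server error. The guarded branch opens the document with `open(document.file.path, 'r')`, text mode, although the response type is derived from `mimetypes`; `with open(document.file.path, 'rb') as fsock:` would make the binary handling and the handle's lifetime explicit, though that line is unchanged by this commit. Both `download` and `view` continue past the end of their hunks.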