From 60338554383d35d44ef1ef8538c2a9415021c60b Mon Sep 17 00:00:00 2001
From: Guillaume Pellerin
Date: Fri, 19 Dec 2014 10:44:15 +0100
Subject: [PATCH] add security perms for views
---
 telemeta/views/collection.py | 15 ++++++++++++++-
 telemeta/views/core.py | 2 +-
 telemeta/views/item.py | 16 ++++++++++++++--
 telemeta/views/resource.py | 21 +++++++++++++++++++++
 4 files changed, 50 insertions(+), 4 deletions(-)
diff --git a/telemeta/views/collection.py b/telemeta/views/collection.py
index db5916eb..252ee112 100644
--- a/telemeta/views/collection.py
+++ b/telemeta/views/collection.py
@@ -324,6 +324,10 @@ class CollectionEditView(CollectionViewMixin, UpdateWithInlinesView):
 context['collection'] = collection
 return context
+ @method_decorator(permission_required('telemeta.change_mediacollection'))
+ def dispatch(self, *args, **kwargs):
+ return super(CollectionEditView, self).dispatch(*args, **kwargs)
+
 class CollectionAddView(CollectionViewMixin, CreateWithInlinesView):
@@ -333,6 +337,10 @@ class CollectionAddView(CollectionViewMixin, CreateWithInlinesView):
 def get_success_url(self):
 return reverse_lazy('telemeta-collection-detail', kwargs={'public_id':self.object.code})
+ @method_decorator(permission_required('telemeta.add_mediacollection'))
+ def dispatch(self, *args, **kwargs):
+ return super(CollectionAddView, self).dispatch(*args, **kwargs)
+
 class CollectionCopyView(CollectionAddView):
@@ -348,4 +356,9 @@ class CollectionCopyView(CollectionAddView):
 context = super(CollectionCopyView, self).get_context_data(**kwargs)
 collection = self.get_object()
 context['collection'] = collection
- return context
\ No newline at end of file
+ return context
+
+ @method_decorator(permission_required('telemeta.add_mediacollection'))
+ def dispatch(self, *args, **kwargs):
+ return super(CollectionCopyView, self).dispatch(*args, **kwargs)
+
diff --git a/telemeta/views/core.py b/telemeta/views/core.py
index e69e6097..c98f3ade 100644
--- a/telemeta/views/core.py
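Review bot: The `permission_required('telemeta.change_mediacollection')` check on `CollectionEditView.dispatch` is model-wide, so any account holding that permission can open the edit form of every collection; nothing in this hunk scopes it to the collection being edited, and if per-collection ownership matters an object-level check is still needed. Without `raise_exception=True`, a logged-in user who lacks the permission is redirected to the login page, so a denied request looks like an unauthenticated one both to the user and in the logs; consider `permission_required('telemeta.change_mediacollection', raise_exception=True)`. A one-line docstring on `dispatch` naming the permission that gates the view would also help. The same points apply to the `dispatch` overrides added for CollectionAddView, ItemEditView and ItemAddView; the class bodies start outside the hunks.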
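Review bot: The `dispatch` override on CollectionCopyView repeats a check the class already inherits: it derives from CollectionAddView, whose `dispatch` is decorated with the same `telemeta.add_mediacollection` permission in the hunk at -333, and the `super()` call here runs that decorated method again. Either drop the override or keep it with a comment such as `# explicit on purpose: copy stays gated even if CollectionAddView.dispatch changes`. Because the view loads an existing record through `self.get_object()`, it is worth confirming that the add permission alone is meant to allow reading the source collection's data into the form. ItemCopyView (hunk at -812) and ResourceCopyView (hunk at -312) carry the same duplication.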
+++ b/telemeta/views/core.py
@@ -52,7 +52,7 @@ from django.utils.decorators import method_decorator
 from django.contrib.auth import authenticate, login
 from django.template import RequestContext, loader
 from django import template
-from django.http import HttpResponse, HttpResponseRedirect
+from django.http import HttpResponse, HttpResponseRedirect, StreamingHttpResponse
 from django.http import Http404
 from django.shortcuts import render_to_response, redirect, get_object_or_404
 from django.views.generic import *
diff --git a/telemeta/views/item.py b/telemeta/views/item.py
index c70bebaa..0daabfa3 100644
--- a/telemeta/views/item.py
+++ b/telemeta/views/item.py
@@ -585,10 +585,10 @@ class ItemView(ItemBaseMixin):
 metadata=None
 proc.set_metadata(metadata)
- response = HttpResponse(stream_from_processor(decoder, proc, flag), mimetype = mime_type)
+ response = HttpResponse(stream_from_processor(decoder, proc, flag), mimetype=mime_type)
 else: # cache > stream
- response = HttpResponse(self.cache_export.read_stream_bin(file), mimetype = mime_type)
+ response = HttpResponse(self.cache_export.read_stream_bin(file), mimetype=mime_type)
 response['Content-Disposition'] = 'attachment'
 return response
@@ -764,6 +764,10 @@ class ItemEditView(ItemViewMixin, UpdateWithInlinesView):
 context['auto_zoom'] = True
 return context
+ @method_decorator(permission_required('telemeta.change_mediaitem'))
+ def dispatch(self, *args, **kwargs):
+ return super(ItemEditView, self).dispatch(*args, **kwargs)
+
 class ItemAddView(ItemViewMixin, CreateWithInlinesView):
@@ -786,6 +790,10 @@ class ItemAddView(ItemViewMixin, CreateWithInlinesView):
 def get_success_url(self):
 return reverse_lazy('telemeta-item-detail', kwargs={'public_id':self.object.code})
+ @method_decorator(permission_required('telemeta.add_mediaitem'))
+ def dispatch(self, *args, **kwargs):
+ return super(ItemAddView, self).dispatch(*args, **kwargs)
+
 class ItemCopyView(ItemAddView):
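Review bot: `StreamingHttpResponse` is imported in the core.py hunk but none of the hunks in this patch use it; the item.py hunk at -585 still hands the `stream_from_processor(...)` result to `HttpResponse`, so the import is either dead or belongs to a separate change. The `dispatch` decorators added in the other files need `permission_required` in scope, and this hunk does not add it: `method_decorator` is visible in the hunk header, `permission_required` is not. Confirm it is already imported (for example `from django.contrib.auth.decorators import permission_required`), otherwise the view modules fail at import time.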
@@ -812,6 +820,10 @@ class ItemCopyView(ItemAddView):
 context['auto_zoom'] = True
 return context
+ @method_decorator(permission_required('telemeta.add_mediaitem'))
+ def dispatch(self, *args, **kwargs):
+ return super(ItemCopyView, self).dispatch(*args, **kwargs)
+
 class ItemDetailView(ItemViewMixin, DetailView):
diff --git a/telemeta/views/resource.py b/telemeta/views/resource.py
index a4ab498e..710618c4 100644
--- a/telemeta/views/resource.py
+++ b/telemeta/views/resource.py
@@ -300,6 +300,11 @@ class ResourceAddView(ResourceMixin, CreateView):
 def get_success_url(self):
 return reverse_lazy('telemeta-resource-list', kwargs={'type':self.kwargs['type']})
+ @method_decorator(permission_required('telemeta.add_mediacorpus'))
+ @method_decorator(permission_required('telemeta.add_mediafonds'))
+ def dispatch(self, *args, **kwargs):
+ return super(ResourceAddView, self).dispatch(*args, **kwargs)
+
 class ResourceCopyView(ResourceSingleMixin, ResourceAddView):
@@ -312,6 +317,11 @@ class ResourceCopyView(ResourceSingleMixin, ResourceAddView):
 return reverse_lazy('telemeta-resource-list', kwargs={'type':self.kwargs['type']}) # return reverse_lazy('telemeta-resource-detail', kwargs={'type':self.kwargs['type'], 'public_id':self.kwargs['public_id']})
+ @method_decorator(permission_required('telemeta.add_mediacorpus'))
+ @method_decorator(permission_required('telemeta.add_mediafonds'))
+ def dispatch(self, *args, **kwargs):
+ return super(ResourceCopyView, self).dispatch(*args, **kwargs)
+
 class ResourceDeleteView(ResourceSingleMixin, DeleteView):
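Review bot: Stacking the two `permission_required` decorators on `ResourceAddView.dispatch` demands both `telemeta.add_mediacorpus` and `telemeta.add_mediafonds` on every request, although the view handles one resource type per request, selected by `self.kwargs['type']`. A user granted only the corpus permission is refused when adding a corpus, which in practice pushes administrators to hand out both permissions together and defeats per-type least privilege. Checking the single permission that matches the requested type inside `dispatch` fixes this; the sketch below assumes the type values are `corpus` and `fonds` (not visible in the hunk) and needs `PermissionDenied` from `django.core.exceptions`. The same stacking appears in the ResourceCopyView hunk at -312 and in the ResourceDeleteView and ResourceEditView hunks; the class body starts outside the hunk.

```python
    def dispatch(self, request, *args, **kwargs):
        # Type keys are assumed; an unknown type is denied rather than defaulted.
        required = {
            'corpus': 'telemeta.add_mediacorpus',
            'fonds': 'telemeta.add_mediafonds',
        }.get(kwargs.get('type'))
        # Anonymous users get a 403 here; wrap with login_required if a
        # redirect to the login page is wanted instead.
        if required is None or not request.user.has_perm(required):
            raise PermissionDenied
        return super(ResourceAddView, self).dispatch(request, *args, **kwargs)
```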
@@ -320,6 +330,11 @@ class ResourceDeleteView(ResourceSingleMixin, DeleteView):
 def get_success_url(self):
 return reverse_lazy('telemeta-resource-list', kwargs={'type':self.kwargs['type']})
+ @method_decorator(permission_required('telemeta.delete_mediacorpus'))
+ @method_decorator(permission_required('telemeta.delete_mediafonds'))
+ def dispatch(self, *args, **kwargs):
+ return super(ResourceDeleteView, self).dispatch(*args, **kwargs)
+
 class ResourceEditView(ResourceSingleMixin, UpdateWithInlinesView):
@@ -327,3 +342,9 @@ class ResourceEditView(ResourceSingleMixin, UpdateWithInlinesView):
 def get_success_url(self):
 return reverse_lazy('telemeta-resource-detail', kwargs={'type':self.kwargs['type'], 'public_id':self.kwargs['public_id']})
+
+ @method_decorator(permission_required('telemeta.change_mediacorpus'))
+ @method_decorator(permission_required('telemeta.change_mediafonds'))
+ def dispatch(self, *args, **kwargs):
+ return super(ResourceEditView, self).dispatch(*args, **kwargs)
+
-- 
2.39.5
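Review bot: ResourceDeleteView is the only delete path this patch guards; the collection.py and item.py hunks add checks to the edit, add and copy views only. If delete views for collections and items exist outside these hunks, they need the matching `telemeta.delete_mediacollection` and `telemeta.delete_mediaitem` checks, otherwise deletion stays reachable with weaker rights than editing. Whether such views exist cannot be told from the patch, so this is a coverage check to run against the URL configuration before merging.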