From aa732a4ec0a5db4019cecf431a3a948d056504ef Mon Sep 17 00:00:00 2001 From: Skia Date: Mon, 7 Dec 2015 17:23:52 +0100 Subject: [PATCH] WIP: Add custom 403 and 404, but break a bit the permissions! To be fixed --- core/templates/core/403.html | 8 ++++++++ core/templates/core/404.html | 9 +++++++++ core/views/__init__.py | 29 ++++++++++++++++++++++++----- sith/urls.py | 3 +++ 4 files changed, 44 insertions(+), 5 deletions(-) create mode 100644 core/templates/core/403.html create mode 100644 core/templates/core/404.html diff --git a/core/templates/core/403.html b/core/templates/core/403.html new file mode 100644 index 00000000..8e8c65a1 --- /dev/null +++ b/core/templates/core/403.html @@ -0,0 +1,8 @@ +{% extends "core/base.html" %} + +{% block content %} + +

403, Forbidden

+ +{% endblock %} + diff --git a/core/templates/core/404.html b/core/templates/core/404.html new file mode 100644 index 00000000..46d4abe2 --- /dev/null +++ b/core/templates/core/404.html @@ -0,0 +1,9 @@ +{% extends "core/base.html" %} + +{% block content %} + +

404, Not Found

+ +{% endblock %} + + diff --git a/core/views/__init__.py b/core/views/__init__.py index f569d411..989eb5bb 100644 --- a/core/views/__init__.py +++ b/core/views/__init__.py @@ -1,10 +1,18 @@ +from django.shortcuts import render from django.http import HttpResponseForbidden from django.core.exceptions import PermissionDenied from django.views.generic.base import View from core.models import Group +def forbidden(request): + return render(request, "core/403.html") + +def not_found(request): + return render(request, "core/404.html") + + # TODO: see models.py's TODO! class CanEditPropMixin(View): """ @@ -19,8 +27,11 @@ class CanEditPropMixin(View): user = self.request.user if obj is None: return res + # TODO: add permission scale validation, to allow some groups other than superuser to manipulate + # all objects of a class if they are in the right group if user.is_superuser or user.groups.filter(name=obj.owner_group.name).exists(): return res + raise PermissionDenied return HttpResponseForbidden("403, Forbidden") class CanEditMixin(CanEditPropMixin): @@ -29,8 +40,12 @@ class CanEditMixin(CanEditPropMixin): object """ def dispatch(self, request, *arg, **kwargs): - res = super(CanEditMixin, self).dispatch(request, *arg, **kwargs) - if res.status_code != 403: + # TODO: WIP: fix permissions with exceptions! + try: + res = super(CanEditMixin, self).dispatch(request, *arg, **kwargs) + except PermissionDenied: + pass + except: return res obj = self.object user = self.request.user @@ -40,7 +55,8 @@ class CanEditMixin(CanEditPropMixin): if user.groups.filter(name=g.name).exists(): return super(CanEditPropMixin, self).dispatch(request, *arg, **kwargs) if isinstance(obj, User) and obj == user: - return super(CanEditPropMixin, self).dispatch(request, *arg, **kwargs) + return super(CanEditPropMixin, self).dispatch(request, *arg, **kwargs) + raise PermissionDenied return HttpResponseForbidden("403, Forbidden") class CanViewMixin(CanEditMixin): 
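Review bot: Both new handlers, `forbidden` and `not_found`, return the rendered template with the default status 200, because `render()` is called without `status`. Once `handler403`/`handler404` point at them, a denied or missing page is reported to clients, caches, crawlers and log-based monitoring as a success, which hides access-control denials from detection. Pass the code explicitly: `return render(request, "core/403.html", status=403)` and `return render(request, "core/404.html", status=404)`. Newer Django releases also pass an `exception` argument to these handlers, so accepting `exception=None` keeps them forward-compatible.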
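Review bot: The added `raise PermissionDenied` in `CanEditPropMixin.dispatch` makes the `return HttpResponseForbidden("403, Forbidden")` line after it unreachable; delete that line so the method has a single denial path. The same dead `return` is left behind after the `raise PermissionDenied` added at the end of `CanEditMixin.dispatch`. Separately, `res` is returned on the allowed path, so it appears to be produced before the check runs (its assignment is outside this hunk). If it comes from the parent `dispatch`, the view's handler has already executed by the time the exception is raised, and the check should be moved ahead of that call.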
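Review bot: The bare `except: return res` in `CanEditMixin.dispatch` references `res` on a path where the assignment never completed, so any exception other than `PermissionDenied` (an `Http404`, for instance) is replaced by an `UnboundLocalError` and surfaces as a 500. The success path is also lost: when the parent `dispatch` returns normally nothing returns `res`, so a user who passed the owner check falls through to the edit-group checks and can still end in `raise PermissionDenied`. Returning directly from the `try`, `return super(CanEditMixin, self).dispatch(request, *arg, **kwargs)`, and keeping only `except PermissionDenied: pass` fixes both. `CanViewMixin.dispatch` in the next hunk has the identical `try`/`except` and needs the same change. The method body continues outside this hunk.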
@@ -49,8 +65,11 @@ class CanViewMixin(CanEditMixin): the object """ def dispatch(self, request, *arg, **kwargs): - res = super(CanViewMixin, self).dispatch(request, *arg, **kwargs) - if res.status_code != 403: + try: + res = super(CanViewMixin, self).dispatch(request, *arg, **kwargs) + except PermissionDenied: + pass + except: return res obj = self.object user = self.request.user diff --git a/sith/urls.py b/sith/urls.py index a76c6f4e..aacf3e11 100644 --- a/sith/urls.py +++ b/sith/urls.py @@ -16,6 +16,9 @@ Including another URLconf from django.conf.urls import include, url from django.contrib import admin +handler403 = "core.views.forbidden" +handler404 = "core.views.not_found" + urlpatterns = [ url(r'^', include('core.urls', namespace="core", app_name="core")), url(r'^admin/', include(admin.site.urls)),