
Add permission checks

Denis K 8 years ago
parent
commit
c6472645c5
4 changed files with 30 additions and 3 deletions
  1. 8 2
      jet/dashboard/forms.py
  2. 8 0
      jet/dashboard/views.py
  3. 13 0
      jet/forms.py
  4. 1 1
      jet/views.py

+ 8 - 2
jet/dashboard/forms.py

@@ -17,6 +17,9 @@ class UpdateDashboardModulesForm(forms.Form):
     def clean(self):
         data = super(UpdateDashboardModulesForm, self).clean()
 
+        if not self.request.user.is_authenticated():
+            raise ValidationError('error')
+
         try:
             modules = json.loads(data['modules'])
 
@@ -65,6 +68,9 @@ class AddUserDashboardModuleForm(forms.ModelForm):
     def clean(self):
         data = super(AddUserDashboardModuleForm, self).clean()
 
+        if not self.request.user.is_authenticated():
+            raise ValidationError('error')
+
         if 'app_label' in data:
             index_dashboard_cls = get_current_dashboard('app_index' if data['app_label'] else 'index')
             index_dashboard = index_dashboard_cls({'request': self.request}, app_label=data['app_label'])
@@ -104,7 +110,7 @@ class UpdateDashboardModuleCollapseForm(forms.ModelForm):
     def clean(self):
         data = super(UpdateDashboardModuleCollapseForm, self).clean()
 
-        if self.instance.user != self.request.user.pk:
+        if not self.request.user.is_authenticated() or self.instance.user != self.request.user.pk:
             raise ValidationError('error')
 
         return data
@@ -122,7 +128,7 @@ class RemoveDashboardModuleForm(forms.ModelForm):
     def clean(self):
         cleaned_data = super(RemoveDashboardModuleForm, self).clean()
 
-        if self.instance.user != self.request.user.pk:
+        if not self.request.user.is_authenticated() or self.instance.user != self.request.user.pk:
             raise ValidationError('error')
 
         return cleaned_data
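Review bot: The guards added at the top of `UpdateDashboardModulesForm.clean` and `AddUserDashboardModuleForm.clean` only require `self.request.user.is_authenticated()`, whereas the view added in the same commit gates on `is_active and is_staff`; an ordinary logged-in non-staff account therefore still passes these form-level checks and can create or rewrite its own dashboard-module rows through what are admin forms. Aligning them is a one-line change per form, `if not (self.request.user.is_active and self.request.user.is_staff):` (AnonymousUser has both flags False, so the separate authentication test becomes redundant), and the two collapse/remove conditions can fold the same test in ahead of the ownership comparison. Raising `ValidationError('error')` also turns an authorization failure into a 200 with a form error that callers cannot distinguish from bad input; the view layer should reject before the form is built and return 403. All four `clean` methods belong to classes whose headers, and in the first two cases the remainder of the method, lie outside the hunks.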

+ 8 - 0
jet/dashboard/views.py

@@ -1,6 +1,7 @@
 from django.contrib import messages
 from django.core.urlresolvers import reverse
 from django.forms.formsets import formset_factory
+from django.http import HttpResponseRedirect
 from django.views.decorators.http import require_POST, require_GET
 from jet.dashboard.forms import UpdateDashboardModulesForm, AddUserDashboardModuleForm, \
     UpdateDashboardModuleCollapseForm, RemoveDashboardModuleForm, ResetDashboardForm
@@ -18,6 +19,9 @@ class UpdateDashboardModuleView(SuccessMessageMixin, UpdateView):
     object = None
     module = None
 
+    def has_permission(self, request):
+        return request.user.is_active and request.user.is_staff
+
     def get_success_url(self):
         if self.object.app_label:
             return reverse('admin:app_list', kwargs={'app_label': self.object.app_label})
@@ -92,6 +96,10 @@ class UpdateDashboardModuleView(SuccessMessageMixin, UpdateView):
         return data
 
     def dispatch(self, request, *args, **kwargs):
+        if not self.has_permission(request):
+            index_path = reverse('admin:index')
+            return HttpResponseRedirect(index_path)
+
         self.object = self.get_object()
         self.module = self.get_module()(model=self.object)
         return super(UpdateDashboardModuleView, self).dispatch(request, *args, **kwargs)
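Review bot: `has_permission` confirms staff status but nothing in this hunk ties the module being edited to the requesting user: `self.get_object()` on the line after the new check is defined outside the hunk, and unless it restricts the lookup to `user=request.user.pk` any staff member can update another user's module by id, which the collapse/remove forms in this same commit explicitly forbid. Filtering the queryset used by `get_object` on `user=request.user.pk`, or checking `self.object.user != request.user.pk` right after the lookup and raising `PermissionDenied`, would close that gap; I am assuming the field is `user` from the forms' comparisons. Redirecting unauthorized callers to `admin:index` rather than returning 403 also hides the failure from access logs, so `raise PermissionDenied` from `django.core.exceptions` is the more conventional response here. The class continues outside both hunks.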

+ 13 - 0
jet/forms.py

@@ -67,6 +67,12 @@ class ToggleApplicationPinForm(forms.ModelForm):
         model = PinnedApplication
         fields = ['app_label']
 
+    def clean(self):
+        data = super(ToggleApplicationPinForm, self).clean()
+        if not self.request.user.is_authenticated():
+            raise ValidationError('error')
+        return data
+
     def save(self, commit=True):
         if commit:
             try:
@@ -93,9 +99,16 @@ class ModelLookupForm(forms.Form):
     object_id = forms.IntegerField(required=False)
     model_cls = None
 
+    def __init__(self, request, *args, **kwargs):
+        self.request = request
+        super(ModelLookupForm, self).__init__(*args, **kwargs)
+
     def clean(self):
         data = super(ModelLookupForm, self).clean()
 
+        if not self.request.user.is_authenticated():
+            raise ValidationError('error')
+
         try:
             self.model_cls = get_model(data['app_label'], data['model'])
         except:
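Review bot: `ModelLookupForm.clean` now requires only `is_authenticated()` before resolving `get_model(data['app_label'], data['model'])` from request parameters, so any logged-in non-staff user can still drive a lookup against an arbitrary model; the `lookup()` body is outside the hunk, but nothing visible checks staff status or a per-model permission. The check should match the view-side rule (`is_active and is_staff`) and, once the model has been resolved, confirm `user.has_perm()` for that model (its change permission is the natural choice, or whatever the project's ModelAdmin requires), as sketched below. The same `is_authenticated()`-only test was added to `ToggleApplicationPinForm.clean`; pinned applications are presumably per-user so it is less exposed, but it should apply the same staff rule for consistency. Both methods continue outside the hunk, including the `except:` branch at its end, so the placement of the second check after that branch is a proposal to confirm against the full method.
```python
    def clean(self):
        data = super(ModelLookupForm, self).clean()

        user = self.request.user
        # dashboard lookups are an admin feature: staff only, as in the views
        if not (user.is_active and user.is_staff):
            raise ValidationError('error')

        try:
            self.model_cls = get_model(data['app_label'], data['model'])
        except:
            # … unchanged: handling of an unknown app_label/model …
        # … unchanged: remaining validation …
        # per-model authorization; change_* is what ModelAdmin requires to touch rows
        opts = self.model_cls._meta
        if not user.has_perm('%s.change_%s' % (opts.app_label, opts.model_name)):
            raise ValidationError('error')
```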

+ 1 - 1
jet/views.py

@@ -58,7 +58,7 @@ def toggle_application_pin_view(request):
 def model_lookup_view(request):
     result = {'error': False}
 
-    form = ModelLookupForm(request.GET)
+    form = ModelLookupForm(request, request.GET)
 
     if form.is_valid():
         items, total = form.lookup()
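Review bot: `ToggleApplicationPinForm.clean` in this commit reads `self.request.user`, yet `toggle_application_pin_view` (the context line in this hunk's header) is left unchanged while `model_lookup_view` had to gain the `request` argument; if that form's `__init__` does not already store `request`, its new check fails with `AttributeError` instead of rejecting the caller — worth confirming, since neither `__init__` is visible here. With the permission test now inside the form, an unauthorized caller of `model_lookup_view` receives the ordinary `{'error': True}` payload and, presumably, a 200; answering with `HttpResponseForbidden` (or `JsonResponse(result, status=403)`) when the failure is authorization rather than input would let clients and logs tell the two apart. The view continues outside the hunk.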