From 3f4bf9475c24e40eb389fed7518eafc70b4c5a98 Mon Sep 17 00:00:00 2001 From: reverend Date: Fri, 1 Oct 2021 23:41:34 +0200 Subject: [PATCH] #42 Restricting Acces to Place requests --- django_lostplaces/lostplaces/models/models.py | 3 ++ .../lostplaces/views/base_views.py | 20 +++++++++- .../lostplaces/views/place_views.py | 37 +++++++++++++------ 3 files changed, 48 insertions(+), 12 deletions(-) diff --git a/django_lostplaces/lostplaces/models/models.py b/django_lostplaces/lostplaces/models/models.py index 10f493b..9ed5f05 100644 --- a/django_lostplaces/lostplaces/models/models.py +++ b/django_lostplaces/lostplaces/models/models.py @@ -85,6 +85,9 @@ class Explorer(models.Model): def get_places_eligible_to_see(self): return Place.objects.all().filter(level__lte=self.level) + def is_eligible_to_see(self, place): + return place in self.get_places_eligible_to_see() + def __str__(self): return self.user.username diff --git a/django_lostplaces/lostplaces/views/base_views.py b/django_lostplaces/lostplaces/views/base_views.py index df37d5b..bc8d8e4 100644 --- a/django_lostplaces/lostplaces/views/base_views.py +++ b/django_lostplaces/lostplaces/views/base_views.py @@ -27,7 +27,8 @@ class IsAuthenticatedMixin(LoginRequiredMixin, View): permission_denied_message = _('Please login to proceed') def handle_no_permission(self): - messages.error(self.request, self.permission_denied_message) + if not self.request.user.is_authenticated: + messages.error(self.request, self.permission_denied_message) return super().handle_no_permission() class IsPlaceSubmitterMixin(UserPassesTestMixin, View): 
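Review bot: `is_eligible_to_see` in models.py tests membership with `place in self.get_places_eligible_to_see()`, which makes Django evaluate the queryset and load every eligible Place into memory to answer a yes/no question on each guarded request. Let the database do the check instead: `return self.get_places_eligible_to_see().filter(pk=place.pk).exists()`. Routing the check through `get_places_eligible_to_see()` is worth keeping, because the list view and the per-object check then share one rule. A one-line docstring such as `"""Return True if this explorer's level allows seeing place."""` would document the contract. The Explorer class continues outside the hunk.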
@@ -61,6 +62,23 @@ class IsPlaceSubmitterMixin(UserPassesTestMixin, View): messages.error(self.request, self.place_submitter_error_message) return False +class IsEligibleToSeePlaceMixin(UserPassesTestMixin): + not_eligible_to_see_message = None + + def get_place(self): + pass + + def test_func(self): + if not hasattr(self.request, 'user'): + return False + + if self.request.user.explorer.is_eligible_to_see(self.get_place()): + return True + + if self.not_eligible_to_see_message: + messages.error(self.request, self.not_eligible_to_see_message) + return False + class PlaceAssetCreateView(IsAuthenticatedMixin, SuccessMessageMixin, CreateView): """ Abstract View for creating a place asset (i.e. PlaceImage) diff --git a/django_lostplaces/lostplaces/views/place_views.py b/django_lostplaces/lostplaces/views/place_views.py index bdcee30..bb63435 100644 --- a/django_lostplaces/lostplaces/views/place_views.py +++ b/django_lostplaces/lostplaces/views/place_views.py @@ -18,7 +18,8 @@ from lostplaces.models import Place, PlaceImage from lostplaces.views.base_views import ( IsAuthenticatedMixin, IsPlaceSubmitterMixin, - LevelCapPlaceListView + LevelCapPlaceListView, + IsEligibleToSeePlaceMixin ) from lostplaces.views.place_image_views import MultiplePlaceImageUploadMixin from lostplaces.forms import PlaceForm, PlaceImageForm, TagSubmitForm @@ -39,9 +40,15 @@ class PlaceListView(IsAuthenticatedMixin, LevelCapPlaceListView): } return context -class PlaceDetailView(IsAuthenticatedMixin, View): - def get(self, request, pk): - place = get_object_or_404(Place, pk=pk) +class PlaceDetailView(IsAuthenticatedMixin, IsEligibleToSeePlaceMixin, View): + not_eligible_to_see_message = _('You\'r not allowed to see this place') + + def get_place(self): + return get_object_or_404(Place, pk=self.kwargs['pk']) + + def get(self, request, pk): + place = self.get_place() + context = { 'place': place, 'mapping_config': { 
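Review bot: `IsEligibleToSeePlaceMixin.test_func` in base_views.py guards with `hasattr(self.request, 'user')`, which is also true for an anonymous user, so the following `self.request.user.explorer` access is only safe when IsAuthenticatedMixin comes first in a view's bases. The views in this patch do list it first, but the mixin should fail closed on its own: `if not self.request.user.is_authenticated: return False`. The default `get_place` is `pass` and returns None, so a subclass that forgets to override it is denied without any hint why. `raise NotImplementedError('subclasses must implement get_place()')` makes that mistake visible. A class docstring saying that subclasses provide `get_place()` and may set `not_eligible_to_see_message` would complete it.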
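Review bot: In PlaceDetailView, `get_place` resolves the object with `get_object_or_404(Place, pk=self.kwargs['pk'])` before the eligibility test is applied, so an unknown pk answers 404 while an existing place above the user's level is refused through `handle_no_permission` (for a logged-in user Django's AccessMixin raises PermissionDenied, i.e. 403). The two different responses tell a user which ids belong to places they are not supposed to see. If that matters here, look the place up in the filtered set, `get_object_or_404(self.request.user.explorer.get_places_eligible_to_see(), pk=self.kwargs['pk'])`, so both cases answer 404. The favorite and visit views later in this file use the same pattern. Separately, `get_place` runs twice per request (once from `test_func`, once from `get`), and the message should read `You're not allowed to see this place`. The class body continues outside the hunk.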
@@ -131,10 +138,14 @@ class PlaceDeleteView(IsAuthenticatedMixin, IsPlaceSubmitterMixin, DeleteView): def get_place(self): return self.get_object() -class PlaceFavoriteView(IsAuthenticatedMixin, View): - +class PlaceFavoriteView(IsAuthenticatedMixin, IsEligibleToSeePlaceMixin, View): + not_eligible_to_see_message = _('You\'r not allowed to favorite this place') + + def get_place(self): + return get_object_or_404(Place, pk=self.kwargs['place_id']) + def get(self, request, place_id): - place = get_object_or_404(Place, id=place_id) + place = self.get_place() if request.user is not None: request.user.explorer.favorite_places.add(place) request.user.explorer.save() @@ -142,7 +153,7 @@ class PlaceFavoriteView(IsAuthenticatedMixin, View): return redirect_referer_or(request, reverse('place_detail', kwargs={'pk': place.pk})) class PlaceUnfavoriteView(IsAuthenticatedMixin, View): - + def get(self, request, place_id): place = get_object_or_404(Place, id=place_id) if request.user is not None: @@ -151,10 +162,14 @@ class PlaceUnfavoriteView(IsAuthenticatedMixin, View): return redirect_referer_or(request, reverse('place_detail', kwargs={'pk': place.pk})) -class PlaceVisitCreateView(IsAuthenticatedMixin, View): - +class PlaceVisitCreateView(IsAuthenticatedMixin, IsEligibleToSeePlaceMixin, View): + not_eligible_to_see_message = _('You\'r not allowed to visit this place :P (Now please stop trying out URL\'s)') + + def get_place(self): + return get_object_or_404(Place, pk=self.kwargs['place_id']) + def get(self, request, place_id): - place = get_object_or_404(Place, id=place_id) + place = self.get_place() if request.user is not None: request.user.explorer.visited_places.add(place) request.user.explorer.save()
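Review bot: `PlaceFavoriteView.get` (and `PlaceVisitCreateView.get` in the last hunk) still modifies the explorer's data on a GET request, so Django's CSRF protection does not cover it and a cross-site request made while the user is logged in can add the favorite or the visit. Since this patch is tightening these views anyway, move the mutation to `def post(self, request, place_id):` and submit it from a form carrying `{% csrf_token %}`. The templates that link to these URLs are not visible here and would need the matching change. PlaceUnfavoriteView, touched only for whitespace in the hunk between them, has the same GET pattern and was not given IsEligibleToSeePlaceMixin. If that omission is deliberate, a short comment there should say so. `if request.user is not None:` is always true on a Django request, so the real login check is the one done by IsAuthenticatedMixin and the condition can go.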