#42 Restricting Acces to Place requests

django_lostplaces/lostplaces/models/models.py

@@ -85,6 +85,9 @@ class Explorer(models.Model):
     def get_places_eligible_to_see(self):
         return Place.objects.all().filter(level__lte=self.level)
 
+    def is_eligible_to_see(self, place):
+        return place in self.get_places_eligible_to_see()
+
     def __str__(self):
         return self.user.username
 

django_lostplaces/lostplaces/views/base_views.py

@@ -27,6 +27,7 @@ class IsAuthenticatedMixin(LoginRequiredMixin, View):
     permission_denied_message = _('Please login to proceed')
 
     def handle_no_permission(self):
+        if not self.request.user.is_authenticated:
             messages.error(self.request, self.permission_denied_message)
         return super().handle_no_permission()
 
@@ -61,6 +62,23 @@ class IsPlaceSubmitterMixin(UserPassesTestMixin, View):
             messages.error(self.request, self.place_submitter_error_message)
         return False
 
+class IsEligibleToSeePlaceMixin(UserPassesTestMixin):
+    not_eligible_to_see_message = None
+
+    def get_place(self):
+        pass
+
+    def test_func(self):
+        if not hasattr(self.request, 'user'):
+            return False
+
+        if self.request.user.explorer.is_eligible_to_see(self.get_place()):
+            return True
+
+        if self.not_eligible_to_see_message:
+            messages.error(self.request, self.not_eligible_to_see_message)
+        return False
+
 class PlaceAssetCreateView(IsAuthenticatedMixin, SuccessMessageMixin, CreateView):
     """
     Abstract View for creating a place asset (i.e. PlaceImage) 

django_lostplaces/lostplaces/views/place_views.py

@@ -18,7 +18,8 @@ from lostplaces.models import Place, PlaceImage
 from lostplaces.views.base_views import (
     IsAuthenticatedMixin,
     IsPlaceSubmitterMixin,
-    LevelCapPlaceListView
+    LevelCapPlaceListView,
+    IsEligibleToSeePlaceMixin
 )
 from lostplaces.views.place_image_views import MultiplePlaceImageUploadMixin
 from lostplaces.forms import PlaceForm, PlaceImageForm, TagSubmitForm
@@ -39,9 +40,15 @@ class PlaceListView(IsAuthenticatedMixin, LevelCapPlaceListView):
         }
         return context
 
-class PlaceDetailView(IsAuthenticatedMixin, View):
+class PlaceDetailView(IsAuthenticatedMixin, IsEligibleToSeePlaceMixin, View):
+    not_eligible_to_see_message = _('You\'r not allowed to see this place')
+
+    def get_place(self):
+        return get_object_or_404(Place, pk=self.kwargs['pk'])
+
     def get(self, request, pk):        
-        place = get_object_or_404(Place, pk=pk)
+        place = self.get_place()
+
         context = {
             'place': place,
             'mapping_config': {
@@ -131,10 +138,14 @@ class PlaceDeleteView(IsAuthenticatedMixin, IsPlaceSubmitterMixin, DeleteView):
     def get_place(self):
         return self.get_object()
 
-class PlaceFavoriteView(IsAuthenticatedMixin, View):
+class PlaceFavoriteView(IsAuthenticatedMixin, IsEligibleToSeePlaceMixin, View):
+    not_eligible_to_see_message = _('You\'r not allowed to favorite this place')
+
+    def get_place(self):
+        return get_object_or_404(Place, pk=self.kwargs['place_id'])
 
     def get(self, request, place_id):
-        place = get_object_or_404(Place, id=place_id)
+        place = self.get_place()
         if request.user is not None:
             request.user.explorer.favorite_places.add(place)
             request.user.explorer.save()
@@ -151,10 +162,14 @@ class PlaceUnfavoriteView(IsAuthenticatedMixin, View):
 
         return redirect_referer_or(request, reverse('place_detail', kwargs={'pk': place.pk}))                    
 
-class PlaceVisitCreateView(IsAuthenticatedMixin, View):
+class PlaceVisitCreateView(IsAuthenticatedMixin, IsEligibleToSeePlaceMixin, View):
+    not_eligible_to_see_message = _('You\'r not allowed to visit this place :P (Now please stop trying out URL\'s)')
+
+    def get_place(self):
+        return get_object_or_404(Place, pk=self.kwargs['place_id'])
 
     def get(self, request, place_id):
-        place = get_object_or_404(Place, id=place_id)
+        place = self.get_place()
         if request.user is not None:
             request.user.explorer.visited_places.add(place)
             request.user.explorer.save()