Add ACL support to the document comments app

2012-01-03 18:49:03 -04:00
parent ffd90c0340
commit edd344b924
3 changed files with 39 additions and 20 deletions
--- a/apps/document_comments/init.py
+++ b/apps/document_comments/init.py
@@ -8,20 +8,19 @@ from django.contrib.contenttypes import generic
 from navigation.api import register_links, register_model_list_columns
 from permissions.models import PermissionNamespace, Permission
 from common.utils import encapsulate
-
+from acls.api import class_permissions
 from documents.models import Document

 if 'django.contrib.comments' not in settings.INSTALLED_APPS:
    raise Exception('This app depends on the django.contrib.comments app.')

 from .permissions import (PERMISSION_COMMENT_CREATE,
-    PERMISSION_COMMENT_DELETE, PERMISSION_COMMENT_EDIT,
-    PERMISSION_COMMENT_VIEW)
+    PERMISSION_COMMENT_DELETE, PERMISSION_COMMENT_VIEW)
    
 comment_delete = {'text': _('delete'), 'view': 'comment_delete', 'args': 'object.pk', 'famfam': 'comment_delete', 'permissions': [PERMISSION_COMMENT_DELETE]}
 comment_multiple_delete = {'text': _('delete'), 'view': 'comment_multiple_delete', 'args': 'object.pk', 'famfam': 'comments_delete', 'permissions': [PERMISSION_COMMENT_DELETE]}
 comment_add = {'text': _('add comment'), 'view': 'comment_add', 'args': 'object.pk', 'famfam': 'comment_add', 'permissions': [PERMISSION_COMMENT_CREATE]}
-comments_for_object = {'text': _('comments'), 'view': 'comments_for_object', 'args': 'object.pk', 'famfam': 'comments', 'permissions': [PERMISSION_COMMENT_VIEW], 'children_view_regex': ['comment']}
+comments_for_document = {'text': _('comments'), 'view': 'comments_for_document', 'args': 'object.pk', 'famfam': 'comments', 'permissions': [PERMISSION_COMMENT_VIEW], 'children_view_regex': ['comment']}

 register_model_list_columns(Comment, [
    {
@@ -38,9 +37,9 @@ register_model_list_columns(Comment, [
    }
 ])

-register_links(['comments_for_object', 'comment_add', 'comment_delete', 'comment_multiple_delete'], [comment_add], menu_name='sidebar')
+register_links(['comments_for_document', 'comment_add', 'comment_delete', 'comment_multiple_delete'], [comment_add], menu_name='sidebar')
 register_links(Comment, [comment_delete])
-register_links(Document, [comments_for_object], menu_name='form_header')
+register_links(Document, [comments_for_document], menu_name='form_header')

 Document.add_to_class(
    'comments',
@@ -50,3 +49,9 @@ Document.add_to_class(
        object_id_field='object_pk'
    )
 )
+
+class_permissions(Document, [
+    PERMISSION_COMMENT_CREATE,
+    PERMISSION_COMMENT_DELETE,
+    PERMISSION_COMMENT_VIEW
+])
--- a/apps/document_comments/urls.py
+++ b/apps/document_comments/urls.py
@@ -1,8 +1,8 @@
 from django.conf.urls.defaults import patterns, url

 urlpatterns = patterns('document_comments.views',
-    url(r'^(?P<comment_id>\d+)/delete/$', 'comment_delete', (), 'comment_delete'),
-    url(r'^multiple/delete/$', 'comment_multiple_delete', (), 'comment_multiple_delete'),
-    url(r'^add_to_document/(?P<document_id>\d+)/$', 'comment_add', (), 'comment_add'),
-    url(r'^for/object/(?P<document_id>\d+)/$', 'comments_for_object', (), 'comments_for_object'),
+    url(r'^comment/(?P<comment_id>\d+)/delete/$', 'comment_delete', (), 'comment_delete'),
+    url(r'^comment/multiple/delete/$', 'comment_multiple_delete', (), 'comment_multiple_delete'),
+    url(r'^(?P<document_id>\d+)/comment/add/$', 'comment_add', (), 'comment_add'),
+    url(r'^(?P<document_id>\d+)/comment/list/$', 'comments_for_document', (), 'comments_for_document'),
 )
--- a/apps/document_comments/views.py
+++ b/apps/document_comments/views.py
@@ -8,25 +8,31 @@ from django.template import RequestContext
 from django.contrib import messages
 from django.contrib.contenttypes.models import ContentType
 from django.contrib.sites.models import Site
+from django.core.exceptions import PermissionDenied

+from acls.models import AccessEntry
 from permissions.models import Permission
 from documents.models import Document

 from .permissions import (PERMISSION_COMMENT_CREATE,
-    PERMISSION_COMMENT_DELETE, PERMISSION_COMMENT_EDIT,
-    PERMISSION_COMMENT_VIEW)
+    PERMISSION_COMMENT_DELETE, PERMISSION_COMMENT_VIEW)
 from .forms import CommentForm


 def comment_delete(request, comment_id=None, comment_id_list=None):
-    Permission.objects.check_permissions(request.user, [PERMISSION_COMMENT_DELETE])
    post_action_redirect = None

    if comment_id:
        comments = [get_object_or_404(Comment, pk=comment_id)]
    elif comment_id_list:
        comments = [get_object_or_404(Comment, pk=comment_id) for comment_id in comment_id_list.split(',')]
-    else:
+
+    try:
+        Permission.objects.check_permissions(request.user, [PERMISSION_COMMENT_DELETE])
+    except PermissionDenied:
+        comments = AccessEntry.objects.filter_objects_by_access(PERMISSION_COMMENT_DELETE, request.user, comments, related='content_object')
+        
+    if not comments:
        messages.error(request, _(u'Must provide at least one comment.'))
        return HttpResponseRedirect(request.META.get('HTTP_REFERER', '/'))        

@@ -69,9 +75,13 @@ def comment_multiple_delete(request):


 def comment_add(request, document_id):
-    Permission.objects.check_permissions(request.user, [PERMISSION_COMMENT_CREATE])
-
    document = get_object_or_404(Document, pk=document_id)
+
+    try:
+        Permission.objects.check_permissions(request.user, [PERMISSION_COMMENT_CREATE])
+    except PermissionDenied:
+        AccessEntry.objects.check_access(PERMISSION_COMMENT_CREATE, request.user, document)
+    
    post_action_redirect = None

    next = request.POST.get('next', request.GET.get('next', post_action_redirect if post_action_redirect else request.META.get('HTTP_REFERER', '/')))
@@ -99,16 +109,20 @@ def comment_add(request, document_id):
    }, context_instance=RequestContext(request))


-def comments_for_object(request, document_id):
+def comments_for_document(request, document_id):
    '''
    Show a list of all the comments related to the passed object
    '''
-    Permission.objects.check_permissions(request.user, [PERMISSION_COMMENT_VIEW])
-
    document = get_object_or_404(Document, pk=document_id)

+    try:
+        Permission.objects.check_permissions(request.user, [PERMISSION_COMMENT_VIEW])
+    except PermissionDenied:
+        AccessEntry.objects.check_access(PERMISSION_COMMENT_VIEW, request.user, document)
+
    return render_to_response('generic_list.html', {
        'object': document,
+        'access_object': document,
        'title': _(u'comments: %s') % document,
        'object_list': Comment.objects.for_model(document).order_by('-submit_date'),
        'hide_link': True,