author | Magnus Hagander | 2020-01-26 11:12:42 +0000 |
committer | Magnus Hagander | 2020-01-26 15:45:19 +0000 |
commit | a44bbb83d27c42d23e062293346bd4204d98f54a (patch) | |
tree | 5946ce0b9da308c76c73b4bd363c7623deac692c /postgresqleu/util/docsviews.py | |
parent | 478da36bab59ec12ee3d2ea29aa4f20b794c7e9d (diff) |
Fix permissions checks for documentation pages
Always require a login for viewing pages. This was already
"meta-enforced" by crashing when the user wasn't logged in, but should
do a proper redirect. We always want to enforce this login so we don't
end up with google indexing the help pages of every site for example.
Second, allow talk voters and any members of any of the global
permission groups to view the documentation. The comment already covered
the talkvoters, just not the implementation, but since we have
documentation for things outside of confreg now, also include
permissions on those parts of the system.
Partial work on #19
Diffstat (limited to 'postgresqleu/util/docsviews.py')
-rw-r--r-- | postgresqleu/util/docsviews.py | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/postgresqleu/util/docsviews.py b/postgresqleu/util/docsviews.py
index b83fb2a1..ddf33f25 100644
--- a/postgresqleu/util/docsviews.py
+++ b/postgresqleu/util/docsviews.py
@@ -2,6 +2,8 @@ from django.shortcuts import render
 from django.http import HttpResponseForbidden, Http404
 from django.conf import settings
 from django.utils.safestring import mark_safe
+from django.contrib.auth.decorators import login_required
+from django.db.models import Q
 import codecs
 import os
@@ -9,6 +11,8 @@ import re
 import markdown
 from postgresqleu.confreg.models import Conference, ConferenceSeries
+from postgresqleu.util.auth import PERMISSION_GROUPS
+
 reTitle = re.compile('<h1>([^<]+)</h1>')
@@ -26,11 +30,17 @@ def _replaceSvgInline(m, section):
 return f.read()
+@login_required
 def docspage(request, page):
 # Allow a person who has *any* permissions on a conference to read the docs,
 # because, well, they are docs.
+ # Since we also have docs for non-conference things, check for membership
+ # of *any* permissions groups.
 if not request.user.is_superuser:
- if not Conference.objects.filter(administrators=request.user).exists() and not ConferenceSeries.objects.filter(administrators=request.user).exists():
+ q = Q(administrators=request.user) | Q(talkvoters=request.user)
+ if not Conference.objects.filter(q).exists() and \
+ not ConferenceSeries.objects.filter(administrators=request.user).exists() and \
+ not request.user.groups.filter(name__in=PERMISSION_GROUPS).exists():
 return HttpResponseForbidden("Access denied")
 if page: |
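Review bot: The new three-clause permission test inside docspage is written with backslash continuations, which PEP 8 discourages; folding the negations with De Morgan and wrapping the condition in parentheses reads the same and drops the backslashes: `if not (Conference.objects.filter(q).exists()` / `        or ConferenceSeries.objects.filter(administrators=request.user).exists()` / `        or request.user.groups.filter(name__in=PERMISSION_GROUPS).exists()):`. Since "any conference admin or talkvoter, any series admin, or any member of a global permission group may read the docs" is now an authorization rule in its own right, consider moving it into a small helper such as `_may_read_docs(user)` so it can be unit-tested and the comment above it documents the rule in one place rather than inline in the view. The shape of PERMISSION_GROUPS is not visible in this diff; `name__in` needs an iterable of group names, so if it is a mapping this relies on iterating its keys — worth confirming against its definition. The body of docspage continues past the end of the hunk.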