changeset permissions

2017-06-29 17:15:11 +02:00 · 2017-06-29 17:15:11 +02:00 · 0ea8ca9920
commit 0ea8ca9920
parent ef5f4c0704
3 changed files with 14 additions and 10 deletions
--- a/src/c3nav/editor/models/changedobject.py
+++ b/src/c3nav/editor/models/changedobject.py
@ -263,7 +263,7 @@ class ChangedObject(models.Model):
                (not self.is_created and self.deleted))

    def save(self, *args, standalone=False, **kwargs):
-        if self.changeset.proposed is not None or self.changeset.applied is not None:
+        if not self.changeset.editable:
            raise TypeError('can not add change object to uneditable changeset.')
        self.m2m_added = {name: tuple(values) for name, values in self._m2m_added_cache.items()}
        self.m2m_removed = {name: tuple(values) for name, values in self._m2m_removed_cache.items()}
--- a/src/c3nav/editor/models/changeset.py
+++ b/src/c3nav/editor/models/changeset.py
@ -187,9 +187,6 @@ class ChangeSet(models.Model):

        return objects

-    """
-    Lookup changes and created objects
-    """
    def get_changed_values(self, model: models.Model, name: str) -> tuple:
        """
        Get all changes values for a specific field on existing models
@ -247,6 +244,17 @@ class ChangeSet(models.Model):
            model = model._obj
        return set(self.created_objects.get(model, {}).keys())

+    """
+    Permissions
+    """
+    @property
+    def editable(self):
+        return self.applied is None
+
+    def can_edit(self, request):
+        return (self.editable and self.session_id == request.session.session_key and
+                (self.proposed is None or self.assigned_to_id is request.user.pk))
+
    """
    Methods for display
    """
--- a/src/c3nav/editor/views/changes.py
+++ b/src/c3nav/editor/views/changes.py
@ -18,11 +18,10 @@ from c3nav.mapdata.models.locations import LocationRedirect, LocationSlug

@sidebar_view
 def changeset_detail(request, pk):
-    can_edit = True
    changeset = request.changeset
    if str(pk) != str(request.changeset.pk):
-        can_edit = False
        changeset = get_object_or_404(ChangeSet.qs_for_request(request), pk=pk)
+    can_edit = changeset.can_edit(request)

    if request.method == 'POST' and can_edit:
        restore = request.POST.get('restore')
@ -228,14 +227,11 @@ def changeset_detail(request, pk):

@sidebar_view
 def changeset_edit(request, pk):
-    can_edit = True
    changeset = request.changeset
-
    if str(pk) != str(request.changeset.pk):
-        can_edit = False
        changeset = get_object_or_404(ChangeSet.qs_for_request(request), pk=pk)

-    if not can_edit:
+    if not changeset.can_edit(request):
        raise PermissionDenied

    if request.method == 'POST':