Fix #173 by letting articles refer to other article's attachments while checking…

Fix #173 by letting articles refer to other article's attachments while checking the permissions of the original article owner

Fix #173 by letting articles refer to other article's attachments while checking…
Fix #173 by letting articles refer to other article's attachments while checking the permissions of the original article owner
3f3c9033 · benjaoming · 00903359 · b9981cf6 · 3f3c9033 · 3f3c9033
Commit 3f3c9033 authored Jul 16, 2013 by benjaoming
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 5 deletions

wiki/plugins/attachments/markdown_extensions.py
+20 -5

wiki/plugins/attachments/templates/wiki/plugins/attachments/render.html
+4 -0

No files found.
--- a/wiki/plugins/attachments/markdown_extensions.py
+++ b/wiki/plugins/attachments/markdown_extensions.py
@@ -4,6 +4,7 @@ import re
 from django.core.urlresolvers import reverse
 from django.template.context import Context
 from django.template.loader import render_to_string
+from wiki.core.permissions import can_read

 ATTACHMENT_RE = re.compile(r'(?P<before>.*)(\[attachment\:(?P<id>\d+)\])(?P<after>.*)', re.IGNORECASE)

@@ -28,13 +29,27 @@ class AttachmentPreprocessor(markdown.preprocessors.Preprocessor):
                before = m.group('before')
                after = m.group('after')
                try:
-                    attachment = models.Attachment.objects.get(articles=self.markdown.article,
-                                                               id=attachment_id, current_revision__deleted=False)
+                    attachment = models.Attachment.objects.get(
+                        articles__current_revision__deleted=False,
+                        id=attachment_id, current_revision__deleted=False
+                    )
                    url = reverse('wiki:attachments_download', kwargs={'article_id': self.markdown.article.id,
                                                                       'attachment_id':attachment.id,})
-                    html = render_to_string("wiki/plugins/attachments/render.html",
-                                            Context({'url': url, 
-                                                     'filename': attachment.original_filename,}))
+                    
+                    # The readability of the attachment is decided relative
+                    # to the owner of the original article.
+                    # I.e. do not insert attachments in other articles that
+                    # the original uploader cannot read, that would be out
+                    # of scope!
+                    attachment_can_read = can_read( self.markdown.article,
+                        attachment.article.owner)
+                    html = render_to_string(
+                        "wiki/plugins/attachments/render.html",
+                        Context({
+                            'url': url, 
+                            'filename': attachment.original_filename,
+                            'attachment_can_read': attachment_can_read,
+                        }))
                    line = self.markdown.htmlStash.store(html, safe=True)
                except models.Attachment.DoesNotExist:
                    line = line.replace(m.group(1), u"""<span class="attachment attachment-deleted">Attachment with ID #%s is deleted.</span>""" % attachment_id)

--- a/wiki/plugins/attachments/templates/wiki/plugins/attachments/render.html
+++ b/wiki/plugins/attachments/templates/wiki/plugins/attachments/render.html
@@ -2,4 +2,8 @@
 {% comment %}
  Render an attachment to HTML in the markdown extension
 {% endcomment %}
+{% if not attachment_can_read %}
+<em>{% trans "This attachment is not permitted on this page." %}</em>
+{% else %}
 <span class="attachment"><a href="{{ url }}" title="{% trans "Click to download" %} {{ filename }}">{{ filename }}</a>
+{% endif %}