#137 place permission logic ONLY in core.permissions and make article.can_read…

#137 place permission logic ONLY in core.permissions and make article.can_read and article.can_write configurable

#137 place permission logic ONLY in core.permissions and make article.can_read…
#137 place permission logic ONLY in core.permissions and make article.can_read and article.can_write configurable
d37e09cd · benjaoming · fdd36cde · d37e09cd · d37e09cd · d37e09cd
Commit d37e09cd authored Apr 04, 2013 by benjaoming
Hide whitespace changes
Inline Side-by-side

Showing with 103 additions and 47 deletions

wiki/conf/settings.py
+17 -6

wiki/core/permissions.py
+84 -7

wiki/models/article.py
+2 -34

No files found.
--- a/wiki/conf/settings.py
+++ b/wiki/conf/settings.py
@@ -37,30 +37,41 @@ LOG_IPS_USERS = getattr( django_settings, 'WIKI_LOG_IPS_USERS', False )
 # NB! None of these callables need to handle anonymous users as they are treated
 # in separate settings...

+# A function returning True/False if a user has permission to
+# read contents of an article + plugins
+# Relevance: viewing articles and plugins
+CAN_READ = getattr( django_settings, 'WIKI_CAN_READ', None )
+
+# A function returning True/False if a user has permission to
+# change contents, ie add new revisions to an article
+# Often, plugins also use this
+# Relevance: editing articles, changing revisions, editing plugins
+CAN_WRITE = getattr( django_settings, 'WIKI_CAN_WRITE', None )
+
 # A function returning True/False if a user has permission to assign
 # permissions on an article
 # Relevance: changing owner and group membership
-CAN_ASSIGN = getattr( django_settings, 'WIKI_CAN_ASSIGN', lambda article, user: user.has_perm( 'wiki.assign' ) )
+CAN_ASSIGN = getattr( django_settings, 'WIKI_CAN_ASSIGN', None )

 # A function returning True/False if the owner of an article has permission to change
 # the group to a user's own groups
 # Relevance: changing group membership
-CAN_ASSIGN_OWNER = getattr( django_settings, 'WIKI_ASSIGN_OWNER', lambda article, user: False )
+CAN_ASSIGN_OWNER = getattr( django_settings, 'WIKI_ASSIGN_OWNER', None )

 # A function returning True/False if a user has permission to change
 # read/write access for groups and others
-CAN_CHANGE_PERMISSIONS = getattr( django_settings, 'WIKI_CAN_CHANGE_PERMISSIONS', lambda article, user: article.owner == user or user.has_perm( 'wiki.assign' ) )
+CAN_CHANGE_PERMISSIONS = getattr( django_settings, 'WIKI_CAN_CHANGE_PERMISSIONS', None )

 # Specifies if a user has access to soft deletion of articles
-CAN_DELETE = getattr( django_settings, 'WIKI_CAN_DELETE', lambda article, user: article.can_write( user = user ) )
+CAN_DELETE = getattr( django_settings, 'WIKI_CAN_DELETE', None )

 # A function returning True/False if a user has permission to change
 # moderate, ie. lock articles and permanently delete content.
-CAN_MODERATE = getattr( django_settings, 'WIKI_CAN_MODERATE', lambda article, user: user.has_perm( 'wiki.moderate' ) )
+CAN_MODERATE = getattr( django_settings, 'WIKI_CAN_MODERATE', None )

 # A function returning True/False if a user has permission to create
 # new groups and users for the wiki.
-CAN_ADMIN = getattr( django_settings, 'WIKI_CAN_ADMIN', lambda article, user: user.has_perm( 'wiki.admin' ) )
+CAN_ADMIN = getattr( django_settings, 'WIKI_CAN_ADMIN', None )

 # Treat anonymous (non logged in) users as the "other" user group
 ANONYMOUS = getattr( django_settings, 'WIKI_ANONYMOUS', True )

--- a/wiki/core/permissions.py
+++ b/wiki/core/permissions.py
 from wiki.conf import settings

-# Article settings.
+###############################
+# ARTICLE PERMISSION HANDLING #
+###############################
+#
+# All functions are:
+#   can_something(article, user)
+#      => True/False
+#
+# All functions can be replaced by pointing their relevant
+# settings variable in wiki.conf.settings to a callable(article, user)
+
+def can_read(article, user):
+    if callable(settings.CAN_READ):
+        return settings.CAN_READ(article, user)
+    else:
+        # Deny reading access to deleted articles if user has no delete access
+        article_is_deleted = article.current_revision and article.current_revision.deleted
+        if article_is_deleted and not article.can_delete(user):
+            return False
+        
+        # Check access for other users...
+        if user.is_anonymous() and not settings.ANONYMOUS:
+            return False
+        elif article.other_read:
+            return True
+        elif user.is_anonymous():
+            return  False
+        if user == article.owner:
+            return True
+        if article.group_read:
+            if article.group and user.groups.filter(id=article.group.id).exists():
+                return True
+        if article.can_moderate(user):
+            return True
+        return False
+        
+def can_write(article, user):
+    if callable(settings.CAN_WRITE):
+        return settings.CAN_WRITE(article, user)
+    # Check access for other users...
+    if user.is_anonymous() and not settings.ANONYMOUS_WRITE:
+        return False
+    elif article.other_write:
+        return True
+    elif user.is_anonymous():
+        return  False
+    if user == article.owner:
+        return True
+    if article.group_write:
+        if article.group and user and user.groups.filter(id=article.group.id).exists():
+            return True
+    if article.can_moderate(user):
+        return True
+    return False
+
 def can_assign(article, user):
-    return not user.is_anonymous() and settings.CAN_ASSIGN(article, user)
+    if callable(settings.CAN_ASSIGN):
+        return settings.CAN_ASSIGN(article, user)
+    return not user.is_anonymous() and user.has_perm('wiki.assign')
+
 def can_assign_owner(article, user):
-    return not user.is_anonymous() and settings.CAN_ASSIGN_OWNER(article, user)
+    if callable(settings.CAN_ASSIGN_OWNER):
+        return settings.CAN_ASSIGN_OWNER(article, user)
+    return False
+
 def can_change_permissions(article, user):
-    return not user.is_anonymous() and settings.CAN_CHANGE_PERMISSIONS(article, user)
+    if callable(settings.CAN_CHANGE_PERMISSIONS):
+        return settings.CAN_CHANGE_PERMISSIONS(article, user)
+    return (
+        not user.is_anonymous() and (
+            article.owner == user or 
+            user.has_perm('wiki.assign')
+        )
+    )
+
 def can_delete(article, user):
-    return not user.is_anonymous() and settings.CAN_DELETE(article, user)
+    if callable(settings.CAN_DELETE):
+        return settings.CAN_DELETE(article, user)
+    return not user.is_anonymous() and article.can_write(user)
+
 def can_moderate(article, user):
-    return not user.is_anonymous() and settings.CAN_MODERATE(article, user)
+    if callable(settings.CAN_MODERATE):
+        return settings.CAN_MODERATE(article, user)
+    return not user.is_anonymous() and user.has_perm('wiki.moderate')
+
 def can_admin(article, user):
-    return not user.is_anonymous() and settings.CAN_ADMIN(article, user)
+    if callable(settings.CAN_ADMIN):
+        return settings.CAN_ADMIN(article, user)
+    return not user.is_anonymous() and user.has_perm('wiki.admin')
+
--- a/wiki/models/article.py
+++ b/wiki/models/article.py
@@ -46,42 +46,10 @@ class Article(models.Model):
    # permission checking patterns. Also, since there are no other keywords,
    # it doesn't make much sense.
    def can_read(self, user=None):
-        # Deny reading access to deleted articles if user has no delete access
-        if self.current_revision and self.current_revision.deleted and not self.can_delete(user):
-            return False
-        
-        # Check access for other users...
-        if user.is_anonymous() and not settings.ANONYMOUS:
-            return False
-        elif self.other_read:
-            return True
-        elif user.is_anonymous():
-            return  False
-        if user == self.owner:
-            return True
-        if self.group_read:
-            if self.group and user.groups.filter(id=self.group.id).exists():
-                return True
-        if self.can_moderate(user):
-            return True
-        return False
+        return permissions.can_read(self, user)
    
    def can_write(self, user=None):
-        # Check access for other users...
-        if user.is_anonymous() and not settings.ANONYMOUS_WRITE:
-            return False
-        elif self.other_write:
-            return True
-        elif user.is_anonymous():
-            return  False
-        if user == self.owner:
-            return True
-        if self.group_write:
-            if self.group and user and user.groups.filter(id=self.group.id).exists():
-                return True
-        if self.can_moderate(user):
-            return True
-        return False
+        return permissions.can_write(self, user)
    
    def can_delete(self, user):
        return permissions.can_delete(self, user)