Add basic framework for checking permissions

* add dummy has_access(user, location) method * re-organize views by type of access checking needed.

Add basic framework for checking permissions
* add dummy has_access(user, location) method * re-organize views by type of access checking needed.
3f356bfb · Victor Shnayder · c176a7fe · 3f356bfb
Commit 3f356bfb authored Jul 16, 2012 by Victor Shnayder
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 14 deletions

cms/djangoapps/contentstore/views.py
+34 -14

No files found.
--- a/cms/djangoapps/contentstore/views.py
+++ b/cms/djangoapps/contentstore/views.py
@@ -14,19 +14,7 @@ from github_sync import export_to_github
 from mitxmako.shortcuts import render_to_response
 from xmodule.modulestore.django import modulestore

-@login_required
-@ensure_csrf_cookie
-def index(request):
-    courses = modulestore().get_items(['i4x', None, None, 'course', None])
-    return render_to_response('index.html', {
-        'courses': [(course.metadata['display_name'],
-                    reverse('course_index', args=[
-                        course.location.org,
-                        course.location.course,
-                        course.location.name]))
-                    for course in courses]
-    })
-
+# ==== Public views ==================================================

 @ensure_csrf_cookie
 def signup(request):
@@ -44,18 +32,47 @@ def login_page(request):
    csrf_token = csrf(request)['csrf_token']
    return render_to_response('login.html', {'csrf': csrf_token }) 
    
+# ==== Views for any logged-in user ==================================
+
+@login_required
+@ensure_csrf_cookie
+def index(request):
+    courses = modulestore().get_items(['i4x', None, None, 'course', None])
+    return render_to_response('index.html', {
+        'courses': [(course.metadata['display_name'],
+                    reverse('course_index', args=[
+                        course.location.org,
+                        course.location.course,
+                        course.location.name]))
+                    for course in courses]
+    })
+
+# ==== Views with per-item permissions================================
+
+def has_access(user, location):
+    '''Return True if user allowed to access this piece of data'''
+    # TODO (vshnayder): actually check perms
+    return user.is_active and user.is_authenticated

 @login_required
 @ensure_csrf_cookie
 def course_index(request, org, course, name):
+    location = ['i4x', org, course, 'course', name]
+    if not has_access(request.user, location):
+        raise Http404  # TODO (vshnayder): better error
+    
    # TODO (cpennington): These need to be read in from the active user
-    course = modulestore().get_item(['i4x', org, course, 'course', name])
+    course = modulestore().get_item(location)
    weeks = course.get_children()
    return render_to_response('course_index.html', {'weeks': weeks})

 @login_required
 def edit_item(request):
+    # TODO (vshnayder): Why are we using "id" instead of "location"?
    item_id = request.GET['id']
+    if not has_access(request.user, item_id):
+        raise Http404  # TODO (vshnayder): better error
+        
    item = modulestore().get_item(item_id)
    return render_to_response('unit.html', {
        'contents': item.get_html(),
@@ -69,6 +86,9 @@ def edit_item(request):
 @expect_json
 def save_item(request):
    item_id = request.POST['id']
+    if not has_access(request.user, item_id):
+        raise Http404  # TODO (vshnayder): better error
+
    data = json.loads(request.POST['data'])
    modulestore().update_item(item_id, data)