authorÉtienne Loks <etienne.loks@proxience.com>2015-12-14 01:03:57 +0100
committerÉtienne Loks <etienne.loks@proxience.com>2015-12-14 01:03:57 +0100
commit0ca7f35ff249516d3062962b925ef096df0d8365 (patch)
treec778aa77861a6093cbfe8a2d853e83ba05f96f02
parent8013cdaddc1c9b87c843a9ca857caba9d1fd20f2 (diff)
downloadIshtar-0ca7f35ff249516d3062962b925ef096df0d8365.tar.bz2
Ishtar-0ca7f35ff249516d3062962b925ef096df0d8365.zip
Manage own rights in wizards via an appropriate decorator
-rw-r--r--archaeological_operations/models.py3
-rw-r--r--archaeological_operations/urls.py7
-rw-r--r--ishtar_common/models.py2
-rw-r--r--ishtar_common/wizards.py51
4 files changed, 56 insertions, 7 deletions
diff --git a/archaeological_operations/models.py b/archaeological_operations/models.py
index 85edea71e..a1cd43b58 100644
--- a/archaeological_operations/models.py
+++ b/archaeological_operations/models.py
@@ -384,9 +384,6 @@ class Operation(BaseHistorizedItem, OwnPerms, ValueGetter, ShortMenuItem,
raise ValidationError(_(u"This operation code already exists for "
u"this year"))
- def is_own(self, person):
- return False
-
@property
def surface_ha(self):
if self.surface:
diff --git a/archaeological_operations/urls.py b/archaeological_operations/urls.py
index e0909af8b..cc2c6f9ac 100644
--- a/archaeological_operations/urls.py
+++ b/archaeological_operations/urls.py
@@ -19,6 +19,7 @@
from django.conf.urls.defaults import *
+from ishtar_common.wizards import check_rights
import views
# forms
@@ -51,11 +52,13 @@ urlpatterns = patterns(
url(r'operation_search/(?P<step>.+)?$',
views.operation_search_wizard, name='operation_search'),
url(r'operation_creation/(?P<step>.+)?$',
- views.operation_creation_wizard, name='operation_creation'),
+ check_rights(['add_operation'])(views.operation_creation_wizard),
+ name='operation_creation'),
url(r'operation_add/(?P<file_id>\d+)$',
views.operation_add, name='operation_add'),
url(r'operation_modification/(?P<step>.+)?$',
- views.operation_modification_wizard,
+ check_rights(['change_operation', 'change_own_operation'])(
+ views.operation_modification_wizard),
name='operation_modification'),
url(r'operation_modify/(?P<pk>.+)/$',
views.operation_modify, name='operation_modify'),
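Review bot: Only the two wizard entries are wrapped in `check_rights` here, while the neighbouring `operation_add` and `operation_modify` patterns in the same hunk stay undecorated, so unless those views enforce the same permissions themselves (not visible in this hunk) they remain reachable without an `add_operation`/`change_operation` check. If they are meant to be guarded the same way, wrapping them with `check_rights([...])` at the URL layer too keeps the authorization policy in one place instead of split between urls.py and the view bodies. The ordering `['change_operation', 'change_own_operation']` does put the broader right first, which matches the "more permissive rights first" comment in `check_rights`; a short comment next to the pattern stating that the order matters would protect it from a well-meaning alphabetical sort later.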
diff --git a/ishtar_common/models.py b/ishtar_common/models.py
index c4dcd4c44..73e5f82b1 100644
--- a/ishtar_common/models.py
+++ b/ishtar_common/models.py
@@ -222,7 +222,7 @@ class OwnPerms:
if not query:
return False
query = query & Q(pk=self.pk)
- return self.objects.filter(query).count()
+ return self.__class__.objects.filter(query).count()
@classmethod
def has_item_of(cls, user):
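Review bot: The corrected line still returns `count()`, an int, while the `if not query` branch two lines above returns `False`, so callers of this method get a mixed bool/int result; `return self.__class__.objects.filter(query).exists()` returns a real bool and lets the database stop at the first match instead of counting rows. The enclosing method starts above this hunk, so its name and the argument the query is built from are not visible here; if some caller relies on the numeric value, keep `count()` and state the return type in the docstring instead.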
diff --git a/ishtar_common/wizards.py b/ishtar_common/wizards.py
index 908a84a46..222d2a5db 100644
--- a/ishtar_common/wizards.py
+++ b/ishtar_common/wizards.py
@@ -18,17 +18,19 @@
# See the file COPYING for details.
import datetime
+# from functools import wraps
from django.conf import settings
from django.contrib.formtools.wizard.storage import get_storage
from django.contrib.formtools.wizard.views import NamedUrlWizardView, \
- normalize_name
+ normalize_name, get_storage, StepsHelper
from django.contrib.sites.models import Site
from django.core.exceptions import ObjectDoesNotExist
from django.core.files.images import ImageFile
from django.core.mail import send_mail
from django.db.models.fields.files import FileField
from django.db.models.fields.related import ManyToManyField
+from django.http import HttpResponseRedirect
from django.forms import ValidationError
from django.shortcuts import render_to_response
from django.template import Context, RequestContext, loader
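Review bot: `get_storage` is now imported twice — from `django.contrib.formtools.wizard.storage` two lines above and again from `...wizard.views` on the changed line — and the second import silently rebinds the name; drop it from one of the two lines. The commented-out `# from functools import wraps` should either be removed or actually used by `check_rights` further down (`@wraps(view_func)` on `_wrapped_view`), since without it the decorated wizard views lose their `__name__` and `__doc__`, which matters for anything that reports or resolves views by name.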
@@ -49,6 +51,32 @@ class MultiValueDict(BaseMultiValueDict):
return v
+def check_rights(rights=[], redirect_url='/'):
+ """
+ Decorator that checks the rights to access the view.
+ """
+
+ def decorator(view_func):
+ def _wrapped_view(request, *args, **kwargs):
+ if not rights:
+ return view_func(request, *args, **kwargs)
+ if hasattr(request.user, 'ishtaruser'):
+ if request.user.ishtaruser.has_right('administrator',
+ request.session):
+ kwargs['current_right'] = 'administrator'
+ return view_func(request, *args, **kwargs)
+ for right in rights:
+ # be careful to put the more permissive rights first
+ # if granted it can allow more
+ if request.user.ishtaruser.has_right(right,
+ request.session):
+ kwargs['current_right'] = right
+ return view_func(request, *args, **kwargs)
+ return HttpResponseRedirect(redirect_url)
+ return _wrapped_view
+ return decorator
+
+
class Wizard(NamedUrlWizardView):
model = None
label = ''
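Review bot: A denied request is answered with `HttpResponseRedirect(redirect_url)` to `/`, so an anonymous user, a user without an `ishtaruser`, and a user lacking every listed right all receive the same silent 302 and nothing is logged — neither the server logs nor the client can tell a permission denial from ordinary navigation. Consider raising `PermissionDenied` (from `django.core.exceptions`, which this file already imports from) for the no-right case so Django renders a 403, or at least logging the denied user and the rights requested before redirecting, and sending anonymous users to the login page rather than `/`. `rights=[]` is the usual mutable-default smell; it is never mutated here, but `rights=()` avoids the question entirely. `_wrapped_view` is also not wrapped with `functools.wraps`, so the decorated views lose their original `__name__`.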
@@ -88,6 +116,27 @@ class Wizard(NamedUrlWizardView):
cond = self._check_right(form_key, condition)
self.condition_dict[form_key] = cond
+ def dispatch(self, request, *args, **kwargs):
+ self.current_right = kwargs.get('current_right', None)
+
+ # check that the current object is really owned by the current user
+ if self.current_right and '_own_' in self.current_right:
+ # reinit default dispatch of a wizard - not clean...
+ self.request = request
+ self.session = request.session
+ self.prefix = self.get_prefix(*args, **kwargs)
+ self.storage = get_storage(self.storage_name, self.prefix, request,
+ getattr(self, 'file_storage', None))
+ self.steps = StepsHelper(self)
+
+ current_object = self.get_current_object()
+ if current_object and not current_object.is_own(request.user):
+ main_form_key = 'selec-' + self.url_name
+ self.session_reset(request, main_form_key)
+ return HttpResponseRedirect('/')
+
+ return super(Wizard, self).dispatch(request, *args, **kwargs)
+
def get_prefix(self, *args, **kwargs):
"""As the class name can interfere when reused prefix with the url_name
"""