Diffstat (limited to 'ishtar_common/wizards.py')
-rw-r--r-- | ishtar_common/wizards.py | 51 |
1 files changed, 50 insertions, 1 deletions
diff --git a/ishtar_common/wizards.py b/ishtar_common/wizards.py
index 908a84a46..222d2a5db 100644
--- a/ishtar_common/wizards.py
+++ b/ishtar_common/wizards.py
@@ -18,17 +18,19 @@
 # See the file COPYING for details.
 import datetime
+# from functools import wraps
 from django.conf import settings
 from django.contrib.formtools.wizard.storage import get_storage
 from django.contrib.formtools.wizard.views import NamedUrlWizardView, \
- normalize_name
+ normalize_name, get_storage, StepsHelper
 from django.contrib.sites.models import Site
 from django.core.exceptions import ObjectDoesNotExist
 from django.core.files.images import ImageFile
 from django.core.mail import send_mail
 from django.db.models.fields.files import FileField
 from django.db.models.fields.related import ManyToManyField
+from django.http import HttpResponseRedirect
 from django.forms import ValidationError
 from django.shortcuts import render_to_response
 from django.template import Context, RequestContext, loader
@@ -49,6 +51,32 @@ class MultiValueDict(BaseMultiValueDict):
 return v
+def check_rights(rights=[], redirect_url='/'):
+ """
+ Decorator that checks the rights to access the view.
+ """
+
+ def decorator(view_func):
+ def _wrapped_view(request, *args, **kwargs):
+ if not rights:
+ return view_func(request, *args, **kwargs)
+ if hasattr(request.user, 'ishtaruser'):
+ if request.user.ishtaruser.has_right('administrator',
+ request.session):
+ kwargs['current_right'] = 'administrator'
+ return view_func(request, *args, **kwargs)
+ for right in rights:
+ # be careful to put the more permissive rights first
+ # if granted it can allow more
+ if request.user.ishtaruser.has_right(right,
+ request.session):
+ kwargs['current_right'] = right
+ return view_func(request, *args, **kwargs)
+ return HttpResponseRedirect(redirect_url)
+ return _wrapped_view
+ return decorator
+
+
 class Wizard(NamedUrlWizardView):
 model = None
 label = ''
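Review bot: `check_rights` fails open when `rights` is empty: `if not rights: return view_func(request, *args, **kwargs)` runs the view for any request, authenticated or not, and without setting `current_right`, so a view decorated with the default arguments gets no access control and no ownership check downstream. If an unrestricted view is intended, say so in the docstring; otherwise deny by default. Two smaller points in the same function: the mutable default `rights=[]` is safer as `rights=None`, and `_wrapped_view` is not wrapped with `functools.wraps(view_func)` (the import is added commented-out in the first hunk), so the decorated view loses its name and docstring. The refusal path returns `HttpResponseRedirect(redirect_url)` without logging, which leaves denied access attempts invisible to anyone reviewing the logs. Indentation is lost on this page, so the nesting of the final redirect is read from context.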
@@ -88,6 +116,27 @@ class Wizard(NamedUrlWizardView): cond = self._check_right(form_key, condition) self.condition_dict[form_key] = cond + def dispatch(self, request, *args, **kwargs): + self.current_right = kwargs.get('current_right', None) + + # check that the current object is really owned by the current user + if self.current_right and '_own_' in self.current_right: + # reinit default dispatch of a wizard - not clean... + self.request = request + self.session = request.session + self.prefix = self.get_prefix(*args, **kwargs) + self.storage = get_storage(self.storage_name, self.prefix, request, + getattr(self, 'file_storage', None)) + self.steps = StepsHelper(self) + + current_object = self.get_current_object() + if current_object and not current_object.is_own(request.user): + main_form_key = 'selec-' + self.url_name + self.session_reset(request, main_form_key) + return HttpResponseRedirect('/') + + return super(Wizard, self).dispatch(request, *args, **kwargs) + def get_prefix(self, *args, **kwargs): """As the class name can interfere when reused prefix with the url_name """ |
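Review bot: The ownership check in `dispatch` is skipped whenever `get_current_object()` returns a falsy value, and it runs before `super(Wizard, self).dispatch(...)` handles the request, so an object selected by the POST being processed is presumably not checked until the following request. `get_current_object` and the selection forms are outside this hunk, so confirm that the selection step itself limits its queryset to the user's own objects when `current_right` contains `_own_`, rather than relying on this after-the-fact reset. `self.current_right` comes straight from `kwargs`, so the check is only as strong as the guarantee that every URL for this wizard is wrapped in `check_rights`. A comment such as `# NOTE: only enforced for objects already in wizard storage; selection forms must filter by owner too` would make that limit explicit. Logging the refusal before `return HttpResponseRedirect('/')` would also help detection, and the copied storage/steps setup (flagged "not clean" in the code) will drift if the parent `dispatch` changes.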