piki/pages/access.py

from django.conf import settings
import logging
import os

from .models import PikiPage

logger = logging.getLogger(settings.ROOT_LOGGER_NAME).getChild(__name__)


class access_control(object):
    def __init__(self, request, rel_path):
        self._request = request
        self._rel_path = rel_path
        self._user = request.user
        try:
            self._page = PikiPage.objects.get(rel_path=rel_path)
        except PikiPage.DoesNotExist:
            self._page = None
        self._read = None
        self._write = None

    def __analyse_access_rights__(self):
        if self._read is None or self._write is None:
            self._read = False
            self._write = False
            #
            if self._user.is_superuser:
                # A superuser has full access
                logger.debug("User is superuser -> full access granted")
                self._read = True
                self._write = True
            elif self._page is None:
                if self._user.is_staff:
                    # Page creation is allowed for staff users
                    logger.debug("Page %s does not exist and user is staff -> full access granted", repr(self._rel_path))
                    self._read = True
                    self._write = True
                else:
                    logger.debug("Page %s does not exist and user is not staff -> no access granted", repr(self._rel_path))
            else:
                user_is_owner = self._page.owner == self._user
                user_in_page_group = self._page.group in self._user.groups.all()
                # read permissions
                if user_is_owner and self._page.owner_perms_read:
                    logger.debug("Read access granted, due to owner permissions of page")
                    self._read = True
                elif user_in_page_group and self._page.group_perms_read:
                    logger.debug("Read access granted, due to group permissions of page")
                    self._read = True
                elif self._page.other_perms_read:
                    logger.debug("Read access granted, due to other permissions of page")
                    self._read = True
                # write permissions
                if user_is_owner and self._page.owner_perms_write:
                    logger.debug("Write access granted, due to owner permissions of page")
                    self._write = True
                elif user_in_page_group and self._page.group_perms_write:
                    logger.debug("Write access granted, due to group permissions of page")
                    self._write = True
                elif self._page.other_perms_write:
                    logger.debug("Write access granted, due to other permissions of page")
                    self._write = True

    def may_read(self):
        self.__analyse_access_rights__()
        return self._read

    def may_write(self):
        self.__analyse_access_rights__()
        return self._write

    def may_read_attachment(self):
        return self.may_read()

    def may_modify_attachment(self):
        return self.may_write()


def read_attachment(request, path):
    # Interface for external module mycreole
    rel_path = os.path.dirname(path)
    return access_control(request, rel_path).may_read_attachment()


def modify_attachment(request, path):
    # Interface for external module mycreole
    rel_path = os.path.dirname(path)
    return access_control(request, rel_path).may_modify_attachment()