Check for view permissions when serving polls (#551)
frcroth authored Apr 9, 2024
1 parent 54036d5 commit 35446d2
Showing 3 changed files with 23 additions and 12 deletions.
13 changes: 13 additions & 0 deletions myhpi/core/models.py
Expand Up @@ -3,6 +3,7 @@

from django import forms
from django.contrib.auth.models import Group, User
from django.core.exceptions import PermissionDenied
from django.db import models
from django.db.models import BooleanField, CharField, DateField, ForeignKey, Model, Q
from django.http import HttpResponseRedirect
Expand Down Expand Up @@ -43,6 +44,18 @@ class BasePage(Page):
index.FilterField("is_public"),
]

def check_can_view(self, request):
target_groups = request.user.groups.all()
if request.user.is_superuser:
return
if getattr(request.user, "ip_range_group_name", None):
target_groups = Group.objects.filter(
Q(name=request.user.ip_range_group_name) | Q(id__in=request.user.groups.all())
)
is_matching_group = any(group in self.visible_for.all() for group in target_groups)
if not (is_matching_group or self.is_public):
raise PermissionDenied


class InformationPageForm(WagtailAdminPageForm):
def __init__(self, *args, **kwargs):
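Review bot: The membership test in `is_matching_group = any(group in self.visible_for.all() for group in target_groups)` re-evaluates `self.visible_for.all()` for each group, so a user in many groups costs one query per group; `is_matching_group = self.visible_for.filter(pk__in=target_groups).exists()` performs the same test in a single query (the hunk already uses the `id__in=<queryset>` form, so the subquery style is established in this file). `target_groups = request.user.groups.all()` is assigned before the `is_superuser` early return and then discarded on that path; putting the superuser check first reads more clearly. The method also has no docstring; I would add one stating that it raises `PermissionDenied` unless the page is public, the requesting user is a superuser, or one of the user's groups (the IP-range group included when `ip_range_group_name` is set) is listed in `visible_for`. The enclosing `BasePage` class starts outside the hunk.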
13 changes: 1 addition & 12 deletions myhpi/core/wagtail_hooks.py
@@ -1,8 +1,6 @@
from itertools import chain

from django.contrib.auth.models import Group
from django.core.exceptions import PermissionDenied
from django.db.models import Q
from django.templatetags.static import static
from django.utils.html import format_html
from wagtail import hooks
Expand All @@ -13,16 +11,7 @@
@hooks.register("before_serve_page")
def check_view_permissions(page, request, serve_args, serve_kwargs):
if isinstance(page, (Minutes, MinutesList, InformationPage)):
target_groups = request.user.groups.all()
if request.user.is_superuser:
return
if getattr(request.user, "ip_range_group_name", None):
target_groups = Group.objects.filter(
Q(name=request.user.ip_range_group_name) | Q(id__in=request.user.groups.all())
)
is_matching_group = any(group in page.visible_for.all() for group in target_groups)
if not (is_matching_group or page.is_public):
raise PermissionDenied
page.specific.check_can_view(request)


@hooks.register("before_serve_document")
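Review bot: The dispatch on `isinstance(page, (Minutes, MinutesList, InformationPage))` means any other `BasePage` subclass is served with no visibility check at all, and the new hook in myhpi/polls/wagtail_hooks.py repeats the same allowlist pattern for `PollList` and `BasePoll`; now that `check_can_view` lives on `BasePage`, dispatching on the base class, `if isinstance(page.specific, BasePage): page.specific.check_can_view(request)`, would cover every page type that carries `visible_for` and would not need extending when a page type is added (this assumes the poll models also derive from `BasePage`, which the diff does not show). If some page type is meant to be exempt, a comment naming it here is clearer than its absence from the tuple. Note also that if `page` were a plain `Page` the `isinstance` test would never match a subclass, so `page` must already be the specific instance at this point and `.specific` on the new line is effectively a no-op; worth a one-line comment either way so the next reader does not wonder which it is.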
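--- a/myhpi/polls/wagtail_hooks.py
+++ b/myhpi/polls/wagtail_hooks.py
@@ -0,0 +1,9 @@
+from wagtail import hooks
+
+from myhpi.polls.models import BasePoll, PollList
+
+
+@hooks.register("before_serve_page")
+def check_view_permissions(page, request, serve_args, serve_kwargs):
+    if isinstance(page, (PollList, BasePoll)):
+        page.specific.check_can_view(request)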