[open-ils-commits] r150 - servres/trunk/conifer/syrup (gfawcett)

svn at svn.open-ils.org svn at svn.open-ils.org
Sun Mar 8 16:01:44 EDT 2009


Author: gfawcett
Date: 2009-03-08 16:01:40 -0400 (Sun, 08 Mar 2009)
New Revision: 150

Modified:
   servres/trunk/conifer/syrup/views.py
Log:
added "instructors_only" decorator to control access to sensitive URLs


Modified: servres/trunk/conifer/syrup/views.py
===================================================================
--- servres/trunk/conifer/syrup/views.py	2009-03-08 19:28:49 UTC (rev 149)
+++ servres/trunk/conifer/syrup/views.py	2009-03-08 20:01:40 UTC (rev 150)
@@ -51,7 +51,26 @@
         return HttpResponse('auth_handler: ' + path)
 
 #------------------------------------------------------------
+# Authorization
 
+def instructors_only(handler):
+    def hdlr(request, course_id, *args, **kwargs):
+        allowed = request.user.is_superuser
+        if not allowed:
+            cursor = django.db.connection.cursor()
+            cursor.execute('select count(*) from syrup_member where user_id=%s and course_id=%s',                       
+                           [request.user.id, int(course_id)])
+            res = cursor.fetchall()
+            cursor.close()
+            allowed = res[0][0]
+        if allowed:
+            return handler(request, course_id, *args, **kwargs)
+        else:
+            return HttpResponseForbidden(_('Only instructors may edit courses.'))
+    return hdlr
+
+#------------------------------------------------------------
+
 def welcome(request):
     return g.render('welcome.xhtml')
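Review bot: The query in `hdlr` only tests that the user has a row in `syrup_member` for this course, so if that table also holds students (the decorator name and the Forbidden message say instructors are intended), any enrolled member passes the check; the WHERE clause should also constrain the membership role, e.g. `... and role=%s` with whichever column marks instructors — confirm against the model. The decorator replaces `@login_required` on edit_course, delete_course, item_add and item_edit in the later hunks without checking authentication itself, so an anonymous request reaches the raw query with `user_id=None` and gets a 403 rather than the login redirect; keep `@login_required` stacked above it, or guard early with `if not request.user.is_authenticated(): return HttpResponseForbidden(_('Only instructors may edit courses.'))`. `int(course_id)` raises ValueError for a non-numeric id, which surfaces as a 500 instead of a 404, and `cursor.close()` is skipped if `execute` raises — a `try/finally` around the query or the ORM equivalent would fix both. Decorating `hdlr` with `functools.wraps(handler)` would also keep the wrapped view's name for debugging and URL reversing.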
 
@@ -163,11 +182,12 @@
         choices = choices)
     NewCourseForm.base_fields['code'].empty_label = empty_label
     
+# todo, how do we decide who can create new course sites?
 @login_required
 def add_new_course(request):
     return add_or_edit_course(request)
 
- at login_required
+ at instructors_only
 def edit_course(request, course_id):
     instance = get_object_or_404(models.Course, pk=course_id)
     return add_or_edit_course(request, instance=instance)
@@ -277,7 +297,7 @@
                 raise NotImplementedError, 'No course sections yet! Coming soon.'
             return HttpResponseRedirect('.')
 
- at login_required                 # fixme, must be instructor...
+ at instructors_only
 def delete_course(request, course_id):
     course = get_object_or_404(models.Course, pk=course_id)
     if request.POST.get('confirm_delete'):
@@ -371,8 +391,7 @@
     return g.render('item_heading_detail.xhtml', item=item)
 
 
-# fixme, not just login required! Must be in right course.
- at login_required
+ at instructors_only
 def item_add(request, course_id, item_id):
     # The parent_item_id is the id for the parent-heading item. Zero
     # represents 'top-level', i.e. the new item should have no
@@ -463,8 +482,7 @@
         else:
             return HttpResponseRedirect(course.course_url())
 
-# fixme, not just login required! Must be in right course.
- at login_required
+ at instructors_only
 def item_edit(request, course_id, item_id):
     course = get_object_or_404(models.Course, pk=course_id)
     item = get_object_or_404(models.Item, pk=item_id, course__id=course_id)


