Permissions redefined, added can_delete and can_move permission

to page and global permissions. Changed naming to match django conventions
and various bug fixes.
commit 37f8a427fba039b49d3a277691f1cd822a2a318b 1 parent 8a946b3
pcicman authored
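--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,4 @@
 *.pyc
 *.DS_Store
 cms/media/cms_page_media/
-
+example/run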
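--- a/cms/admin/__init__.py
+++ b/cms/admin/__init__.py
@@ -43,6 +43,9 @@ class PagePermissionInlineAdmin(admin.TabularInline):
 model = PagePermission
 formset = BaseInlineFormSetWithQuerySet
+ def __init__(self, *args, **kwargs):
+ super(PagePermissionInlineAdmin, self).__init__(*args, **kwargs)
+
 if not settings.CMS_SOFTROOT:
 exclude = ['can_change_softroot']
@@ -59,20 +62,35 @@ def queryset(self, request):
 def get_formset(self, request, obj=None, **kwargs):
 """Seems django doesn't cares about queryset defined here - its
 probably a bug, so monkey patching again.. Assign use_queryset
- attribute to FormSet, our overiden formset knows how to handle
- this, @see BaseInlineFormSetWithQuerySet for more details.
+ attribute to FormSet, our overiden formset knows how to handle this,
+ @see BaseInlineFormSetWithQuerySet for more details.
+
+ Some fields may be excluded here. User can change only permissions
+ which are available for him. E.g. if user does not hves can_publish
+ flag, he can't change assign can_publish permissions.
 """
+ if obj:
+ self.exclude = []
+ if not obj.has_delete_permission(request):
+ self.exclude.append('can_delete')
+ if not obj.has_publish_permission(request):
+ self.exclude.append('can_publish')
+ if not obj.has_softroot_permission(request):
+ self.exclude.append('can_change_softroot')
+ if not obj.has_move_page_permission(request):
+ self.exclude.append('can_move_page')
+
 FormSet = super(PagePermissionInlineAdmin, self).get_formset(request, obj=None, **kwargs)
 # asign queryset
 FormSet.use_queryset = self.queryset(request)
 return FormSet
-
+
 PAGE_ADMIN_INLINES.append(PagePermissionInlineAdmin)
 class GlobalPagePermissionAdmin(admin.ModelAdmin):
- list_display = ['user', 'group', 'can_edit', 'can_publish', 'can_change_permissions']
- list_filter = ['user', 'group', 'can_edit', 'can_publish', 'can_change_permissions']
+ list_display = ['user', 'group', 'can_change', 'can_delete', 'can_publish', 'can_change_permissions']
+ list_filter = ['user', 'group', 'can_change', 'can_delete', 'can_publish', 'can_change_permissions']
 if settings.CMS_SOFTROOT:
 list_display += ('can_change_softroot', )
@@ -354,10 +372,9 @@ def has_add_permission(self, request):
 """
 Return true if the current user has permission to add a new page.
 """
- if not settings.CMS_PERMISSION:
- return super(PageAdmin, self).has_add_permission(request)
- else:
+ if settings.CMS_PERMISSION:
 return has_page_add_permission(request)
+ return super(PageAdmin, self).has_add_permission(request)
 def has_change_permission(self, request, obj=None):
 """
@@ -365,9 +382,18 @@ def has_change_permission(self, request, obj=None):
 Return the string 'All' if the user has all rights.
 """
 if settings.CMS_PERMISSION and obj is not None:
- return obj.has_page_permission(request)
+ return obj.has_change_permission(request)
 return super(PageAdmin, self).has_change_permission(request, obj)
+ def has_delete_permission(self, request, obj=None):
+ """
+ Returns True if the given request has permission to change the given
+ Django model instance. If CMS_PERMISSION are in use also takes look to
+ object permissions.
+ """
+ if settings.CMS_PERMISSION and obj is not None:
+ return obj.has_delete_permission(request)
+ return super(PageAdmin, self).has_delete_permission(request, obj)
 def changelist_view(self, request, extra_context=None):
 "The 'change list' admin view for this model."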
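Review bot: In `get_formset`, the per-request field list is written to `self.exclude` on the inline admin object, so the list computed for one user's request stays on that object for later requests and for calls where `obj` is None, if Django keeps inline instances alive between requests (worth confirming for the Django version in use). The assignment `self.exclude = []` also discards the class-level `exclude = ['can_change_softroot']` that is set when `settings.CMS_SOFTROOT` is off, so that field can reappear for users for whom `has_softroot_permission` returns True. Collect the names in a local list and hand it to the formset for this call only, rather than storing it on `self`. Separately, the new `has_delete_permission` docstring says "permission to change" where it means delete, and the added `__init__` only calls `super` and can be dropped.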
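--- a/cms/admin/change_list.py
+++ b/cms/admin/change_list.py
@@ -17,7 +17,7 @@ def __init__(self, *args, **kwargs):
 def get_query_set(self, request=None):
 qs = super(CMSChangeList, self).get_query_set()
 if request:
- permissions = Page.permissions.get_edit_id_list(request.user)
+ permissions = Page.permissions.get_change_id_list(request.user)
 if permissions != Page.permissions.GRANT_ALL:
 qs = qs.filter(pk__in=permissions)
 self.root_query_set = self.root_query_set.filter(pk__in=permissions)
@@ -47,7 +47,7 @@ def set_items(self, request):
 lang = get_language_from_request(request)
 pages = self.get_query_set(request).order_by('tree_id', 'parent', 'lft').select_related()
- perm_edit_ids = Page.permissions.get_edit_id_list(request.user)
+ perm_edit_ids = Page.permissions.get_change_id_list(request.user)
 perm_publish_ids = Page.permissions.get_publish_id_list(request.user)
 perm_softroot_ids = Page.permissions.get_softroot_id_list(request.user)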
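--- a/cms/admin/views.py
+++ b/cms/admin/views.py
@@ -32,7 +32,7 @@ def change_innavigation(request, page_id):
 """
 if request.method == 'POST':
 page = Page.objects.get(pk=page_id)
- if page.has_page_permission(request):
+ if page.has_change_permission(request):
 if page.in_navigation:
 page.in_navigation = False
 val = 0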
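--- a/cms/media/cms/css/pages.css
+++ b/cms/media/cms/css/pages.css
@@ -152,6 +152,10 @@ div#sitemap li, div#sitemap ul{list-style-type: none;}
 }
 #sitemap li .col1 .title{
+ background: none;
+}
+
+#sitemap li.moveable .col1 .title{
 background-repeat:no-repeat;
 background:url(../images/sitemap-li-drag.gif) no-repeat 0px 0px;
 }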
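--- a/cms/media/cms/javascript/change_list.js
+++ b/cms/media/cms/javascript/change_list.js
@@ -1,4 +1,4 @@
-var tree
+var tree;
 function initTree(){
 tree = new tree_component();
@@ -8,7 +8,7 @@ function initTree(){
 renameable: "none",
 deletable: "all",
 creatable: "all",
- draggable: "all",
+ draggable: ["moveable"],
 dragrules: "all"
 },
 path: false,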
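Review bot: Limiting `draggable` to `["moveable"]` here, and hiding the cut link behind `{% if has_move_page_permission %}` in `cms/templates/admin/cms/page/menu.html`, only changes what the browser offers; none of the files in this commit adds a `has_move_page_permission` check to the server-side view that performs the move. Unless that view already enforces it outside this diff, the `can_move_page` flag is advisory rather than an access control. The handler should call `page.has_move_page_permission(request)` and refuse the request when it returns False, the same way `change_innavigation` checks `has_change_permission`. `initTree` continues past the end of the hunk.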
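--- a/cms/models/__init__.py
+++ b/cms/models/__init__.py
@@ -264,9 +264,20 @@ def get_template_name(self):
 # langs += '%s, ' % lang
 # return langs[0:-2]
- def has_page_permission(self, request):
- return self.has_generic_permission(request, "edit")
-
+ def has_change_permission(self, request):
+ opts = self._meta
+ if request.user.is_superuser:
+ return True
+ return request.user.has_perm(opts.app_label + '.' + opts.get_change_permission()) and \
+ self.has_generic_permission(request, "change")
+
+ def has_delete_permission(self, request):
+ opts = self._meta
+ if request.user.is_superuser:
+ return True
+ return request.user.has_perm(opts.app_label + '.' + opts.get_delete_permission()) and \
+ self.has_generic_permission(request, "delete")
+
 def has_publish_permission(self, request):
 return self.has_generic_permission(request, "publish")
@@ -274,8 +285,16 @@ def has_softroot_permission(self, request):
 return self.has_generic_permission(request, "softroot")
 def has_change_permissions_permission(self, request):
+ """Has user ability to change permissions for current page?
+ """
 return self.has_generic_permission(request, "change_permissions")
+ def has_move_page_permission(self, request):
+ """Has user ability to move current page?
+ """
+ print "> can move page: ", self.has_generic_permission(request, "move_page")
+ return self.has_generic_permission(request, "move_page")
+
 def has_generic_permission(self, request, type):
 """
 Return true if the current user has permission on the page.
@@ -283,9 +302,7 @@ def has_generic_permission(self, request, type):
 """
 if not request.user.is_authenticated() or not request.user.is_staff:
 return False
- if request.user.is_superuser:
- return True
- if not settings.CMS_PERMISSION:
+ if not settings.CMS_PERMISSION or request.user.is_superuser:
 return True
 att_name = "permission_%s_cache" % type
@@ -468,10 +485,15 @@ class AbstractPagePermission(models.Model):
 group = models.ForeignKey(Group, verbose_name=_("group"), blank=True, null=True)
 # what:
- can_edit = models.BooleanField(_("can edit"), default=True)
+ can_change = models.BooleanField(_("can edit"), default=True)
+ can_delete = models.BooleanField(_("can delete"), default=True)
 can_change_softroot = models.BooleanField(_("can change soft-root"), default=False)
 can_publish = models.BooleanField(_("can publish"), default=True)
 can_change_permissions = models.BooleanField(_("can change permissions"), default=False, help_text=_("on page level"))
+ can_move_page = models.BooleanField(_("can move"), default=True)
+
+ #todo: can_add ...?
+
 class Meta:
 abstract = True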
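Review bot: The new `can_delete` and `can_move_page` fields on `AbstractPagePermission` default to True, while `get_formset` in `cms/admin/__init__.py` hides these same fields from users who lack the permission themselves. A permission row created through that reduced form would presumably be saved with the model default, so the row would carry delete or move rights that its author does not hold. Safer is `default=False` for the newly added flags, or forcing hidden fields to False when the row is saved. The `print "> can move page: ", ...` line in `has_move_page_permission` is leftover debug output that also runs the permission lookup twice, and should be removed.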
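--- a/cms/models/managers.py
+++ b/cms/models/managers.py
@@ -220,12 +220,6 @@ def followed_after_user(self, user):
 If user is superuser, or haves global can_change_permission permissions,
 show him everything.
- This function will return just following permission nodes, and never the
- node to which is user assigned directly - because he must not be able to
- change permissions for himself - only user higher then him in tree can
- change his permissions if he is allowed. This is because user can't have
- possibility to add himself more permissions.
-
 Result of this is used in admin for page permissions inline.
 """
 from cms.models import GlobalPagePermission, Page
@@ -246,9 +240,11 @@ def followed_after_user(self, user):
 # get permission set, but without objects targeting user, or any group
 # in which he can be
- qs = self.filter(page__id__in=page_id_allow_list, page__level__gte=user_level)
- qs = qs.exclude(user=user, group__user=user)
-
+ qs = self.filter(
+ page__id__in=page_id_allow_list,
+ page__level__gte=user_level
+ )
+ #qs = qs.exclude(user=user).exclude(group__user=user)
 return qs
@@ -273,12 +269,19 @@ def get_publish_id_list(self, user):
 """
 return self.__get_id_list(user, "can_publish")
- def get_edit_id_list(self, user):
+ def get_change_id_list(self, user):
 """
 Give a list of page where the user has edit rights or the string "All" if
 the user has all rights.
 """
- return self.__get_id_list(user, "can_edit")
+ return self.__get_id_list(user, "can_change")
+
+ def get_delete_id_list(self, user):
+ """
+ Give a list of page where the user has delete rights or the string "All" if
+ the user has all rights.
+ """
+ return self.__get_id_list(user, "can_delete")
 def get_softroot_id_list(self, user):
 """
@@ -288,11 +291,19 @@ def get_softroot_id_list(self, user):
 return self.__get_id_list(user, "can_change_softroot")
 def get_change_permissions_id_list(self, user):
- """
- Give a list of page where the user can change permissions.
+ """Give a list of page where the user can change permissions.
 """
 return self.__get_id_list(user, "can_change_permissions")
+ def get_move_page_id_list(self, user):
+ """Give a list of pages which user can move.
+ """
+ # TODO: this is going to be tricky!!
+
+ #... continue here ...
+
+ return self.__get_id_list(user, "can_move_page")
+
 def __get_id_list(self, user, attr):
 if user.is_superuser or not settings.CMS_PERMISSION:
 # got superuser, or permissions aren't enabled? just return grant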
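Review bot: `followed_after_user` no longer filters out permission rows that target the requesting user or one of their groups: the `exclude` call is replaced by a commented-out line, and the docstring paragraph explaining why a user must not edit their own permissions is deleted. As far as this hunk shows, a user with `can_change_permissions` can now edit the rows that define their own rights in the page-permissions inline. If the old call was dropped because `exclude(user=user, group__user=user)` only matched rows satisfying both conditions, enable the chained form instead, `qs = qs.exclude(user=user).exclude(group__user=user)`; otherwise state in the docstring why self-editing is now acceptable and update the stale comment above the query. `get_move_page_id_list` still carries the `#... continue here ...` placeholder, so its result should not be relied on for enforcement yet.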
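--- a/cms/templates/admin/cms/page/menu.html
+++ b/cms/templates/admin/cms/page/menu.html
@@ -1,4 +1,4 @@
-<li id="page_{{page.pk}}" {% if cl.is_filtered %}class="leaf"{% endif %} >{% load cms_tags i18n adminmedia %}
+<li id="page_{{page.pk}}" class="{% if cl.is_filtered %}leaf {% endif %}{% if has_move_page_permission %} moveable{% endif %}" {% if has_move_page_permission %}rel="moveable"{% endif %}>{% load cms_tags i18n adminmedia %}
 <div class="cont">
 <div class="col1">
 <a href="{{ url }}{{ page.id }}/" class="title" title="{% trans "edit this page" %}">{{ page.get_slug }}</a>
@@ -18,9 +18,9 @@
 {% endfor %}
 </select>
 <a href="#" title="{% trans "View on page" %}" class="selector-add viewpage" id="view-page-{{page.id}}"><span>{% trans "view" %}</span></a>
- <a href="#" class="move" title="{% trans "Cut" %}" id="move-link-{{ page.id }}"><span>{% trans "cut" %}</span></a>{% endif %}
+ {% if has_move_page_permission %}<a href="#" class="move" title="{% trans "Cut" %}" id="move-link-{{ page.id }}"><span>{% trans "cut" %}</span></a>{% endif %}{% endif %}
 <a href="#" class="addlink" title="{% trans "Add Child" %}" id="add-link-{{ page.id }}"><span>{% trans "add" %}</span></a>
- <a href="{{ page.id }}/delete/" title="{% trans "Delete" %}" class="deletelink"><span>{% trans "delete" %}</span></a>
+ {% if has_delete_permission %}<a href="{{ page.id }}/delete/" title="{% trans "Delete" %}" class="deletelink"><span>{% trans "delete" %}</span></a>{% endif %}
 </div>
 <div class="col-published">{% if page.status %}
 <label>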
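--- a/cms/templatetags/cms_tags.py
+++ b/cms/templatetags/cms_tags.py
@@ -183,8 +183,10 @@ def show_admin_menu(context, page, no_children=False, level=None):
 elif context.has_key('filtered'):
 filtered = context['filtered']
 children = page.childrens
- has_permission = page.has_page_permission(request)
+ has_permission = page.has_change_permission(request)
 has_publish_permission = page.has_publish_permission(request)
+ has_delete_permission = page.has_delete_permission(request)
+ has_move_page_permission = page.has_move_page_permission(request)
 # level is used to add a left margin on table row
 if level is None:
 level = 0
@@ -255,7 +257,7 @@ def render_plugin(context, plugin_id):
 def has_permission(page, request):
- return page.has_page_permission(request)
+ return page.has_change_permission(request)
 register.filter(has_permission)
 def page_id_url(context, reverse_id, lang=None):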
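--- a/cms/utils/permissions.py
+++ b/cms/utils/permissions.py
@@ -4,7 +4,14 @@
 def has_page_add_permission(request, page=None):
 """Return true if the current user has permission to add a new page.
 """
- permissions = Page.permissions.get_edit_id_list(request.user)
+ if request.user.is_superuser:
+ return True
+
+ opts = Page._meta
+ if not request.user.has_perm(opts.app_label + '.' + opts.get_add_permission()):
+ return False
+
+ permissions = Page.permissions.get_change_id_list(request.user)
 if permissions is Page.permissions.GRANT_ALL:
 return True
 target = request.GET.get('target', -1)
@@ -47,4 +54,13 @@ def get_user_permission_level(user):
 raise NoPermissionsException
 return permission.page.level
-
+
+def get_add_permission(self):
+ return 'add_%s' % self.object_name.lower()
+
+def get_change_permission(self):
+ return 'change_%s' % self.object_name.lower()
+
+def get_delete_permission(self):
+ return 'delete_%s' % self.object_name.lower()
+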
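Review bot: The three functions added at the end of the file, `get_add_permission`, `get_change_permission` and `get_delete_permission`, take `self` and read `self.object_name`, yet they are plain module-level functions and nothing in this commit attaches them to a class or calls them; the new checks call `opts.get_add_permission()` on `Page._meta` instead. Remove them, or add a comment naming the class they are meant to be bound to. In `has_page_add_permission`, the context line `if permissions is Page.permissions.GRANT_ALL:` compares by identity while `cms/admin/change_list.py` uses `!=` for the same sentinel; `==` would be the consistent choice if `GRANT_ALL` is a string, as the docstrings suggest. The body of `has_page_add_permission` continues outside the hunk.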
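--- a/cms/views.py
+++ b/cms/views.py
@@ -51,10 +51,10 @@ def details(request, page_id=None, slug=None, template_name=settings.CMS_TEMPLAT
 elif not no404:
 raise Http404("no page found for site %s" % unicode(site.name))
 if current_page:
- has_page_permissions = current_page.has_page_permission(request)
+ has_change_permissions = current_page.has_change_permission(request)
 request._current_page_cache = current_page
 else:
- has_page_permissions = False
+ has_change_permissions = False
 return template_name, locals()
 details = auto_render(details)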
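--- a/example/templates/index.html
+++ b/example/templates/index.html
@@ -157,7 +157,7 @@
 <script type="text/javascript">
 // quick and dirty edit in place example
- {% if has_page_permissions %}
+ {% if has_change_permissions %}
 $('.placeholder').addClass('placeholder-editable');
 {% endif %}
 $('.placeholder-editable').mouseover(function() {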