
added authorization checks to views

1 parent 765b389 commit ceaf6da7cccb33f2156f5ba4157aba4ed3efd312 @paltman paltman committed Jun 18, 2011
Showing with 16 additions and 1 deletion.
  1. +16 −1 boxes/views.py
@@ -1,14 +1,29 @@
+from django.http import HttpResponseForbidden
from django.shortcuts import get_object_or_404, render_to_response
from django.template import RequestContext
+from boxes.authorization import can_edit
from boxes.forms import BoxForm
from boxes.models import Box
-# @@@ put privilege checks around this using a boxes.check_permissions function
+# @@@ problem with this is that the box_edit.html and box_create.html won't have domain objects in context
+def get_auth_vars(request):
+ auth_vars = {}
+ if request.method == "POST":
+ keys = [k for k in request.POST.keys() if k.startswith("boxes_auth_")]
+ for key in keys:
+ auth_vars[key.replace("boxes_auth_", "")] = request.POST.get(key)
+ auth_vars["user"] = request.user
+ return auth_vars
+
+
def box_edit(request, pk):
box = get_object_or_404(Box, pk=pk)
if request.method == "POST":
+ if not can_edit(**get_auth_vars(request)):
+ return HttpResponseForbidden()
+
form = BoxForm(request.POST, instance=box)
if form.is_valid():
form.save()
