protecting through 403 several staff views

This commit is contained in:
Alex Barcelo 2015-12-16 17:51:15 +01:00
parent 1ea70ad1be
commit 01598826bf

View File

@ -21,11 +21,11 @@ except ImportError:
from django.contrib.auth.decorators import login_required, user_passes_test from django.contrib.auth.decorators import login_required, user_passes_test
from django.core.files.base import ContentFile from django.core.files.base import ContentFile
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from django.core.exceptions import ValidationError from django.core.exceptions import ValidationError, PermissionDenied
from django.core import paginator from django.core import paginator
from django.db import connection from django.db import connection
from django.db.models import Q from django.db.models import Q
from django.http import HttpResponseRedirect, Http404, HttpResponse, HttpResponseForbidden from django.http import HttpResponseRedirect, Http404, HttpResponse
from django.shortcuts import render_to_response, get_object_or_404 from django.shortcuts import render_to_response, get_object_or_404
from django.template import loader, Context, RequestContext from django.template import loader, Context, RequestContext
from django.utils.dates import MONTHS_3 from django.utils.dates import MONTHS_3
@ -164,6 +164,8 @@ dashboard = staff_member_required(dashboard)
def delete_ticket(request, ticket_id): def delete_ticket(request, ticket_id):
ticket = get_object_or_404(Ticket, id=ticket_id) ticket = get_object_or_404(Ticket, id=ticket_id)
if not _has_access_to_queue(request.user, ticket.queue):
raise PermissionDenied()
if request.method == 'GET': if request.method == 'GET':
return render_to_response('helpdesk/delete_ticket.html', return render_to_response('helpdesk/delete_ticket.html',
@ -179,6 +181,8 @@ def followup_edit(request, ticket_id, followup_id):
"Edit followup options with an ability to change the ticket." "Edit followup options with an ability to change the ticket."
followup = get_object_or_404(FollowUp, id=followup_id) followup = get_object_or_404(FollowUp, id=followup_id)
ticket = get_object_or_404(Ticket, id=ticket_id) ticket = get_object_or_404(Ticket, id=ticket_id)
if not _has_access_to_queue(request.user, ticket.queue):
raise PermissionDenied()
if request.method == 'GET': if request.method == 'GET':
form = EditFollowUpForm(initial= form = EditFollowUpForm(initial=
{'title': escape(followup.title), {'title': escape(followup.title),
@ -237,6 +241,8 @@ followup_delete = staff_member_required(followup_delete)
def view_ticket(request, ticket_id): def view_ticket(request, ticket_id):
ticket = get_object_or_404(Ticket, id=ticket_id) ticket = get_object_or_404(Ticket, id=ticket_id)
if not _has_access_to_queue(request.user, ticket.queue):
raise PermissionDenied()
if 'take' in request.GET: if 'take' in request.GET:
# Allow the user to assign the ticket to themselves whilst viewing it. # Allow the user to assign the ticket to themselves whilst viewing it.
@ -623,6 +629,9 @@ def mass_update(request):
action = 'assign' action = 'assign'
for t in Ticket.objects.filter(id__in=tickets): for t in Ticket.objects.filter(id__in=tickets):
if not _has_access_to_queue(request.user, t.queue):
continue
if action == 'assign' and t.assigned_to != user: if action == 'assign' and t.assigned_to != user:
t.assigned_to = user t.assigned_to = user
t.save() t.save()
@ -901,7 +910,7 @@ ticket_list = staff_member_required(ticket_list)
def edit_ticket(request, ticket_id): def edit_ticket(request, ticket_id):
ticket = get_object_or_404(Ticket, id=ticket_id) ticket = get_object_or_404(Ticket, id=ticket_id)
if not _has_access_to_queue(request.user, ticket.queue): if not _has_access_to_queue(request.user, ticket.queue):
return HttpResponseRedirect(reverse('helpdesk_dashboard')) raise PermissionDenied()
if request.method == 'POST': if request.method == 'POST':
form = EditTicketForm(request.POST, instance=ticket) form = EditTicketForm(request.POST, instance=ticket)
@ -974,6 +983,8 @@ raw_details = staff_member_required(raw_details)
def hold_ticket(request, ticket_id, unhold=False): def hold_ticket(request, ticket_id, unhold=False):
ticket = get_object_or_404(Ticket, id=ticket_id) ticket = get_object_or_404(Ticket, id=ticket_id)
if not _has_access_to_queue(request.user, ticket.queue):
raise PermissionDenied()
if unhold: if unhold:
ticket.on_hold = False ticket.on_hold = False
@ -1282,6 +1293,9 @@ email_ignore_del = superuser_required(email_ignore_del)
def ticket_cc(request, ticket_id): def ticket_cc(request, ticket_id):
ticket = get_object_or_404(Ticket, id=ticket_id) ticket = get_object_or_404(Ticket, id=ticket_id)
if not _has_access_to_queue(request.user, ticket.queue):
raise PermissionDenied()
copies_to = ticket.ticketcc_set.all() copies_to = ticket.ticketcc_set.all()
return render_to_response('helpdesk/ticket_cc_list.html', return render_to_response('helpdesk/ticket_cc_list.html',
RequestContext(request, { RequestContext(request, {
@ -1292,6 +1306,9 @@ ticket_cc = staff_member_required(ticket_cc)
def ticket_cc_add(request, ticket_id): def ticket_cc_add(request, ticket_id):
ticket = get_object_or_404(Ticket, id=ticket_id) ticket = get_object_or_404(Ticket, id=ticket_id)
if not _has_access_to_queue(request.user, ticket.queue):
raise PermissionDenied()
if request.method == 'POST': if request.method == 'POST':
form = TicketCCForm(request.POST) form = TicketCCForm(request.POST)
if form.is_valid(): if form.is_valid():
@ -1310,6 +1327,7 @@ ticket_cc_add = staff_member_required(ticket_cc_add)
def ticket_cc_del(request, ticket_id, cc_id): def ticket_cc_del(request, ticket_id, cc_id):
cc = get_object_or_404(TicketCC, ticket__id=ticket_id, id=cc_id) cc = get_object_or_404(TicketCC, ticket__id=ticket_id, id=cc_id)
if request.method == 'POST': if request.method == 'POST':
cc.delete() cc.delete()
return HttpResponseRedirect(reverse('helpdesk_ticket_cc', kwargs={'ticket_id': cc.ticket.id})) return HttpResponseRedirect(reverse('helpdesk_ticket_cc', kwargs={'ticket_id': cc.ticket.id}))
@ -1321,6 +1339,8 @@ ticket_cc_del = staff_member_required(ticket_cc_del)
def ticket_dependency_add(request, ticket_id): def ticket_dependency_add(request, ticket_id):
ticket = get_object_or_404(Ticket, id=ticket_id) ticket = get_object_or_404(Ticket, id=ticket_id)
if not _has_access_to_queue(request.user, ticket.queue):
raise PermissionDenied()
if request.method == 'POST': if request.method == 'POST':
form = TicketDependencyForm(request.POST) form = TicketDependencyForm(request.POST)
if form.is_valid(): if form.is_valid():
@ -1351,6 +1371,8 @@ ticket_dependency_del = staff_member_required(ticket_dependency_del)
def attachment_del(request, ticket_id, attachment_id): def attachment_del(request, ticket_id, attachment_id):
ticket = get_object_or_404(Ticket, id=ticket_id) ticket = get_object_or_404(Ticket, id=ticket_id)
if not _has_access_to_queue(request.user, ticket.queue):
raise PermissionDenied()
attachment = get_object_or_404(Attachment, id=attachment_id) attachment = get_object_or_404(Attachment, id=attachment_id)
attachment.delete() attachment.delete()
return HttpResponseRedirect(reverse('helpdesk_view', args=[ticket_id])) return HttpResponseRedirect(reverse('helpdesk_view', args=[ticket_id]))