Commit 474b410a authored by Branson Craig Stephens's avatar Branson Craig Stephens

Protected certain views with internal_user_required decorator.

parent e07acdad
......@@ -10,12 +10,15 @@ from models import Event, Group, Pipeline
#from views import view, search, index
from views import view
from gracedb.permission_utils import internal_user_required
from django.conf import settings
FEED_MAX_RESULTS = getattr(settings, 'FEED_MAX_RESULTS', 20)
class EventFeed(Feed):
title_template = "feeds/latest_title.html"
description_template = "feeds/latest_description.html"
@internal_user_required
def get_object(self, request, url):
bits = url.split('/')[1:]
# bits will look like
......@@ -74,6 +77,7 @@ class EventFeed(Feed):
_, x = obj
return x
@internal_user_required
def feedview(request):
return render_to_response(
'feeds/index.html',
......
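Review bot: `@internal_user_required` on `EventFeed.get_object` (L21-L22) cannot do its job: the decorator's wrapper is declared as `inner(request, *args, **kwargs)` (permission_utils hunk, L50), so when it wraps a method its `request` parameter is bound to `self`, and `request.user.groups` is looked up on the `EventFeed` instance. Even with the binding fixed, an `HttpResponseForbidden` returned from `get_object` is presumably consumed by the feed machinery as the feed's object rather than sent to the client, so the 403 would not reach the user. Put the check at a point that returns an HTTP response — the view that dispatches to the feed class, as already done for `feedview` at L28-L29, or an overridden `__call__(self, request, *args, **kwargs)` if the `Feed` base class is callable in this Django version — and document the precondition on the decorator itself, e.g. `# Only valid on plain view functions: the wrapper takes the request as its first positional argument, so it must not decorate methods.` `get_object`'s body continues outside the hunk.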
from django.db.models import Q
from guardian.shortcuts import assign_perm
from django.contrib.auth.models import Group
from django.utils.functional import wraps
from django.http import HttpResponseForbidden
#-------------------------------------------------------------------------------
# A convenient wrapper for permission checks.
......@@ -42,3 +44,18 @@ def assign_default_event_perms(event):
for g in [executives, internal]:
assign_perm(view_codename, g, event)
assign_perm(change_codename, g, event)
#-------------------------------------------------------------------------------
# A wrapper for views that checks whether the user is internal, and if not
# returns a 403.
#-------------------------------------------------------------------------------
def internal_user_required(view):
@wraps(view)
def inner(request, *args, **kwargs):
# XXX Should probably move this list of internal groups into settings.
internal_groups = Group.objects.filter(
name__in=['Communities:LSCVirgoLIGOGroupMembers', 'executives'])
if not set(list(internal_groups)) & set(list(request.user.groups.all())):
return HttpResponseForbidden("Forbidden")
return view(request, *args, **kwargs)
return inner
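Review bot: `inner` dereferences `request.user.groups` unconditionally at L54, while `gstlalcbc_report` in the reports hunk (L77) guards with `if not request.user`, which suggests `request.user` can be unset somewhere in this code base; if so, the decorator raises an `AttributeError` instead of returning the 403, so the guard should be mirrored here or the `request.user` invariant confirmed. The membership test also runs two queries and materialises both group sets only to intersect them; one filtered query on the user's groups is cheaper and states the intent directly: `if not request.user.groups.filter(name__in=['Communities:LSCVirgoLIGOGroupMembers', 'executives']).exists(): return HttpResponseForbidden("Forbidden")`. That form should behave the same for anonymous users, whose groups manager is empty, but is worth confirming on this Django version. A one-line docstring on `internal_user_required` stating that non-members get a bare 403 with no login redirect would also help callers choose between this and `login_required`.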
......@@ -6,7 +6,8 @@ from django.shortcuts import render_to_response
from django.conf import settings
from gracedb.models import Event
from gracedb.views import filter_events_for_user
from gracedb.permission_utils import filter_events_for_user
from gracedb.permission_utils import internal_user_required
from django.db.models import Q
import os, json
......@@ -30,6 +31,7 @@ import time
from datetime import datetime, timedelta
from utils import posixToGpsTime
@internal_user_required
def histo(request):
# Latency table.
......@@ -131,6 +133,7 @@ def to_png_image(out = sys.stdout):
plot.savefig(f, format="png")
return base64.b64encode(f.getvalue())
@internal_user_required
def gstlalcbc_report(request, format=""):
if not request.user or not request.user.is_authenticated():
......
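Review bot: The `is_authenticated()` guard at L77 inside `gstlalcbc_report` is now effectively unreachable for anonymous requests, because `@internal_user_required` at L75 rejects any user with no matching group before the view body runs; either drop the guard or leave a comment saying why it is kept, e.g. `# Redundant with @internal_user_required; kept as defence in depth.` Note that the decorator answers with a plain 403 rather than a login redirect, so if the old guard redirected to the login page that behaviour is lost for this view and for `histo` (L69-L70). `gstlalcbc_report`'s body continues outside the hunk.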
......@@ -18,6 +18,7 @@ from django.contrib.auth.models import User, Permission
from django.contrib.auth.models import Group as AuthGroup
from django.contrib.contenttypes.models import ContentType
from permission_utils import filter_events_for_user, user_has_perm
from permission_utils import internal_user_required
from guardian.models import GroupObjectPermission
from view_logic import _createEventFromForm
......@@ -645,7 +646,7 @@ def taglogentry(request, event, num, tagname):
return HttpResponse(msg, content_type="text")
# Performance metrics.
# XXX Should probably protect this view.
@internal_user_required
def performance(request):
try:
......
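Review bot: The `# XXX Should probably protect this view.` comment at L89 is now stale — the decorator added on the next line (L90) is exactly that protection — and should go with this change; a replacement such as `# Performance metrics; restricted to internal users via internal_user_required.` records the new state instead. `performance`'s body continues outside the hunk.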
......@@ -37,8 +37,8 @@ urlpatterns = patterns('',
url (r'^performance/$', 'gracedb.views.performance', name="performance"),
url (r'^reports/$', 'gracedb.reports.histo', name="reports"),
url (r'^reports/gstlalcbc_report/(?P<format>(json|flex))?$', 'gracedb.reports.gstlalcbc_report', name="gstlalcbc_report"),
(r'^reports/(?P<path>.+)$', 'django.views.static.serve',
{'document_root': settings.LATENCY_REPORT_DEST_DIR}),
#(r'^reports/(?P<path>.+)$', 'django.views.static.serve',
# {'document_root': settings.LATENCY_REPORT_DEST_DIR}),
url (r'^latest', 'gracedb.views.latest', name="latest"),
......
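Review bot: The hunk leaves both an active and a commented-out copy of the `reports/(?P<path>.+)` → `django.views.static.serve` route (L98-L101); with the `+`/`-` markers lost on this page I cannot tell which side is new, but whichever survives, the commented-out lines should be deleted rather than kept in the URL conf. If the static route is the one that remains, `django.views.static.serve` serves everything under `settings.LATENCY_REPORT_DEST_DIR` with no internal-user check, so the report files stay reachable around the decorator that `histo` and `gstlalcbc_report` now carry — that route needs the same wrapper or should be removed. If the static route is the one being removed, any report files linked from the reports page presumably 404 now, which is worth confirming.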