Commit 8cee4a4c authored by Tanner Prestegard's avatar Tanner Prestegard Committed by GraceDB

Better 403 handling with template rendering for event views

parent ce232d31
from django.core.exceptions import PermissionDenied
from django.http import HttpResponse
from django.http import HttpResponseRedirect, HttpResponseNotFound, HttpResponseBadRequest, Http404
from django.http import HttpResponseForbidden, HttpResponseServerError
......@@ -74,10 +75,14 @@ def event_and_auth_required(view):
# maps to 'view', and unsafe methods map to 'CHANGE'
if request.method=='GET':
if not user_has_perm(request.user, 'view', event):
return HttpResponseForbidden("Forbidden")
msg = ('You do not have permission to view this event. '
'If you think you should be able to view it, make sure '
'you are logged in.')
return render(request, '403.html', status=403,
context={'graceid': graceid, 'message': msg})
elif request.method in ['POST', 'DELETE']:
if not user_has_perm(request.user, 'change', event):
return HttpResponseForbidden("Forbidden")
raise PermissionDenied
return view(request, event, *args, **kwargs)
return inner
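Review bot: Only GET, POST and DELETE are permission-checked in this decorator, so a request with any other method (HEAD, PUT, PATCH, OPTIONS) falls through to `return view(request, event, *args, **kwargs)` with no `user_has_perm` call, even though the comment says unsafe methods map to 'change'. Unless the wrapped views restrict methods elsewhere (not visible here), make the check fail closed: `if request.method in ('GET', 'HEAD'):` for the 'view' branch and a plain `else:` for the 'change' branch. The two denial paths also differ now: GET renders `403.html` directly, while POST/DELETE raise `PermissionDenied`. A short comment saying that the second path relies on the project's 403 handler would help the next reader. The body of `inner` starts outside the hunk.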
......
{% extends "base.html" %}
{% block title %}403 – Forbidden{% endblock %}
{% block heading %}Forbidden {{ object.graceid }}{% endblock %}
{% block heading %}Forbidden {{ graceid }}{% endblock %}
{% block content %}
<p>You do not have the required permissions for the requested action.</p>
{{ message|safe }}
{% if message %}
<p>{{ message|safe }}</p>
{% else %}
<p>You do not have permission to perform the requested action.</p>
{% endif %}
{% endblock %}
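Review bot: `{{ message|safe }}` in the new `{% if message %}` branch turns off autoescaping for a value supplied by the calling view. The only message visible in this commit is a fixed plain-text string, so the filter gains nothing today, and it would render markup unescaped if a later caller builds the message from request data such as the graceid. Suggest `<p>{{ message }}</p>`; if HTML in the message is ever needed, have the view mark that specific string safe instead. `{{ graceid }}` in the heading is left to autoescaping, which is the right choice.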