diff --git a/papermerge/contrib/admin/context_processors.py b/papermerge/contrib/admin/context_processors.py
index 072217c81..6d9d4b123 100644
--- a/papermerge/contrib/admin/context_processors.py
+++ b/papermerge/contrib/admin/context_processors.py
@@ -167,8 +167,12 @@ def user_perms(request):
     access_feature = request.user.has_perm(
         'core.view_access'
     )
+    new_folder = request.user.has_perm(
+        'core.add_folder'
+    )
     return {
         'has_perm_change_user': change_user,
         'has_perm_view_authtoken': auth_token,
-        'has_perm_access_feature': access_feature
+        'has_perm_access_feature': access_feature,
+        'has_perm_new_folder': new_folder
     }
diff --git a/papermerge/contrib/admin/templates/admin/index.html b/papermerge/contrib/admin/templates/admin/index.html
index 87dcb03c4..1fd2ab150 100644
--- a/papermerge/contrib/admin/templates/admin/index.html
+++ b/papermerge/contrib/admin/templates/admin/index.html
@@ -26,7 +26,6 @@
diff --git a/papermerge/core/views/decorators.py b/papermerge/core/views/decorators.py
index 4a1760c9b..39fa1a430 100644
--- a/papermerge/core/views/decorators.py
+++ b/papermerge/core/views/decorators.py
@@ -1,8 +1,11 @@
 import json
+from functools import wraps
 from django.http import (
     HttpResponse,
-    HttpResponseRedirect
+    HttpResponseRedirect,
+    HttpResponseForbidden
 )
+from django.utils.log import log_response
 def smart_dump(value):
@@ -63,3 +66,41 @@ def inner(*args, **kwargs):
         return inner
+
+def require_PERM(perm):
+    """
+    Decorator to make a view only accept users which has given permission.
+    Usage::
+
+        @require_PERM('add_folder')
+        def my_view(request):
+            # I can assume now that user logged in has 'add_folder' permission
+            # ...
+    """
+    def decorator(func):
+        @wraps(func)
+        def inner(request, *args, **kwargs):
+
+            if not request.user.has_perm(perm):
+                err_msg = f"Forbidden. You don't not have {perm} permission"
+                if request.headers.get('x-requested-with') == 'XMLHttpRequest':
+                    response = HttpResponseForbidden(
+                        json.dumps({
+                            'msg': err_msg
+                        }),
+                        content_type="application/json"
+                    )
+                else:
+                    response = HttpResponseForbidden(err_msg)
+
+                log_response(
+                    "Access forbidden for %s to %s",
+                    request.user,
+                    request.path,
+                    response=response,
+                    request=request,
+                )
+                return response
+            return func(request, *args, **kwargs)
+        return inner
+    return decorator
diff --git a/papermerge/core/views/documents.py b/papermerge/core/views/documents.py
index c648f66bd..687247a0e 100644
--- a/papermerge/core/views/documents.py
+++ b/papermerge/core/views/documents.py
@@ -26,7 +26,7 @@ from papermerge.core.storage import default_storage
 from papermerge.core.lib.hocr import Hocr
-from .decorators import json_response
+from .decorators import json_response, require_PERM
 from papermerge.core.models import (
     Folder,
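Review bot: The 403 body built in `require_PERM` reads "You don't not have {perm} permission", a double negative that will be shown to users and returned in the JSON `msg`; it should be `err_msg = f"Forbidden. You don't have {perm} permission"`. The docstring example `@require_PERM('add_folder')` also disagrees with the real use site in documents.py, which passes the app-qualified `'core.add_folder'`; Django's `has_perm` matches on `app_label.codename`, so the unqualified example would deny every non-superuser, and the example should read `@require_PERM('core.add_folder')`. The docstring line "I can assume now that user logged in has ..." overstates the guarantee: the decorator only calls `request.user.has_perm(perm)`, and an anonymous user would normally fail that check and receive a 403 here rather than a login redirect, so the docstring should state that it must be stacked under `@login_required`, as documents.py does.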
@@ -305,6 +305,7 @@ def rename_node(request, id):
 @login_required
 @require_POST
+@require_PERM('core.add_folder')
 def create_folder(request):
     """
     Creates a new folder.