basic access-controls on adding/editing items; added phys-item icon.

Only instructors and proxy-instructors can add items. We hide
edit-links if user isn't an editor.

The physical item icon could be improved.

git-svn-id: svn://svn.open-ils.org/ILS-Contrib/servres/trunk@108 6d9bc8c9-1ec2-4278-b937-99fde70a366f

diff --git a/conifer/static/main.css b/conifer/static/main.css
index e1b4697..3e9d2a1 100644 (file)
--- a/conifer/static/main.css
+++ b/conifer/static/main.css
@@ -127,6 +127,12 @@ a:hover {  text-decoration: underline;  }
     margin-top: 4;
 }
 
+.itemtree li.item_PHYS { 
+    /* fixme: need a better icon */
+    list-style-image: url(tango/x-office-address-book.png);
+    margin-top: 4;
+}
+
 
 .instructors {
   border: 1px solid #ccc;

diff --git a/conifer/static/tango/x-office-address-book.png b/conifer/static/tango/x-office-address-book.png
new file mode 100644 (file)
index 0000000..f3b5d9d
Binary files /dev/null and b/conifer/static/tango/x-office-address-book.png differ

diff --git a/conifer/syrup/models.py b/conifer/syrup/models.py
index c38efbe..e80f280 100644 (file)
--- a/conifer/syrup/models.py
+++ b/conifer/syrup/models.py
@@ -165,6 +165,14 @@ class Course(m.Model):
         walk(subtree, out)
         return out
 
+    def can_edit(self, user):
+        if user.is_anonymous():
+            return False
+        try:
+            mbr = Member.objects.get(course=self, user=user)
+        except Member.DoesNotExist:
+            return False
+        return mbr.role in (u'INSTR', u'PROXY')
 
 class Member(m.Model):
     course = m.ForeignKey(Course)

diff --git a/conifer/syrup/views.py b/conifer/syrup/views.py
index cc93366..49a45fd 100644 (file)
--- a/conifer/syrup/views.py
+++ b/conifer/syrup/views.py
@@ -1,4 +1,5 @@
 from django.http import HttpResponse, HttpResponseRedirect
+from django.http import HttpResponseForbidden
 from django.core.paginator import Paginator
 from django.shortcuts import get_object_or_404
 from django.contrib.auth.decorators import login_required
@@ -138,6 +139,7 @@ def item_metadata(request, course_id, item_id):
         return g.render('item_metadata.xhtml', course=item.course,
                         item=item)
 
+@login_required
 def item_edit(request, course_id, item_id):
     """Edit an item."""
     # For now, just pop to the Admin interface.
@@ -152,7 +154,7 @@ def _heading_detail(request, item):
     return g.render('item_heading_detail.xhtml', item=item)
 
 
-
+@login_required
 def item_add(request, course_id, item_id):
     # The item-id is the id for the parent-heading item. Zero represents
     # 'top-level', i.e. the new item should have no heading. For any other
@@ -164,6 +166,10 @@ def item_add(request, course_id, item_id):
         parent_item = get_object_or_404(models.Item, pk=item_id, course__id=course_id)
         assert parent_item.item_type == 'HEADING', 'Can only add items to headings!'
         course = parent_item.course
+
+    if not course.can_edit(user):
+        return HttpResponseForbidden('not an editor') # fixme, prettier msg?
+
     item_type = request.GET.get('item_type')
     assert item_type, 'No item_type parameter was provided.'
 
@@ -175,6 +181,7 @@ def item_add(request, course_id, item_id):
                         **locals())
     else:
         # fixme, this will need refactoring. But not yet.
+        author = request.user.get_full_name() or request.user.username
         if item_type == 'HEADING':
             title = request.POST.get('title', '').strip()
             if not title:
@@ -186,7 +193,7 @@ def item_add(request, course_id, item_id):
                     item_type='HEADING',
                     parent_heading=parent_item,
                     title=title,
-                    author=request.user.get_full_name() or request.user.username,
+                    author=author,
                     activation_date=datetime.now(),
                     last_modified=datetime.now())
                 item.save()
@@ -203,7 +210,7 @@ def item_add(request, course_id, item_id):
                     item_type='URL',
                     parent_heading=parent_item,
                     title=title,
-                    author=request.user.get_full_name() or request.user.username,
+                    author=author,
                     activation_date=datetime.now(),
                     last_modified=datetime.now(),
                     url = url)

diff --git a/conifer/templates/components/item.xhtml b/conifer/templates/components/item.xhtml
index e7e9068..5eed7af 100644 (file)
--- a/conifer/templates/components/item.xhtml
+++ b/conifer/templates/components/item.xhtml
@@ -10,7 +10,7 @@
       <span py:if="item.needs_meta_link()" class="metalink">
        [<a href="${item_url(item)}meta/">about</a>]
       </span>
-      <span class="editlinks">
+      <span class="editlinks" py:if="edit">
        [<a href="${item_url(item)}edit/">edit</a>]
       </span>
       ${show_tree(subs)}

diff --git a/conifer/templates/item_heading_detail.xhtml b/conifer/templates/item_heading_detail.xhtml
index d2312e4..38d0a61 100644 (file)
--- a/conifer/templates/item_heading_detail.xhtml
+++ b/conifer/templates/item_heading_detail.xhtml
@@ -2,6 +2,7 @@
 course = item.course
 title = item.title
 course_title = '%s: %s (%s)' % (course.code, course.title, course.term)
+is_editor = course.can_edit(request.user)
 item_tree = course.item_tree(subtree=item)
 ?>
 <html xmlns="http://www.w3.org/1999/xhtml"
@@ -21,7 +22,7 @@ item_tree = course.item_tree(subtree=item)
     <!-- <p py:if="not item_tree"> -->
     <!--   There are no items associated in this subheading. -->
     <!-- </p> -->
-    ${show_tree(item_tree)}
-    ${add_subs(item)}
+    ${show_tree(item_tree, edit=is_editor)}
+    <div py:if="is_editor">${add_subs(item)}</div>
   </body>
 </html>