From 663364e4fea5084c3deb7d3c5990a800a3a04c77 Mon Sep 17 00:00:00 2001
From: gfawcett <gfawcett@6d9bc8c9-1ec2-4278-b937-99fde70a366f>
Date: Sun, 8 Mar 2009 20:01:40 +0000
Subject: [PATCH] added "instructors_only" decorator to control access to
 sensitive URLs

git-svn-id: svn://svn.open-ils.org/ILS-Contrib/servres/trunk@150 6d9bc8c9-1ec2-4278-b937-99fde70a366f
---
 conifer/syrup/views.py | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

diff --git a/conifer/syrup/views.py b/conifer/syrup/views.py
index 90b5473..21a8c79 100644
--- a/conifer/syrup/views.py
+++ b/conifer/syrup/views.py
@@ -51,6 +51,25 @@ def auth_handler(request, path):
         return HttpResponse('auth_handler: ' + path)
 
 #------------------------------------------------------------
+# Authorization
+
+def instructors_only(handler):
+    def hdlr(request, course_id, *args, **kwargs):
+        allowed = request.user.is_superuser
+        if not allowed:
+            cursor = django.db.connection.cursor()
+            cursor.execute('select count(*) from syrup_member where user_id=%s and course_id=%s',                       
+                           [request.user.id, int(course_id)])
+            res = cursor.fetchall()
+            cursor.close()
+            allowed = res[0][0]
+        if allowed:
+            return handler(request, course_id, *args, **kwargs)
+        else:
+            return HttpResponseForbidden(_('Only instructors may edit courses.'))
+    return hdlr
+
+#------------------------------------------------------------
 
 def welcome(request):
     return g.render('welcome.xhtml')
@@ -163,11 +182,12 @@ if COURSE_CODE_LIST:
         choices = choices)
     NewCourseForm.base_fields['code'].empty_label = empty_label
     
+# todo, how do we decide who can create new course sites?
 @login_required
 def add_new_course(request):
     return add_or_edit_course(request)
 
-@login_required
+@instructors_only
 def edit_course(request, course_id):
     instance = get_object_or_404(models.Course, pk=course_id)
     return add_or_edit_course(request, instance=instance)
@@ -277,7 +297,7 @@ def edit_course_permissions(request, course_id):
                 raise NotImplementedError, 'No course sections yet! Coming soon.'
             return HttpResponseRedirect('.')
 
-@login_required                 # fixme, must be instructor...
+@instructors_only
 def delete_course(request, course_id):
     course = get_object_or_404(models.Course, pk=course_id)
     if request.POST.get('confirm_delete'):
@@ -371,8 +391,7 @@ def _heading_detail(request, item):
     return g.render('item_heading_detail.xhtml', item=item)
 
 
-# fixme, not just login required! Must be in right course.
-@login_required
+@instructors_only
 def item_add(request, course_id, item_id):
     # The parent_item_id is the id for the parent-heading item. Zero
     # represents 'top-level', i.e. the new item should have no
@@ -463,8 +482,7 @@ def item_add(request, course_id, item_id):
         else:
             return HttpResponseRedirect(course.course_url())
 
-# fixme, not just login required! Must be in right course.
-@login_required
+@instructors_only
 def item_edit(request, course_id, item_id):
     course = get_object_or_404(models.Course, pk=course_id)
     item = get_object_or_404(models.Item, pk=item_id, course__id=course_id)
-- 
2.11.0