Reworked the worst of the conflicting permissions policies

 - Legacy-Id: 7458

Author: rjsparks

ietf/meeting/ajax.py

@@ -4,6 +4,7 @@
 from django.core.urlresolvers import reverse
 from django.shortcuts import get_object_or_404, redirect
 from django.http import HttpResponseRedirect, HttpResponse
+from django.views.decorators.http import require_POST
 
 from dajaxice.decorators import dajaxice_register
 from ietf.ietfauth.utils import role_required, has_role, user_is_person
@@ -316,47 +317,34 @@ def agenda_add(request, meeting):
     else:
         return redirect(edit_agenda, meeting.number, newagenda.name)
 
-@role_required('Area Director','Secretariat')
+@require_POST
 def agenda_update(request, meeting, schedule):
     # forms are completely useless for update actions that want to
     # accept a subset of values. (huh? we could use required=False)
 
-    #debug.log("99 meeting.agenda: %s / %s / %s" %
-    #          (schedule, update_dict, request.body))
-
     user = request.user
 
+    if not user.is_authenticated():
+        return HttpResponse({'error':'no permission'}, status=403)
+
     cansee,canedit = agenda_permissions(meeting, schedule, request.user)
     read_only = not canedit
 
-    if has_role(user, "Secretariat"):
-        if "public" in request.POST:
-            value1 = True
-            value = request.POST["public"]
-            if value == "0" or value == 0 or value=="false":
-                value1 = False
-            #debug.log("setting public for %s to %s" % (schedule, value1))
-            schedule.public = value1
-
-    if "visible" in request.POST and cansee:
-        value1 = True
-        value = request.POST["visible"]
-        if value == "0" or value == 0 or value=="false":
-            value1 = False
-        #debug.log("setting visible for %s to %s" % (schedule, value1))
-        schedule.visible = value1
-    if has_role(user, "Secretariat") and canedit:
-        if "name" in request.POST:
-            value = request.POST["name"]
-            #log.debug("setting name for %s to %s" % (schedule, value))
-            schedule.name = value
-    else:
-        return HttpResponse({'error':'no permission'}, status=401)
+    def is_truthy_enough(value):
+        return not (value == "0" or value == 0 or value=="false")
+
+    # TODO: Secretariat should always get canedit
+    if not (canedit or has_role(user, "Secretariat")):
+        return HttpResponse({'error':'no permission'}, status=403)
+    
+    if "public" in request.POST:
+        schedule.public = is_truthy_enough(request.POST["public"])
+
+    if "visible" in request.POST:
+        schedule.visible = is_truthy_enough(request.POST["visible"])
 
     if "name" in request.POST:
-        value = request.POST["name"]
-        #debug.log("setting name for %s to %s" % (schedule, value))
-        schedule.name = value
+        schedule.name = request.POST["name"]
 
     schedule.save()
 

ietf/meeting/tests_api.py

@@ -294,16 +294,13 @@ def test_update_schedule(self):
             'name': 'new-test-name',
         }
 
-        # unauthorized post
-        self.client.login(remote_user="plain")
+        # unauthorized posts
+        self.client.logout()
+        r = self.client.post(url, post_data)
+        self.assertEqual(r.status_code, 403)
+        self.client.login(remote_user="ad")
         r = self.client.post(url, post_data)
         self.assertEqual(r.status_code, 403)
-
-        # TODO - permission protection on this function are not right
-        # Normal users are prevented from changing public/private on their own schedule
-        # The secretariat can't change normal user's agendas settings for them, and the
-        # page at /meeting/<num>/schedule/<name>/details behaves badly for the secretariat
-        # (pushing save seems to do nothing as the POST 401s in the background)
 
         # change agenda
         self.client.login(remote_user="secretary")

ietf/meeting/views.py

@@ -12,7 +12,7 @@
 
 from django import forms
 from django.shortcuts import render_to_response, get_object_or_404, redirect
-from django.http import HttpResponse, Http404
+from django.http import HttpResponse, HttpResponseForbidden, Http404
 from django.core.urlresolvers import reverse
 from django.db.models import Q
 from django.template import RequestContext
@@ -322,11 +322,16 @@ def edit_agenda_properties(request, num=None, name=None):
     schedule = get_schedule(meeting, name)
     form     = AgendaPropertiesForm(instance=schedule)
 
-    return HttpResponse(render_to_string("meeting/properties_edit.html",
-                                         {"schedule":schedule,
-                                          "form":form,
-                                          "meeting":meeting},
-                                         RequestContext(request)), content_type="text/html")
+    cansee, canedit = agenda_permissions(meeting, schedule, request.user)
+
+    if not (canedit or has_role(request.user,'Secretariat')):
+        return HttpResponseForbidden("You may not edit this agenda")
+    else:
+        return HttpResponse(render_to_string("meeting/properties_edit.html",
+                                             {"schedule":schedule,
+                                              "form":form,
+                                              "meeting":meeting},
+                                             RequestContext(request)), content_type="text/html")
 
 ##############################################################################
 # show list of agendas.

ietf/secr/meetings/views.py

@@ -278,7 +278,8 @@ def add(request):
                                                owner   = Person.objects.get(name='(System)'),
                                                visible = True,
                                                public  = True)
-            meeting.set_official_agenda(schedule)
+            meeting.agenda = schedule
+            meeting.save()
 
             #Create Physical new meeting directory and subdirectories
             make_directories(meeting)