Don't show edit/create page buttons and page git changes when user doesn't have required permissions

waliki/git/views.py

@@ -12,9 +12,10 @@
 from django.utils.encoding import smart_text
 from django.utils.six import StringIO, text_type
 from django.views.decorators.csrf import csrf_exempt
+from django.contrib.auth.models import AnonymousUser
 from waliki.models import Page
 from waliki.forms import PageForm
-from waliki.acl import permission_required
+from waliki.acl import permission_required, check_perms
 from waliki import settings
 from . import Git
 from django.contrib.syndication.views import Feed
@@ -97,6 +98,9 @@ def whatchanged(request, pag=1):
                 page = Page.objects.get(path=path)
             except Page.DoesNotExist:
                 continue
+            if not check_perms('view_page', request.user, page.slug):
+                # Don't show changes on pages that user can't see
+                continue
             changes.append({'page': page, 'author': version[0],
                             'version': version[2], 'message': version[3],
                             'date': datetime.fromtimestamp(int(version[4]))})
@@ -119,6 +123,9 @@ def items(self):
                     page = Page.objects.get(path=path)
                 except Page.DoesNotExist:
                     continue
+                if not check_perms('view_page', AnonymousUser(), page.slug):
+                    # Don't show changes on pages that anonymous user can't see
+                    continue
                 changes.append({'page': page, 'author': version[0],
                                 'version': version[2], 'message': version[3],
                                 'date': datetime.fromtimestamp(int(version[4])),

waliki/templates/waliki/detail.html

@@ -27,7 +27,10 @@
 
             {% block main_action %}
 
+            {% check_perms "edit_page" for request.user in slug as "can_edit" %}
+            {% if can_edit %}
             <a href="{% if page %}{% url 'waliki_edit' slug=page.slug|default:slug %}{% else %}#{% endif %}" class="btn btn-default {% if not page %}disabled{% endif %}">{% trans "Edit" %}</a>
+            {% endif %}
 
 
             {% endblock main_action %}
@@ -64,7 +67,10 @@
         {{ page.body|safe }}
     {% else %}
         <p>{% trans "This page doesn't exist yet." %}</p>
+        {% check_perms "edit_page" for request.user in slug as "can_edit" %}
+        {% if can_edit %}
         <p><form action="{% url 'waliki_edit' slug=page.slug|default:slug %}" method="post">{% csrf_token %}<button type="submit" class="btn btn-success">{% trans "Create it" %}</button></form></p>
+        {% endif %}
     {% endif %}
 
 

waliki/views.py

@@ -10,7 +10,7 @@
 from .forms import PageForm, MovePageForm, DeleteForm, NewPageForm
 from .signals import page_saved, page_preedit, page_moved
 from ._markups import get_all_markups
-from .acl import permission_required
+from .acl import permission_required, check_perms
 from . import settings
 
 
@@ -57,6 +57,8 @@ def detail(request, slug, raw=False):
         page = Page.objects.get(slug=slug)
     except Page.DoesNotExist:
         page = None
+        if not check_perms('add_page', request.user, slug):
+            raise Http404
     if raw and page:
         return HttpResponse(page.raw, content_type='text/plain; charset=utf-8')
     elif raw: