~azzar1/unity/add-show-desktop-key


Viewing changes to ivle/webapp/admin/publishing.py

  • Committer: William Grant
  • Date: 2009-12-02 02:20:57 UTC
  • mto: This revision was merged to the branch mainline in revision 1353.
  • Revision ID: grantw@unimelb.edu.au-20091202022057-m3w3rzrzp47y89to
Refuse to traverse through an object to which the user has no permissions. This stops information leakage in breadcrumbs.

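--- a/ivle/webapp/admin/publishing.py
+++ b/ivle/webapp/admin/publishing.py
@@ -17,8 +17,7 @@
 
 from storm.locals import Store
 
-from ivle.database import (
-    Enrolment, Offering, ProjectSet, Project, Semester, Subject, User)
+from ivle.database import Offering, ProjectSet, Project, Subject, User
 
 from ivle.webapp import ApplicationRoot
 from ivle.webapp.publisher import ROOT
@@ -34,10 +33,6 @@
 def root_to_subject(root, name):
     return root.store.find(Subject, short_name=name).one()
 
-@forward_route(ApplicationRoot, '+semesters', argc=2)
-def root_to_semester(root, year, semester):
-    return root.store.find(Semester, year=year, semester=semester).one()
-
 @forward_route(Subject, argc=2)
 def subject_to_offering(subject, year, semester):
     return subject.offering_for_semester(year, semester)
@@ -45,27 +40,14 @@
 @forward_route(Offering, '+projects', argc=1)
 def offering_to_project(offering, name):
     return Store.of(offering).find(Project,
-                                   Project.short_name == name,
                                    Project.project_set_id == ProjectSet.id,
                                    ProjectSet.offering == offering).one()
 
 @forward_route(Offering, '+projectsets', argc=1)
 def offering_to_projectset(offering, name):
-    try:
-        ps_id = int(name)
-    except ValueError:
-        return None
     return Store.of(offering).find(ProjectSet,
-                                   ProjectSet.id == ps_id,
                                    ProjectSet.offering == offering).one()
 
-@forward_route(Offering, '+enrolments', argc=1)
-def offering_to_enrolment(offering, login):
-    return Store.of(offering).find(Enrolment,
-                                   Enrolment.offering == offering,
-                                   Enrolment.user_id == User.id,
-                                   User.login == login).one()
-
 @reverse_route(User)
 def user_url(user):
     return (ROOT, '~' + user.login)
@@ -74,10 +56,6 @@
 def subject_url(subject):
     return (ROOT, ('subjects', subject.short_name))
 
-@reverse_route(Semester)
-def semester_url(semester):
-    return (ROOT, ('+semesters', semester.year, semester.semester))
-
 @reverse_route(Offering)
 def offering_url(offering):
     return (offering.subject, (offering.semester.year,
@@ -85,12 +63,8 @@
 
 @reverse_route(ProjectSet)
 def projectset_url(project_set):
-    return (project_set.offering, ('+projectsets', str(project_set.id)))
+    return (project_set.offering, ('+projectsets', project_set.name))
 
 @reverse_route(Project)
 def project_url(project):
-    return (project.project_set.offering, ('+projects', project.short_name))
-
-@reverse_route(Enrolment)
-def enrolment_url(enrolment):
-    return (enrolment.offering, ('+enrolments', enrolment.user.login))
+    return (project.project_set.offering, ('+projects', project.name))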
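Review bot: On the new side `offering_to_project` never uses its `name` argument: without the `Project.short_name == name,` condition the `find()` matches every project in the offering, so any path segment under `+projects` resolves to the same object when there is exactly one, and Storm's `.one()` raises as soon as there are several. `offering_to_projectset` has the same problem once `ProjectSet.id == ps_id,` is gone. The commit message describes refusing traversal through objects the user has no permission on, so the object a route returns needs to be the one the URL actually names; the lookup should keep a condition bound to the segment, e.g. `Project.short_name == name,`. The reverse routes should also emit the key the forward route matches on, `project.short_name` rather than `project.name` in `project_url`, which, if `name` is a free-text display field (not visible here), also keeps arbitrary text out of URL segments.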