1
by Martin Mahner
Initial structure and data |
from django.shortcuts import render_to_response, get_object_or_404 |
from django.views.decorators.http import require_POST |
from django.http import HttpResponseRedirect |
from django.db.models.loading import get_model |
from django.core.urlresolvers import reverse |
from django.utils.translation import ugettext, ugettext_lazy as _ |
from django.template.context import RequestContext |
20
by Martin Mahner
The views now require that the user is logged in. Before that, a non-authenticated user could add an attachment (if he guesses the url), which would raise an exception. |
from django.contrib.auth.decorators import login_required |
1
by Martin Mahner
Initial structure and data |
from attachments.models import Attachment |
from attachments.forms import AttachmentForm |
def add_url_for_obj(obj):
    """Return the URL of the ``add_attachment`` view for ``obj``.

    The URL is reversed from the object's app label, module name and
    primary key, which are the three keyword arguments that view takes.
    """
    meta = obj._meta
    url_kwargs = {
        'app_label': meta.app_label,
        'module_name': meta.module_name,
        'pk': obj.pk,
    }
    return reverse('add_attachment', kwargs=url_kwargs)
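@require_POST
@login_required
def add_attachment(request, app_label, module_name, pk,
                   template_name='attachments/add.html', extra_context=None):
    """Attach an uploaded file to the object identified by the URL.

    The decorators restrict the view to POST requests from logged-in users.
    The target object is resolved from ``app_label``, ``module_name`` and
    ``pk``. If the form validates, the attachment is saved and the user is
    redirected to ``next``; otherwise ``template_name`` is rendered with the
    bound form so its errors can be displayed.

    ``extra_context`` is an optional dict merged into the template context.
    """
    # ``next`` is read from the POST body and is therefore untrusted. Only a
    # site-local path is followed; anything else falls back to the homepage.
    # Scheme-relative ('//host') and backslash forms are rejected because
    # browsers can resolve them to a different host.
    next = request.POST.get('next', '/')
    if not next.startswith('/') or next.startswith('//') or '\\' in next:
        next = '/'

    model = get_model(app_label, module_name)
    if model is None:
        # Unknown app_label/module_name (e.g. a tampered URL): redirect
        # instead of raising.
        return HttpResponseRedirect(next)

    # NOTE(review): app_label, module_name and pk all come from the URL and
    # no per-model or per-object permission check is visible in this view,
    # so any logged-in user can target any object get_model() can resolve.
    # Confirm whether AttachmentForm.save() or the URLconf restricts this.
    obj = get_object_or_404(model, pk=pk)
    form = AttachmentForm(request.POST, request.FILES)

    if form.is_valid():
        form.save(request, obj)
        request.user.message_set.create(message=ugettext('Your attachment was uploaded.'))
        return HttpResponseRedirect(next)
    else:
        template_context = {
            'form': form,
            'form_url': add_url_for_obj(obj),
            'next': next,
        }
        # None replaces the former mutable ``{}`` default; callers that pass
        # a dict see no difference.
        template_context.update(extra_context or {})
        return render_to_response(template_name, template_context,
                                  RequestContext(request))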
20
by Martin Mahner
The views now require that the user is logged in. Before that, a non-authenticated user could add an attachment (if he guesses the url), which would raise an exception. |
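@login_required
def delete_attachment(request, attachment_pk):
    """Delete an attachment if the current user may, then redirect to ``next``.

    The attachment is deleted when the user holds the
    ``delete_foreign_attachments`` permission or is the attachment's creator.
    In every other case nothing is deleted and the user is redirected without
    a message.
    """
    # NOTE(review): this view is not limited to POST, and ``next`` is read
    # from request.REQUEST (GET and POST merged), so the delete can be
    # triggered by a plain link. Consider @require_POST once the templates
    # submit a form; confirm how callers invoke this URL first.
    g = get_object_or_404(Attachment, pk=attachment_pk)

    # NOTE(review): Django permission strings are normally
    # '<app_label>.<codename>'. A bare codename presumably never matches for
    # non-superusers under the default backend. Verify against the
    # permissions declared on Attachment.
    if request.user.has_perm('delete_foreign_attachments') \
            or request.user == g.creator:
        g.delete()
        request.user.message_set.create(message=ugettext('Your attachment was deleted.'))

    # ``next`` is request-supplied and therefore untrusted. Only a site-local
    # path is followed; anything else falls back to the homepage.
    # Scheme-relative ('//host') and backslash forms are rejected because
    # browsers can resolve them to a different host.
    next = request.REQUEST.get('next') or '/'
    if not next.startswith('/') or next.startswith('//') or '\\' in next:
        next = '/'
    return HttpResponseRedirect(next)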