Commit 7f307ea1 authored by Daniel W Bond's avatar Daniel W Bond

changed method of forbidden returns

parent 4a347c18
# core django imports # core django imports
from core.models import Student
from django.http import HttpResponseForbidden
from django.contrib import messages from django.contrib import messages
from django.http import HttpResponse, HttpResponseRedirect from django.http import HttpResponse, HttpResponseForbidden, HttpResponseRedirect
from django.db import IntegrityError from django.db import IntegrityError
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from django.utils.safestring import mark_safe from django.utils.safestring import mark_safe
...@@ -13,6 +11,7 @@ from ratelimit.decorators import ratelimit ...@@ -13,6 +11,7 @@ from ratelimit.decorators import ratelimit
# imports from your apps # imports from your apps
from .forms import LookoutForm from .forms import LookoutForm
from .models import Lookout from .models import Lookout
from core.models import Student
class CreateLookout(LoginRequiredMixin, CreateView): class CreateLookout(LoginRequiredMixin, CreateView):
...@@ -55,16 +54,14 @@ class DetailLookout(LoginRequiredMixin, DetailView): ...@@ -55,16 +54,14 @@ class DetailLookout(LoginRequiredMixin, DetailView):
template_name = 'detail_lookout.html' template_name = 'detail_lookout.html'
login_url = 'login' login_url = 'login'
def get_context_data(self, **kwargs): def get(self, request, *args, **kwargs):
context = super(DetailLookout, self).get_context_data(**kwargs)
me = Student.objects.get(user=self.request.user) me = Student.objects.get(user=self.request.user)
lookout_student = self.get_object().owner lookout_student = self.get_object().owner
if not(lookout_student == me): if not(lookout_student == me):
return HttpResponseForbidden() return HttpResponseForbidden()
return context return super(DetailLookout, self).get(request, *args, **kwargs)
# updating is not neccessary since it's just literally an isbn and a course # updating is not neccessary since it's just literally an isbn and a course
...@@ -76,13 +73,11 @@ class DeleteLookout(LoginRequiredMixin, DeleteView): ...@@ -76,13 +73,11 @@ class DeleteLookout(LoginRequiredMixin, DeleteView):
success_url = '/' success_url = '/'
login_url = 'login' login_url = 'login'
def get_context_data(self, **kwargs): def get(self, request, *args, **kwargs):
context = super(DeleteLookout, self).get_context_data(**kwargs)
me = Student.objects.get(user=self.request.user) me = Student.objects.get(user=self.request.user)
lookout_student = self.get_object().owner lookout_student = self.get_object().owner
if not(lookout_student == me): if not(lookout_student == me):
return HttpResponseForbidden() return HttpResponseForbidden()
return context return super(DeleteLookout, self).get(request, *args, **kwargs)
...@@ -224,21 +224,27 @@ class CreateFlag(LoginRequiredMixin, CreateView): ...@@ -224,21 +224,27 @@ class CreateFlag(LoginRequiredMixin, CreateView):
context_object_name = 'flag' context_object_name = 'flag'
login_url = 'login' login_url = 'login'
def form_valid(self, form): def get(self, request, *args, **kwargs):
me = Student.objects.get(user=self.request.user) me = Student.objects.get(user=self.request.user)
# duplicated code!!!
current_url = self.request.get_full_path() current_url = self.request.get_full_path()
listing_slug = current_url.split('/')[3] listing_slug = current_url.split('/')[3]
# [u'', u'share', u'listing', u'C1s3oD', u'flag'] # [u'', u'share', u'listing', u'C1s3oD', u'flag']
selected_listing = Listing.objects.get(slug=listing_slug) selected_listing = Listing.objects.get(slug=listing_slug)
form.instance.flagger = me posting_student = selected_listing.poster
form.instance.listing = selected_listing
return super(CreateFlag, self).form_valid(form)
def get_success_url(self): # can only create a flag if you haven't previously created one
return reverse('detail_listing', if not can_flag(me, selected_listing):
kwargs={'slug': self.object.listing.slug}) # because the page shouldn't exist in this scenario
raise Http404
# you can't flag your own listing
if (posting_student == me):
return HttpResponseForbidden()
else:
return super(CreateFlag, self).get(request, *args, **kwargs)
def get_context_data(self, **kwargs): def get_context_data(self, **kwargs):
context = super(CreateFlag, self).get_context_data(**kwargs) context = super(CreateFlag, self).get_context_data(**kwargs)
...@@ -250,28 +256,33 @@ class CreateFlag(LoginRequiredMixin, CreateView): ...@@ -250,28 +256,33 @@ class CreateFlag(LoginRequiredMixin, CreateView):
# [u'', u'share', u'listing', u'C1s3oD', u'flag'] # [u'', u'share', u'listing', u'C1s3oD', u'flag']
selected_listing = Listing.objects.get(slug=listing_slug) selected_listing = Listing.objects.get(slug=listing_slug)
posting_student = selected_listing.poster
# you can't flag your own listing
if (posting_student == me):
return HttpResponseForbidden()
# can only create a flag if you haven't previously created one
if not can_flag(me, selected_listing):
# because the page shouldn't exist in this scenario
raise Http404
context['listing'] = selected_listing context['listing'] = selected_listing
form = FlagForm() form = FlagForm()
context['my_form'] = form context['my_form'] = form
return context return context
def form_valid(self, form):
me = Student.objects.get(user=self.request.user)
current_url = self.request.get_full_path()
listing_slug = current_url.split('/')[3]
# [u'', u'share', u'listing', u'C1s3oD', u'flag']
selected_listing = Listing.objects.get(slug=listing_slug)
form.instance.flagger = me
form.instance.listing = selected_listing
return super(CreateFlag, self).form_valid(form)
@ratelimit(key='user', rate='5/m', method='POST', block=True) @ratelimit(key='user', rate='5/m', method='POST', block=True)
@ratelimit(key='user', rate='100/d', method='POST', block=True) @ratelimit(key='user', rate='100/d', method='POST', block=True)
def post(self, request, *args, **kwargs): def post(self, request, *args, **kwargs):
return super(CreateFlag, self).post(request, *args, **kwargs) return super(CreateFlag, self).post(request, *args, **kwargs)
def get_success_url(self):
return reverse('detail_listing',
kwargs={'slug': self.object.listing.slug})
class DeleteFlag(LoginRequiredMixin, DeleteView): class DeleteFlag(LoginRequiredMixin, DeleteView):
model = Flag model = Flag
...@@ -279,21 +290,19 @@ class DeleteFlag(LoginRequiredMixin, DeleteView): ...@@ -279,21 +290,19 @@ class DeleteFlag(LoginRequiredMixin, DeleteView):
template_name = 'delete_flag.html' template_name = 'delete_flag.html'
login_url = 'login' login_url = 'login'
def get_success_url(self): def get(self, request, *args, **kwargs):
return reverse('detail_listing',
kwargs={'slug': self.object.listing.slug})
def get_context_data(self, **kwargs):
context = super(DeleteFlag, self).get_context_data(**kwargs)
me = Student.objects.get(user=self.request.user) me = Student.objects.get(user=self.request.user)
flag_student = self.get_object().flagger flag_student = self.get_object().flagger
# if you didn't create the flag, you can't delete the flag # if you didn't create the flag, you can't delete the flag
if not(me == flag_student): if not(flag_student == me):
return HttpResponseForbidden() return HttpResponseForbidden()
else:
return super(DeleteFlag, self).get(request, *args, **kwargs)
return context def get_success_url(self):
return reverse('detail_listing',
kwargs={'slug': self.object.listing.slug})
# not implemented -- tbd # not implemented -- tbd
...@@ -309,31 +318,28 @@ class EditBid(LoginRequiredMixin, FormValidMessageMixin, UpdateView): ...@@ -309,31 +318,28 @@ class EditBid(LoginRequiredMixin, FormValidMessageMixin, UpdateView):
template_name = 'bid_edit.html' template_name = 'bid_edit.html'
context_object_name = 'bid' context_object_name = 'bid'
# form_class = EditBidForm # form_class = EditBidForm
login_url = 'login'
form_valid_message = "Your bid was successfully updated!"
fields = ['price', 'text', ] fields = ['price', 'text', ]
def get_success_url(self): login_url = 'login'
return reverse('detail_listing',
kwargs={'slug': self.object.listing.slug})
def get_context_data(self, **kwargs): form_valid_message = "Your bid was successfully updated!"
context = super(EditBid, self).get_context_data(**kwargs)
def get(self, request, *args, **kwargs):
me = Student.objects.get(user=self.request.user) me = Student.objects.get(user=self.request.user)
bidding_student = self.get_object().bidder bidding_student = self.get_object().bidder
if not(bidding_student == me):
return HttpResponseForbidden()
# if exchanged or cancelled, this page doesn't exist # if exchanged or cancelled, this page doesn't exist
if self.get_object().listing.exchanged or self.get_object().listing.cancelled: if self.get_object().listing.exchanged or self.get_object().listing.cancelled:
raise Http404 raise Http404
return context if not(bidding_student == me):
return HttpResponseForbidden()
else:
return super(EditBid, self).get(request, *args, **kwargs)
def get_success_url(self):
return reverse('detail_listing',
kwargs={'slug': self.object.listing.slug})
class EditListing(LoginRequiredMixin, FormValidMessageMixin, UpdateView): class EditListing(LoginRequiredMixin, FormValidMessageMixin, UpdateView):
...@@ -341,12 +347,24 @@ class EditListing(LoginRequiredMixin, FormValidMessageMixin, UpdateView): ...@@ -341,12 +347,24 @@ class EditListing(LoginRequiredMixin, FormValidMessageMixin, UpdateView):
template_name = 'listing_edit.html' template_name = 'listing_edit.html'
context_object_name = 'listing' context_object_name = 'listing'
# form_class = EditListingForm # form_class = EditListingForm
fields = ['title', 'author', 'isbn', 'year', 'edition', 'condition',
'access_code', 'description', 'price', 'photo', ]
login_url = 'login' login_url = 'login'
form_valid_message = "Your listing was successfully updated!" form_valid_message = "Your listing was successfully updated!"
fields = ['title', 'author', 'isbn', 'year', 'edition', 'condition', def get(self, request, *args, **kwargs):
'access_code', 'description', 'price', 'photo', ] me = Student.objects.get(user=self.request.user)
posting_student = self.get_object().poster
if (self.get_object().cancelled is True):
raise Http404
if not(posting_student == me):
return HttpResponseForbidden()
else:
return super(EditListing, self).get(request, *args, **kwargs)
def get_context_data(self, **kwargs): def get_context_data(self, **kwargs):
context = super(EditListing, self).get_context_data(**kwargs) context = super(EditListing, self).get_context_data(**kwargs)
...@@ -369,6 +387,33 @@ class ExchangeListing(LoginRequiredMixin, FormValidMessageMixin, UpdateView): ...@@ -369,6 +387,33 @@ class ExchangeListing(LoginRequiredMixin, FormValidMessageMixin, UpdateView):
form_valid_message = "Your email was successfully sent!" form_valid_message = "Your email was successfully sent!"
def get(self, request, *args, **kwargs):
me = Student.objects.get(user=self.request.user)
posting_student = self.get_object().poster
bid_count = Bid.objects.filter(listing=self.get_object).count()
if bid_count < 1:
# because the page shouldn't exist in this scenario
raise Http404
if (self.get_object().cancelled is True):
raise Http404
if not(posting_student == me):
return HttpResponseForbidden()
else:
return super(ExchangeListing, self).get(request, *args, **kwargs)
def get_context_data(self, **kwargs):
context = super(ExchangeListing, self).get_context_data(**kwargs)
form = ExchangeListingForm()
form.fields['winning_bid'].queryset = Bid.objects.filter(listing=self.get_object())
context['my_form'] = form
return context
def form_valid(self, form): def form_valid(self, form):
# filling out fields # filling out fields
today = date.today() today = date.today()
...@@ -408,27 +453,6 @@ class ExchangeListing(LoginRequiredMixin, FormValidMessageMixin, UpdateView): ...@@ -408,27 +453,6 @@ class ExchangeListing(LoginRequiredMixin, FormValidMessageMixin, UpdateView):
return super(ExchangeListing, self).form_valid(form) return super(ExchangeListing, self).form_valid(form)
def get_context_data(self, **kwargs):
context = super(ExchangeListing, self).get_context_data(**kwargs)
me = Student.objects.get(user=self.request.user)
posting_student = self.get_object().poster
if not(posting_student == me):
return HttpResponseForbidden()
bid_count = Bid.objects.filter(listing=self.get_object).count()
if bid_count < 1:
# because the page shouldn't exist in this scenario
raise Http404
form = ExchangeListingForm()
form.fields['winning_bid'].queryset = Bid.objects.filter(listing=self.get_object())
context['my_form'] = form
return context
@ratelimit(key='user', rate='5/m', method='POST', block=True) @ratelimit(key='user', rate='5/m', method='POST', block=True)
@ratelimit(key='user', rate='50/d', method='POST', block=True) @ratelimit(key='user', rate='50/d', method='POST', block=True)
def post(self, request, *args, **kwargs): def post(self, request, *args, **kwargs):
...@@ -445,6 +469,26 @@ class UnExchangeListing(LoginRequiredMixin, FormValidMessageMixin, UpdateView): ...@@ -445,6 +469,26 @@ class UnExchangeListing(LoginRequiredMixin, FormValidMessageMixin, UpdateView):
form_valid_message = """Your exchange has been successfully cancelled, form_valid_message = """Your exchange has been successfully cancelled,
and your email successfully sent!""" and your email successfully sent!"""
def get(self, request, *args, **kwargs):
me = Student.objects.get(user=self.request.user)
posting_student = self.get_object().poster
if (self.get_object().cancelled is True):
raise Http404
if not(posting_student == me):
return HttpResponseForbidden()
else:
return super(UnExchangeListing, self).get(request, *args, **kwargs)
def get_context_data(self, **kwargs):
context = super(UnExchangeListing, self).get_context_data(**kwargs)
form = UnExchangeListingForm()
context['my_form'] = form
return context
def form_valid(self, form): def form_valid(self, form):
self.obj = self.get_object() self.obj = self.get_object()
text_email = get_template('email/unexchanged.txt') text_email = get_template('email/unexchanged.txt')
...@@ -482,20 +526,6 @@ class UnExchangeListing(LoginRequiredMixin, FormValidMessageMixin, UpdateView): ...@@ -482,20 +526,6 @@ class UnExchangeListing(LoginRequiredMixin, FormValidMessageMixin, UpdateView):
return super(UnExchangeListing, self).form_valid(form) return super(UnExchangeListing, self).form_valid(form)
def get_context_data(self, **kwargs):
context = super(UnExchangeListing, self).get_context_data(**kwargs)
me = Student.objects.get(user=self.request.user)
posting_student = self.get_object().poster
if not(posting_student == me):
return HttpResponseForbidden()
form = UnExchangeListingForm()
context['my_form'] = form
return context
@ratelimit(key='user', rate='5/m', method='POST', block=True) @ratelimit(key='user', rate='5/m', method='POST', block=True)
@ratelimit(key='user', rate='50/d', method='POST', block=True) @ratelimit(key='user', rate='50/d', method='POST', block=True)
def post(self, request, *args, **kwargs): def post(self, request, *args, **kwargs):
...@@ -512,23 +542,25 @@ class CancelListing(LoginRequiredMixin, FormValidMessageMixin, UpdateView): ...@@ -512,23 +542,25 @@ class CancelListing(LoginRequiredMixin, FormValidMessageMixin, UpdateView):
form_valid_message = "Your listing was successfully cancelled!" form_valid_message = "Your listing was successfully cancelled!"
def form_valid(self, form): def get(self, request, *args, **kwargs):
today = date.today()
form.instance.cancelled = True
form.instance.date_closed = today
return super(CancelListing, self).form_valid(form)
def get_context_data(self, **kwargs):
context = super(CancelListing, self).get_context_data(**kwargs)
me = Student.objects.get(user=self.request.user) me = Student.objects.get(user=self.request.user)
posting_student = self.get_object().poster posting_student = self.get_object().poster
# you can only cancel the listing if the listing isn't already cancelled
if (self.get_object().cancelled is True):
raise Http404
if not(posting_student == me): if not(posting_student == me):
return HttpResponseForbidden() return HttpResponseForbidden()
else:
return super(CancelListing, self).get(request, *args, **kwargs)
return context def form_valid(self, form):
today = date.today()
form.instance.cancelled = True
form.instance.date_closed = today
return super(CancelListing, self).form_valid(form)
class ReopenListing(LoginRequiredMixin, FormValidMessageMixin, UpdateView): class ReopenListing(LoginRequiredMixin, FormValidMessageMixin, UpdateView):
...@@ -541,21 +573,23 @@ class ReopenListing(LoginRequiredMixin, FormValidMessageMixin, UpdateView): ...@@ -541,21 +573,23 @@ class ReopenListing(LoginRequiredMixin, FormValidMessageMixin, UpdateView):
form_valid_message = "Your listing was successfully reopened!" form_valid_message = "Your listing was successfully reopened!"
def form_valid(self, form): def get(self, request, *args, **kwargs):
form.instance.cancelled = False
form.instance.date_closed = None
return super(ReopenListing, self).form_valid(form)
def get_context_data(self, **kwargs):
context = super(ReopenListing, self).get_context_data(**kwargs)
me = Student.objects.get(user=self.request.user) me = Student.objects.get(user=self.request.user)
posting_student = self.get_object().poster posting_student = self.get_object().poster
# you can only reopen the listing if the listing is cancelled
if (self.get_object().cancelled is False):
raise Http404
if not(posting_student == me): if not(posting_student == me):
return HttpResponseForbidden() return HttpResponseForbidden()
else:
return super(ReopenListing, self).get(request, *args, **kwargs)
return context def form_valid(self, form):
form.instance.cancelled = False
form.instance.date_closed = None
return super(ReopenListing, self).form_valid(form)
class CreateRating(LoginRequiredMixin, CreateView): class CreateRating(LoginRequiredMixin, CreateView):
...@@ -565,21 +599,27 @@ class CreateRating(LoginRequiredMixin, CreateView): ...@@ -565,21 +599,27 @@ class CreateRating(LoginRequiredMixin, CreateView):
context_object_name = 'rating' context_object_name = 'rating'
login_url = 'login' login_url = 'login'
def form_valid(self, form): def get(self, request, *args, **kwargs):
me = Student.objects.get(user=self.request.user) me = Student.objects.get(user=self.request.user)
# duplicated code!!!
current_url = self.request.get_full_path() current_url = self.request.get_full_path()
listing_slug = current_url.split('/')[3] listing_slug = current_url.split('/')[3]
# [u'', u'share', u'listing', u'C1s3oD', u'flag'] # [u'', u'share', u'listing', u'C1s3oD', u'flag']
selected_listing = Listing.objects.get(slug=listing_slug) selected_listing = Listing.objects.get(slug=listing_slug)
form.instance.rater = me winning_student = selected_listing.winning_bid.bidder
form.instance.listing = selected_listing
return super(CreateRating, self).form_valid(form)
def get_success_url(self): # can only create a rating if you haven't previously created one
return reverse('ratings', if not can_rate(me, selected_listing):
kwargs={'slug': self.object.listing.poster.slug}) # because the page shouldn't exist in this scenario
raise Http404
# you can only rate a listing that you won
if not (winning_student == me):
return HttpResponseForbidden()
else:
return super(CreateRating, self).get(request, *args, **kwargs)
def get_context_data(self, **kwargs): def get_context_data(self, **kwargs):
context = super(CreateRating, self).get_context_data(**kwargs) context = super(CreateRating, self).get_context_data(**kwargs)
...@@ -593,26 +633,33 @@ class CreateRating(LoginRequiredMixin, CreateView): ...@@ -593,26 +633,33 @@ class CreateRating(LoginRequiredMixin, CreateView):
winning_student = selected_listing.winning_bid.bidder winning_student = selected_listing.winning_bid.bidder
# you can only rate a listing that you won
if not (winning_student == me):
return HttpResponseForbidden()
# can only create a rating if you haven't previously created one
if not can_rate(me, selected_listing):
# because the page shouldn't exist in this scenario
raise Http404
context['listing'] = selected_listing context['listing'] = selected_listing
form = RatingForm() form = RatingForm()
context['my_form'] = form context['my_form'] = form
return context return context
def form_valid(self, form):
me = Student.objects.get(user=self.request.user)
current_url = self.request.get_full_path()
listing_slug = current_url.split('/')[3]
# [u'', u'share', u'listing', u'C1s3oD', u'flag']
selected_listing = Listing.objects.get(slug=listing_slug)
form.instance.rater = me
form.instance.listing = selected_listing
return super(CreateRating, self).form_valid(form)
# no per-day limit because you can only rate listings you've exchanged # no per-day limit because you can only rate listings you've exchanged
@ratelimit(key='user', rate='5/m', method='POST', block=True) @ratelimit(key='user', rate='5/m', method='POST', block=True)
def post(self, request, *args, **kwargs): def post(self, request, *args, **kwargs):
return super(CreateRating, self).post(request, *args, **kwargs) return super(CreateRating, self).post(request, *args, **kwargs)
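Review bot: The ownership guards moved into get() in the DeleteLookout, EditBid, EditListing, ExchangeListing, UnExchangeListing, CancelListing, ReopenListing, CreateFlag and CreateRating hunks run only on GET; the post() overrides in the CreateFlag, ExchangeListing, UnExchangeListing and CreateRating hunks defer straight to super(), and a DeleteView/UpdateView/CreateView handles POST through delete()/form_valid() without calling get(), so a direct POST to the URL of another student's object appears to skip the HttpResponseForbidden and Http404 checks the page enforces on GET (the old get_context_data placement had the same gap on the form_valid path, so this is pre-existing rather than introduced, but the move makes it explicit). The smallest fix is to put each check in a helper that both get() and post() call before deferring to super(), so the guard is enforced regardless of method. A separate slip carried over in the ExchangeListing hunk: `bid_count = Bid.objects.filter(listing=self.get_object).count()` passes the bound method instead of calling it and should read `Bid.objects.filter(listing=self.get_object()).count()`. The fence shows the POST side of the guard for CreateRating as one example; the same shape applies to the other views named above.
```python
    # no per-day limit because you can only rate listings you've exchanged
    @ratelimit(key='user', rate='5/m', method='POST', block=True)
    def post(self, request, *args, **kwargs):
        me = Student.objects.get(user=self.request.user)
        listing_slug = self.request.get_full_path().split('/')[3]
        selected_listing = Listing.objects.get(slug=listing_slug)
        # same preconditions as get(): the page doesn't exist once rated,
        # and only the winning bidder may rate
        if not can_rate(me, selected_listing):
            raise Http404
        if not (selected_listing.winning_bid.bidder == me):
            return HttpResponseForbidden()
        return super(CreateRating, self).post(request, *args, **kwargs)
```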