Basic permission logic

src/tixl/settings.py

@@ -52,7 +52,7 @@ MIDDLEWARE_CLASSES = (
     'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
-    'tixlcontrol.middleware.LoginRequiredMiddleware',
+    'tixlcontrol.middleware.PermissionMiddleware',
 )
 
 TEMPLATE_CONTEXT_PROCESSORS = (

src/tixlcontrol/context.py

@@ -3,7 +3,9 @@ from django.core.urlresolvers import resolve
 
 
 def contextprocessor(request):
-    return {
+    ctx = {
         'url_name': resolve(request.path_info).url_name,
         'settings': settings,
     }
+
+    return ctx

src/tixlcontrol/middleware.py

@@ -4,13 +4,18 @@ from django.utils.encoding import force_str
 from django.utils.six.moves.urllib.parse import urlparse
 from django.shortcuts import resolve_url
 from django.contrib.auth import REDIRECT_FIELD_NAME
+from django.http import HttpResponseNotFound
+
+from tixlbase.models import Event
 
 
-class LoginRequiredMiddleware:
+class PermissionMiddleware:
 
     """
     This middleware enforces all requests to the control app
     to require login.
+    Additionally, it enforces all requests to "control:event." URLs
+    to be for an event the user has basic access to.
     """
 
     EXCEPTIONS = (
@@ -18,10 +23,12 @@ class LoginRequiredMiddleware:
     )
 
     def process_request(self, request):
+        url = resolve(request.path_info)
+        url_namespace = url.namespace
+        url_name = url.url_name
+        if url_namespace != 'control' or url_name in self.EXCEPTIONS:
+            return
         if not request.user.is_authenticated():
-            url_namespace = resolve(request.path_info).namespace
-            url_name = resolve(request.path_info).url_name
-            if url_namespace == 'control' and url_name not in self.EXCEPTIONS:
             # Taken from django/contrib/auth/decorators.py
             path = request.build_absolute_uri()
             # urlparse chokes on lazy objects in Python 3, force to str
@@ -37,3 +44,13 @@ class LoginRequiredMiddleware:
             from django.contrib.auth.views import redirect_to_login
             return redirect_to_login(
                 path, resolved_login_url, REDIRECT_FIELD_NAME)
+
+        if 'event.' in url_name and 'event' in url.kwargs:
+            try:
+                request.event = Event.objects.get(
+                    slug=url.kwargs['event'],
+                    permitted__id__exact=request.user.id
+                )
+            except:
+                return HttpResponseNotFound(_("The selected event was not found or you have no permission to administrate it."))
+

src/tixlcontrol/templates/tixlcontrol/events/index.html

@@ -16,7 +16,7 @@
 		<tbody>
 			{% for e in events %}
 			<tr>
-				<td><strong><a href="">{{ e.name }}</a></strong></td>
+				<td><strong><a href="{% url "control:event.index" event=e.slug %}">{{ e.name }}</a></strong></td>
 				<td>{{ e.organizer }}</td>
 				<td>{{ e.get_date_from_display }}</td>
 				<td>{{ e.get_date_to_display }}</td>

src/tixlcontrol/urls.py

@@ -3,6 +3,7 @@ from tixlcontrol.views import main
 
 urlpatterns = patterns('',
     url(r'^$', 'tixlcontrol.views.main.index', name='index'),
+    url(r'^event/(?P<event>\w+)/$', 'tixlcontrol.views.event.index', name='event.index'),
     url(r'^events/$', main.EventList.as_view(), name='events'),
     url(r'^logout$', 'tixlcontrol.views.auth.logout', name='auth.logout'),
     url(r'^login$', 'tixlcontrol.views.auth.login', name='auth.login'),

src/tixlcontrol/views/event.py

@@ -0,0 +1,5 @@
+from django.shortcuts import render
+
+
+def index(request, event):
+    pass