acces securise aux fichiers

diff --git a/project/dae/urls.py b/project/dae/urls.py
index f479475..440c66e 100644 (file)
--- a/project/dae/urls.py
+++ b/project/dae/urls.py
@@ -1,8 +1,10 @@
 # -*- encoding: utf-8 -*
 from django.conf.urls.defaults import patterns, url, include
+from django.conf import settings
 
 urlpatterns = patterns(
     'project.dae.views',
+    (r'^prive/(?P<path>.*)$', 'mediaserve', {'document_root': settings.PRIVE_MEDIA_ROOT}),
     url(r'^$', 'index', name='dae_index'),
 
     # poste

diff --git a/project/dae/views.py b/project/dae/views.py
index b8dae9e..11a6e10 100644 (file)
--- a/project/dae/views.py
+++ b/project/dae/views.py
@@ -11,6 +11,7 @@ import warnings
 from django.core.urlresolvers import reverse
 from django.http import Http404, HttpResponse, HttpResponseGone
 from django.shortcuts import redirect, render_to_response, get_object_or_404
+from django.views.static import serve
 from django.template import Context, RequestContext
 from django.template.loader import get_template
 from django.contrib import messages
@@ -30,6 +31,7 @@ from decorators import dae_groupe_requis, \
                        poste_est_modifiable
 from forms import *
 from workflow import POSTE_ETAT_DRH_FINALISATION, DOSSIER_ETAT_REFUSE
+from decorators import redirect_interdiction
 
 def devises():
     liste = []
@@ -668,3 +670,28 @@ def liste_valeurs_point(request):
         data.append({'id' : o.id, 'label' : o.__unicode__(), })
     return HttpResponse(dumps(data))
 
+################################################################################
+# MEDIA PRIVE
+################################################################################
+
+def mediaserve(request, path, document_root=None, show_indexes=False):
+    """
+    Sécuriser l'accès aux fichiers uploadés
+    """
+    ct, id, filename = path.split('/')
+
+    grant_ok = False
+    user = request.user
+    if not user.is_authenticated():
+        return redirect_interdiction(request)
+
+    if ct == 'poste':
+        grant_ok = dae.Poste.objects.ma_region_ou_service(user).filter(id=id).count() > 0
+    if ct == 'dossier':
+        grant_ok = dae.Dossier.objects.ma_region_ou_service(user).filter(id=id).count() > 0
+
+    if not grant_ok:
+        return redirect_interdiction(request)
+
+    return serve(request, path, document_root, show_indexes)
+

diff --git a/project/settings.py b/project/settings.py
index feab8b3..9afabae 100644 (file)
--- a/project/settings.py
+++ b/project/settings.py
@@ -27,7 +27,7 @@ PRIVE_MEDIA_ROOT = os.path.join(os.path.dirname(__file__), 'media_prive')
 # trailing slash if there is a path component (optional in other cases).
 # Examples: "http://media.lawrence.com", "http://example.com/media/"
 MEDIA_URL = '/media/'
-PRIVE_MEDIA_URL = '/prive/'
+PRIVE_MEDIA_URL = '/dae/prive/'
 
 
 # URL prefix for admin media -- CSS, JavaScript and images. Make sure to use a

diff --git a/project/urls.py b/project/urls.py
index 9525657..79c1c6a 100644 (file)
--- a/project/urls.py
+++ b/project/urls.py
@@ -16,7 +16,6 @@ urlpatterns = patterns(
     (r'^deconnexion/$', 'django.contrib.auth.views.logout'),
     (r'^dae/', include('project.dae.urls')),
     (r'^', include('project.rh.urls')),
-    (r'^prive/(?P<path>.*)$', 'django.views.static.serve', {'document_root': settings.PRIVE_MEDIA_ROOT}),
 )
 
 if settings.DEBUG: