Merge pull request #173 from brack3t/pr/145

Pr/145

Author: chrisjones-brack3t

braces/views/_access.py

@@ -1,3 +1,4 @@
+import inspect
 import datetime
 import re
 import six
@@ -7,20 +8,29 @@
 from django.contrib.auth.views import redirect_to_login, logout_then_login
 from django.core.exceptions import ImproperlyConfigured, PermissionDenied
 from django.http import (HttpResponseRedirect, HttpResponsePermanentRedirect,
-                         Http404)
+                         Http404, HttpResponse)
 from django.shortcuts import resolve_url
 from django.utils.encoding import force_text
 from django.utils.timezone import now
 
+# StreamingHttpResponse has been added in 1.5, and gets used for verification
+# only.
+try:
+    from django.http import StreamingHttpResponse
+except ImportError:
+    class StreamingHttpResponse(object):
+        pass
+
 
 class AccessMixin(object):
     """
     'Abstract' mixin that gives access mixins the same customizable
     functionality.
     """
     login_url = None
-    raise_exception = False  # Default whether to raise an exception to none
+    raise_exception = False
     redirect_field_name = REDIRECT_FIELD_NAME  # Set by django.contrib.auth
+    redirect_unauthenticated_users = False
 
     def get_login_url(self):
         """
@@ -46,6 +56,30 @@ def get_redirect_field_name(self):
                     self.__class__.__name__))
         return self.redirect_field_name
 
+    def handle_no_permission(self, request):
+        if self.raise_exception and not self.redirect_unauthenticated_users:
+            if (inspect.isclass(self.raise_exception)
+                    and issubclass(self.raise_exception, Exception)):
+                raise self.raise_exception
+            if callable(self.raise_exception):
+                ret = self.raise_exception(request)
+                if isinstance(ret, (HttpResponse, StreamingHttpResponse)):
+                    return ret
+            raise PermissionDenied
+
+        return self.no_permissions_fail(request)
+
+    def no_permissions_fail(self, request=None):
+        """
+        Called when the user has no permissions and no exception was raised.
+        This should only return a valid HTTP response.
+
+        By default we redirect to login.
+        """
+        return redirect_to_login(request.get_full_path(),
+                                 self.get_login_url(),
+                                 self.get_redirect_field_name())
+
 
 class LoginRequiredMixin(AccessMixin):
     """
@@ -56,17 +90,9 @@ class LoginRequiredMixin(AccessMixin):
         combined with CsrfExemptMixin - which in that case should
         be the left-most mixin.
     """
-    redirect_unauthenticated_users = False
-
     def dispatch(self, request, *args, **kwargs):
         if not request.user.is_authenticated():
-            if (self.raise_exception and
-                    not self.redirect_unauthenticated_users):
-                raise PermissionDenied  # return a forbidden response
-            else:
-                return redirect_to_login(request.get_full_path(),
-                                         self.get_login_url(),
-                                         self.get_redirect_field_name())
+            return self.handle_no_permission(request)
 
         return super(LoginRequiredMixin, self).dispatch(
             request, *args, **kwargs)
@@ -157,28 +183,15 @@ def check_permissions(self, request):
         perms = self.get_permission_required(request)
         return request.user.has_perm(perms)
 
-    def no_permissions_fail(self, request=None):
-        """
-        Called when the user has no permissions. This should only
-        return a valid HTTP response.
-
-        By default we redirect to login.
-        """
-        return redirect_to_login(request.get_full_path(),
-                                 self.get_login_url(),
-                                 self.get_redirect_field_name())
-
     def dispatch(self, request, *args, **kwargs):
         """
         Check to see if the user in the request has the required
         permission.
         """
         has_permission = self.check_permissions(request)
 
-        if not has_permission:  # If the user lacks the permission
-            if self.raise_exception:
-                raise PermissionDenied  # Return a 403
-            return self.no_permissions_fail(request)
+        if not has_permission:
+            return self.handle_no_permission(request)
 
         return super(PermissionRequiredMixin, self).dispatch(
             request, *args, **kwargs)
@@ -318,13 +331,8 @@ def dispatch(self, request, *args, **kwargs):
             in_group = self.check_membership(self.get_group_required())
 
         if not in_group:
-            if self.raise_exception:
-                raise PermissionDenied
-            else:
-                return redirect_to_login(
-                    request.get_full_path(),
-                    self.get_login_url(),
-                    self.get_redirect_field_name())
+            return self.handle_no_permission(request)
+
         return super(GroupRequiredMixin, self).dispatch(
             request, *args, **kwargs)
 
@@ -354,13 +362,9 @@ def get_test_func(self):
     def dispatch(self, request, *args, **kwargs):
         user_test_result = self.get_test_func()(request.user)
 
-        if not user_test_result:  # If user don't pass the test
-            if self.raise_exception:  # *and* if an exception was desired
-                raise PermissionDenied
-            else:
-                return redirect_to_login(request.get_full_path(),
-                                         self.get_login_url(),
-                                         self.get_redirect_field_name())
+        if not user_test_result:
+            return self.handle_no_permission(request)
+
         return super(UserPassesTestMixin, self).dispatch(
             request, *args, **kwargs)
 
@@ -370,13 +374,8 @@ class SuperuserRequiredMixin(AccessMixin):
     Mixin allows you to require a user with `is_superuser` set to True.
     """
     def dispatch(self, request, *args, **kwargs):
-        if not request.user.is_superuser:  # If the user is a standard user,
-            if self.raise_exception:  # *and* if an exception was desired
-                raise PermissionDenied  # return a forbidden response.
-            else:
-                return redirect_to_login(request.get_full_path(),
-                                         self.get_login_url(),
-                                         self.get_redirect_field_name())
+        if not request.user.is_superuser:
+            return self.handle_no_permission(request)
 
         return super(SuperuserRequiredMixin, self).dispatch(
             request, *args, **kwargs)
@@ -387,13 +386,8 @@ class StaffuserRequiredMixin(AccessMixin):
     Mixin allows you to require a user with `is_staff` set to True.
     """
     def dispatch(self, request, *args, **kwargs):
-        if not request.user.is_staff:  # If the request's user is not staff,
-            if self.raise_exception:  # *and* if an exception was desired
-                raise PermissionDenied  # return a forbidden response
-            else:
-                return redirect_to_login(request.get_full_path(),
-                                         self.get_login_url(),
-                                         self.get_redirect_field_name())
+        if not request.user.is_staff:
+            return self.handle_no_permission(request)
 
         return super(StaffuserRequiredMixin, self).dispatch(
             request, *args, **kwargs)

docs/access.rst

@@ -6,10 +6,22 @@ These mixins all control a user's access to a given view. Since many of them ext
 ::
 
     login_url = settings.LOGIN_URL
-    redirect_field_name = REDIRECT_FIELD_NAME
     raise_exception = False
+    redirect_field_name = REDIRECT_FIELD_NAME
+    redirect_unauthenticated_users = False
+
+The ``raise_exception`` attribute allows for these scenarios, in case a
+permission is denied:
+
+    * ``False`` (default): redirects to the provided login view.
+    * ``True``: raises a ``PermissionDenied`` exception.
+    * A subclass of ``Exception``: raises this exception.
+    * A callable: gets called with the ``request`` argument.
+      The function has to return a ``HttpResponse`` or
+      ``StreamingHttpResponse`` (Django 1.5+), otherwise a ``PermissionDenied``
+      exception gets raised.
 
-The ``raise_exception`` attribute will cause the view to raise a ``PermissionDenied`` exception if it is set to ``True``, otherwise the view will redirect to the login view provided.
+This gets done in ``handle_no_permission``, which can be overridden itself.
 
 .. contents::
 

tests/test_access_mixins.py

@@ -9,6 +9,7 @@
 from django.test.utils import override_settings
 from django.core.exceptions import ImproperlyConfigured, PermissionDenied
 from django.core.urlresolvers import reverse_lazy
+from django.http import Http404, HttpResponse
 
 from .compat import force_text
 from .factories import GroupFactory, UserFactory
@@ -70,6 +71,75 @@ def test_raise_permission_denied(self):
         with self.assertRaises(PermissionDenied):
             self.dispatch_view(req, raise_exception=True)
 
+    def test_raise_custom_exception(self):
+        """
+        Http404 should be raised if user is not authorized and
+        raise_exception attribute is set to Http404.
+        """
+        user = self.build_unauthorized_user()
+        req = self.build_request(user=user, path=self.view_url)
+
+        with self.assertRaises(Http404):
+            self.dispatch_view(req, raise_exception=Http404)
+
+    def test_raise_func_pass(self):
+        """
+        An exception should be raised if user is not authorized and
+        raise_exception attribute is set to a function that returns nothing.
+        """
+        user = self.build_unauthorized_user()
+        req = self.build_request(user=user, path=self.view_url)
+
+        def func(request):
+            pass
+
+        with self.assertRaises(PermissionDenied):
+            self.dispatch_view(req, raise_exception=func)
+
+    def test_raise_func_response(self):
+        """
+        A custom response should be returned if user is not authorized and
+        raise_exception attribute is set to a function that returns a response.
+        """
+        user = self.build_unauthorized_user()
+        req = self.build_request(user=user, path=self.view_url)
+
+        def func(request):
+            return HttpResponse("CUSTOM")
+
+        resp = self.dispatch_view(req, raise_exception=func)
+        assert resp.status_code == 200
+        assert force_text(resp.content) == 'CUSTOM'
+
+    def test_raise_func_false(self):
+        """
+        PermissionDenied should be raised, if a custom raise_exception
+        function does not return HttpResponse or StreamingHttpResponse.
+        """
+        user = self.build_unauthorized_user()
+        req = self.build_request(user=user, path=self.view_url)
+
+        def func(request):
+            return False
+
+        with self.assertRaises(PermissionDenied):
+            self.dispatch_view(req, raise_exception=func)
+
+    def test_raise_func_raises(self):
+        """
+        A custom exception should be raised if user is not authorized and
+        raise_exception attribute is set to a callable that raises an
+        exception.
+        """
+        user = self.build_unauthorized_user()
+        req = self.build_request(user=user, path=self.view_url)
+
+        def func(request):
+            raise Http404
+
+        with self.assertRaises(Http404):
+            self.dispatch_view(req, raise_exception=func)
+
     def test_custom_login_url(self):
         """
         Login url should be customizable.
@@ -128,6 +198,22 @@ def test_overridden_login_url(self):
         self.assertRedirects(resp, u'/auth/login/?next={0}'.format(
             self.view_url))
 
+    def test_redirect_unauthenticated(self):
+        resp = self.dispatch_view(
+                self.build_request(path=self.view_url),
+                raise_exception=True,
+                redirect_unauthenticated_users=True)
+        assert resp.status_code == 302
+        assert resp['Location'] == '/accounts/login/?next={0}'.format(
+            self.view_url)
+
+    def test_redirect_unauthenticated_false(self):
+        with self.assertRaises(PermissionDenied):
+            self.dispatch_view(
+                self.build_request(path=self.view_url),
+                raise_exception=True,
+                redirect_unauthenticated_users=False)
+
 
 class TestLoginRequiredMixin(TestViewHelper, test.TestCase):
     """