Merge pull request #3120 from hughrun/permission-required

403 handler
2024-05-20 17:28:55 +00:00 · 2023-11-20 10:06:24 -08:00 · 2023-11-20 10:06:24 -08:00 · b022b5a1b7
parent 3d9f339bd5 1d5cc83347
commit b022b5a1b7
5 changed files with 46 additions and 0 deletions
--- a/bookwyrm/templates/403.html
+++ b/bookwyrm/templates/403.html
@ -0,0 +1,20 @@
+{% extends 'layout.html' %}
+{% load i18n %}
+{% load utilities %}
+
+{% block title %}{% trans "Oh no!" %}{% endblock %}
+
+{% block content %}
+<div class="block">
+    <h1 class="title">{% trans "Permission Denied" %}</h1>
+    <p class="content">
+        {% blocktrans trimmed with level=request.user|get_user_permission %}
+        You do not have permission to view this page or perform this action. Your user permission level is <code>{{ level }}</code>.
+        {% endblocktrans %}
+    </p>
+    <p class="content">{% trans "If you think you should have access, please speak to your BookWyrm server administrator." %}
+    </p>
+
+</div>
+{% endblock %}
+
--- a/bookwyrm/templatetags/utilities.py
+++ b/bookwyrm/templatetags/utilities.py
@ -128,6 +128,13 @@ def id_to_username(user_id):
    return value


+@register.filter(name="get_user_permission")
+def get_user_permission(user):
+    """given a user, return their permission level"""
+
+    return user.groups.first() or "User"
+
+
@register.filter(name="is_instance_admin")
 def is_instance_admin(localname):
    """Returns a boolean indicating whether the user is the instance admin account"""
--- a/bookwyrm/urls.py
+++ b/bookwyrm/urls.py
@ -792,3 +792,6 @@ urlpatterns.extend(staticfiles_urlpatterns())

 # pylint: disable=invalid-name
 handler500 = "bookwyrm.views.server_error"
+
+# pylint: disable=invalid-name
+handler403 = "bookwyrm.views.permission_denied"
--- a/bookwyrm/views/init.py
+++ b/bookwyrm/views/init.py
@ -167,3 +167,4 @@ from .annual_summary import (
    summary_revoke_key,
 )
 from .server_error import server_error
+from .permission_denied import permission_denied
--- a/bookwyrm/views/permission_denied.py
+++ b/bookwyrm/views/permission_denied.py
@ -0,0 +1,15 @@
+"""custom 403 handler to enable context processors"""
+
+from django.http import HttpResponse
+from django.template.response import TemplateResponse
+
+from .helpers import is_api_request
+
+
+def permission_denied(request, exception):  # pylint: disable=unused-argument
+    """permission denied page"""
+
+    if request.method == "POST" or is_api_request(request):
+        return HttpResponse(status=403)
+
+    return TemplateResponse(request, "403.html")