Merge pull request #3120 from hughrun/permission-required

403 handler
This commit is contained in:
Mouse Reeve 2023-11-20 10:06:24 -08:00 committed by GitHub
commit b022b5a1b7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 46 additions and 0 deletions

View file

@ -0,0 +1,20 @@
{% extends 'layout.html' %}
{% load i18n %}
{% load utilities %}
{% block title %}{% trans "Oh no!" %}{% endblock %}
{% block content %}
<div class="block">
<h1 class="title">{% trans "Permission Denied" %}</h1>
<p class="content">
{% blocktrans trimmed with level=request.user|get_user_permission %}
You do not have permission to view this page or perform this action. Your user permission level is <code>{{ level }}</code>.
{% endblocktrans %}
</p>
<p class="content">{% trans "If you think you should have access, please speak to your BookWyrm server administrator." %}
</p>
</div>
{% endblock %}

View file

@ -128,6 +128,13 @@ def id_to_username(user_id):
return value return value
@register.filter(name="get_user_permission")
def get_user_permission(user):
"""given a user, return their permission level"""
return user.groups.first() or "User"
@register.filter(name="is_instance_admin") @register.filter(name="is_instance_admin")
def is_instance_admin(localname): def is_instance_admin(localname):
"""Returns a boolean indicating whether the user is the instance admin account""" """Returns a boolean indicating whether the user is the instance admin account"""

View file

@ -792,3 +792,6 @@ urlpatterns.extend(staticfiles_urlpatterns())
# pylint: disable=invalid-name # pylint: disable=invalid-name
handler500 = "bookwyrm.views.server_error" handler500 = "bookwyrm.views.server_error"
# pylint: disable=invalid-name
handler403 = "bookwyrm.views.permission_denied"

View file

@ -167,3 +167,4 @@ from .annual_summary import (
summary_revoke_key, summary_revoke_key,
) )
from .server_error import server_error from .server_error import server_error
from .permission_denied import permission_denied

View file

@ -0,0 +1,15 @@
"""custom 403 handler to enable context processors"""
from django.http import HttpResponse
from django.template.response import TemplateResponse
from .helpers import is_api_request
def permission_denied(request, exception): # pylint: disable=unused-argument
"""permission denied page"""
if request.method == "POST" or is_api_request(request):
return HttpResponse(status=403)
return TemplateResponse(request, "403.html")