allow filter to manage access

The "answer_filter" should limit the scope of answers the user can see
(just answers for books the user has permission to manage), so the
questionnaire.export permission is only needed for users who need to
see answers for all books.
pull/1/head
eric 2016-10-18 23:07:58 -04:00
parent 670e13f738
commit 53d98aff21
1 changed files with 7 additions and 3 deletions


@ -13,7 +13,7 @@ from django.http import HttpResponse, HttpResponseRedirect
from django.template import RequestContext from django.template import RequestContext
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
from django.core.cache import cache from django.core.cache import cache
from django.contrib.auth.decorators import permission_required from django.contrib.auth.decorators import login_required, permission_required
from django.shortcuts import render, render_to_response, get_object_or_404 from django.shortcuts import render, render_to_response, get_object_or_404
from django.views.generic.base import TemplateView from django.views.generic.base import TemplateView
from django.db import transaction from django.db import transaction
@ -835,7 +835,8 @@ default_extra_headings = [u'subject', u'run id']
def default_extra_entries(subject, run): def default_extra_entries(subject, run):
return ["%s/%s" % (subject.id, subject.ip_address), run.id] return ["%s/%s" % (subject.id, subject.ip_address), run.id]
@permission_required("questionnaire.export")
@login_required
def export_csv(request, qid, def export_csv(request, qid,
extra_headings=default_extra_headings, extra_headings=default_extra_headings,
extra_entries=default_extra_entries, extra_entries=default_extra_entries,
@ -848,9 +849,12 @@ def export_csv(request, qid,
qid -- questionnaire_id qid -- questionnaire_id
extra_headings -- customize the headings for extra columns, extra_headings -- customize the headings for extra columns,
extra_entries -- function returning a list of extra column entries, extra_entries -- function returning a list of extra column entries,
answer_filter -- custom filter for the answers answer_filter -- custom filter for the answers. If this is present, the filter must manage access.
filecode -- code for filename filecode -- code for filename
""" """
if answer_filter is None and not request.user.has_perm("questionnaire.export"):
return HttpResponse('Sorry, you do not have export permissions', content_type="text/plain")
fd = tempfile.TemporaryFile() fd = tempfile.TemporaryFile()
questionnaire = get_object_or_404(Questionnaire, pk=int(qid)) questionnaire = get_object_or_404(Questionnaire, pk=int(qid))
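Review bot: The new denial branch at the top of `export_csv` returns a plain `HttpResponse`, so a refused export goes out with status 200 and cannot be told apart from a successful one in access logs or by clients. Returning `HttpResponseForbidden('Sorry, you do not have export permissions', content_type="text/plain")` (imported from `django.http` next to `HttpResponse`) or raising `PermissionDenied` would make the refusal visible as a 403. Separately, with `@permission_required` replaced by `@login_required`, any non-None `answer_filter` skips the permission check entirely, so authorization now depends on every caller passing a filter that actually scopes the answers to what the user may manage. The default extra columns include `subject.ip_address`, so a pass-through filter would expose that to any logged-in user. The docstring entry could say this outright, e.g. `answer_filter -- custom filter for the answers. SECURITY: when given, the questionnaire.export check is skipped, so the filter itself must restrict answers to those the requesting user may see.` The body of `export_csv` continues outside the hunk, so how the filter is applied is not visible here.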