From 9f6def272f74c6551ba2d2afee7d60d06c68e704 Mon Sep 17 00:00:00 2001 From: Doug Blank Date: Thu, 7 Jun 2012 00:49:02 +0000 Subject: [PATCH] Working on data security; private, living svn: r19780 --- src/data/templates/view_family_detail.html | 8 ++++ src/data/templates/view_name_detail.html | 2 +- src/data/templates/view_person_detail.html | 2 +- src/webapp/grampsdb/models.py | 5 +-- src/webapp/grampsdb/views.py | 28 ++++++++++-- src/webapp/utils.py | 51 ++++++++++++---------- 6 files changed, 62 insertions(+), 34 deletions(-) diff --git a/src/data/templates/view_family_detail.html b/src/data/templates/view_family_detail.html index e55ca6e26..37b882ad8 100644 --- a/src/data/templates/view_family_detail.html +++ b/src/data/templates/view_family_detail.html @@ -35,9 +35,17 @@ Name: +{% if user.is_authenticated or father.probably_alive %} {% render familyform.father user action %} +{% else %} + {{family.father|render_name:user}} +{% endif %} Name: +{% if user.is_authenticated or mother.probably_alive %} {% render familyform.mother user action %} +{% else %} + {{family.mother|render_name:user}} +{% endif %} {% if user.is_authenticated or not familyform.father.probably_alive %} diff --git a/src/data/templates/view_name_detail.html b/src/data/templates/view_name_detail.html index d0b85277b..2021847ef 100644 --- a/src/data/templates/view_name_detail.html +++ b/src/data/templates/view_name_detail.html @@ -40,7 +40,7 @@ {{surnameform.surname.label}}: - {% render surnameform.surname user action False "" "get_focus" %} + {% render surnameform.surname user action "get_focus" %} {{surnameform.prefix.label}}: {% render surnameform.prefix user action %} diff --git a/src/data/templates/view_person_detail.html b/src/data/templates/view_person_detail.html index 8b00b95e3..8bfbb3632 100644 --- a/src/data/templates/view_person_detail.html +++ b/src/data/templates/view_person_detail.html 
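Review bot: The new guards in view_family_detail.html test `father.probably_alive` and `mother.probably_alive`, while the existing guard immediately below tests `not familyform.father.probably_alive` — both the variable name and the polarity differ. If `father` is not bound in the template context Django resolves it as falsy, so unauthenticated viewers always fall through to `render_name` and the page fails closed; but if it is bound, an unauthenticated viewer is shown the rendered form field exactly when the person is probably alive, which is the case the living-person rule is meant to mask. Aligning with the line below, e.g. `{% if user.is_authenticated or not family.father.probably_alive %}` (and likewise for mother), or simply sending every unauthenticated viewer through `{{family.father|render_name:user}}`, removes the ambiguity.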
@@ -39,7 +39,7 @@ {{nameform.title.label}}: - {% render nameform.title user action False "" "get_focus" %} + {% render nameform.title user action "get_focus" %} {{nameform.nick.label}}: {% render nameform.nick user action %} {{nameform.call.label}}: diff --git a/src/webapp/grampsdb/models.py b/src/webapp/grampsdb/models.py index 9464b2f14..2df8d671b 100644 --- a/src/webapp/grampsdb/models.py +++ b/src/webapp/grampsdb/models.py @@ -27,8 +27,6 @@ is loaded by the fixtures/initial_data.json, which is created by init.py. """ -_DEBUG = True - from django.db import models from django.contrib.contenttypes.models import ContentType from django.contrib.contenttypes import generic @@ -55,8 +53,6 @@ def get_type(the_type, data, get_or_create=False): elif data[0] == the_type._CUSTOM or get_or_create: (obj, new) = the_type.objects.get_or_create(val=data[0], name=data[1]) - if new and _DEBUG: - print "DEBUG: Made new type:", the_type, data return obj else: return the_type.objects.get(val=data[0]) @@ -690,6 +686,7 @@ class Name(DateObject, SecondaryObject): self._sanitized = True if self.person.probably_alive: self.first_name = "[Living]" + self.nick = "" self.call = "" self.group_as = "" self.title = "" diff --git a/src/webapp/grampsdb/views.py b/src/webapp/grampsdb/views.py index 09c5d0788..2cacb4826 100644 --- a/src/webapp/grampsdb/views.py +++ b/src/webapp/grampsdb/views.py @@ -266,6 +266,7 @@ def view_list(request, view): Q(place__title__icontains=search)) & private ) \ + .distinct() \ .order_by("gramps_id") else: object_list = Event.objects.filter(private).order_by("gramps_id") @@ -283,6 +284,7 @@ def view_list(request, view): .filter((Q(father__name__surname__surname__istartswith=surname) & Q(mother__name__surname__surname__istartswith=surname)) ) \ + .distinct() \ .order_by("gramps_id") else: # no comma object_list = Family.objects \ 
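Review bot: The Name sanitization hunk in models.py blanks attributes on the instance itself (`self.first_name = "[Living]"`, and now `self.nick = ""` as well), so a sanitized instance that later reaches `save()` would persist the placeholders into the database. A comment on the branch such as `# display-only masking: a sanitized Name must never be save()d` records that contract; sanitizing a copy instead of the instance would remove the risk entirely. The enclosing method starts and ends outside the hunk, so whether the `_sanitized` flag is checked on entry cannot be confirmed here.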
@@ -291,6 +293,7 @@ def view_list(request, view): Q(father__name__surname__surname__istartswith=search) | Q(mother__name__surname__surname__istartswith=search) ) \ + .distinct() \ .order_by("gramps_id") else: # no search object_list = Family.objects.all().order_by("gramps_id") @@ -311,6 +314,7 @@ def view_list(request, view): Q(mother__private=False) & Q(father__private=False) ) \ + .distinct() \ .order_by("gramps_id") else: object_list = Family.objects \ @@ -318,6 +322,7 @@ def view_list(request, view): Q(mother__private=False) & Q(father__private=False) ) \ + .distinct() \ .order_by("gramps_id") view_template = 'view_families.html' total = Family.objects.all().count() @@ -334,6 +339,7 @@ def view_list(request, view): .filter(Q(gramps_id__icontains=search) & private ) \ + .distinct() \ .order_by("gramps_id") else: object_list = Media.objects.filter(private).order_by("gramps_id") @@ -354,6 +360,7 @@ def view_list(request, view): Q(text__icontains=search)) & private ) \ + .distinct() \ .order_by("gramps_id") else: object_list = Note.objects.filter(private).order_by("gramps_id") @@ -367,6 +374,7 @@ def view_list(request, view): query = build_person_query(request, search, protect=False) object_list = Name.objects \ .filter(query) \ + .distinct() \ .order_by("surname__surname", "first_name") else: object_list = Name.objects.all().order_by("surname__surname", "first_name") @@ -377,12 +385,14 @@ def view_list(request, view): query = build_person_query(request, search, protect=True) object_list = Name.objects \ .filter(query) \ + .distinct() \ .order_by("surname__surname", "private", "person__probably_alive", "first_name") else: object_list = Name.objects \ .select_related() \ .filter(Q(private=False) & Q(person__private=False)) \ + .distinct() \ .order_by("surname__surname", "private", "person__probably_alive", "first_name") # END NON-AUTHENTICATED users view_template = 'view_people.html' 
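Review bot: In the two Name hunks (`@@ -367` and `@@ -377`) `.distinct()` is chained before `.order_by("surname__surname", ...)`, and Django's documented caveat for `distinct()` is that fields named in `order_by()` are added to the SELECT, so ordering by a related-model field can still yield repeated rows when the join fans out. The other hunks on this line order by `gramps_id` or `name` on the model itself and are not affected. If duplicates persist in the people list after this change, that interaction is the first thing to check against the generated SQL; a short comment, `# distinct() + related-field order_by: see Django distinct() caveat`, would save the next reader the same investigation.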
@@ -402,6 +412,7 @@ def view_list(request, view): ) & private ) \ + .distinct() \ .order_by("gramps_id") else: object_list = Place.objects.filter(private).order_by("gramps_id") @@ -423,6 +434,7 @@ def view_list(request, view): ) & private ) \ + .distinct() \ .order_by("gramps_id") else: object_list = Repository.objects.filter(private).order_by("gramps_id") @@ -441,6 +453,7 @@ def view_list(request, view): .filter(Q(gramps_id__icontains=search) & private ) \ + .distinct() \ .order_by("gramps_id") else: object_list = Citation.objects.filter(private).order_by("gramps_id") @@ -459,6 +472,7 @@ def view_list(request, view): .filter(Q(gramps_id__icontains=search) & private ) \ + .distinct() \ .order_by("gramps_id") else: object_list = Source.objects.filter(private).order_by("gramps_id") @@ -470,6 +484,7 @@ def view_list(request, view): search = request.GET.get("search") object_list = Tag.objects \ .filter(Q(name__icontains=search)) \ + .distinct() \ .order_by("name") else: object_list = Tag.objects.order_by("name") @@ -482,10 +497,12 @@ def view_list(request, view): if request.user.is_superuser: object_list = Report.objects \ .filter(Q(name__icontains=search)) \ + .distinct() \ .order_by("name") else: object_list = Report.objects \ .filter(Q(name__icontains=search) & ~Q(report_type="import")) \ + .distinct() \ .order_by("name") else: if request.user.is_superuser: @@ -682,15 +699,18 @@ def build_person_query(request, search, protect): query = Q() if protect: query &= (Q(private=False) & Q(person__private=False)) - terms = ["surname", "given"] - else: terms = ["surname"] + else: + terms = ["surname", "given"] for term in [term.strip() for term in search.split(",")]: if "=" in term: field, value = [s.strip() for s in term.split("=")] else: - field = terms.pop(0) - value = term + if terms: + field = terms.pop(0) + value = term + else: + continue if "." in field and not protect: query &= Q(**{field.replace(".", "__"): value}) elif field == "surname": 
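Review bot: In build_person_query the `=` branch still does `field, value = [s.strip() for s in term.split("=")]`, so a search term containing two `=` characters raises an unhandled ValueError before the new `if terms:` guard is reached; `field, value = [s.strip() for s in term.split("=", 1)]` fixes that. The `field` string is also user-controlled and, for authenticated users (`not protect`), is passed straight into `Q(**{field.replace(".", "__"): value})`, so any unknown or unintended related-field name ends in a FieldError from the ORM; an allowlist of searchable field names checked before building the Q, with unknown names skipped like the `continue` branch does, keeps the error surface small. The function's remaining branches lie outside the hunk.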
diff --git a/src/webapp/utils.py b/src/webapp/utils.py index fe5e4b9fd..59da6da1e 100644 --- a/src/webapp/utils.py +++ b/src/webapp/utils.py @@ -76,6 +76,7 @@ util_filters = [ util_tags = [ 'render', + 'render_name', "get_person_from_handle", "event_table", "name_table", @@ -821,17 +822,21 @@ def children_table(obj, user, action, url=None, *args): date_as_text(child.birth, user), ) links.append(('URL', ("/person/%s" % child.handle))) + count += 1 else: table.row(str(count), "[%s]" % child.gramps_id, - render_name(child, user), - child.gender_type, + render_name(child, user) if not child.private else "[Private]", + child.gender_type if not child.private else "[Private]", "[Private]", "[Private]", "[Private]", ) - links.append(('URL', ("/person/%s" % child.handle))) - count += 1 + if not child.private: + links.append(('URL', ("/person/%s" % child.handle))) + else: + links.append((None, None)) + count += 1 table.links(links) retval += table.get_html() if user.is_superuser and url and action == "view": 
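Review bot: The `@@ -76` hunk registers `'render_name'` in `util_tags`, but view_family_detail.html in this same commit invokes it with filter syntax, `{{family.father|render_name:user}}`; unless `render_name` is also listed in `util_filters` (whose contents are above the hunk), Django will reject the template with an invalid-filter error rather than silently masking anything. Worth confirming which registration list the template-side use needs, and adding a one-line comment next to the entry stating whether it is exposed as a tag, a filter, or both.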
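Review bot: In children_table's masked row the name and gender cells are now replaced with "[Private]" when `child.private`, but the second cell still renders `"[%s]" % child.gramps_id` unconditionally, so the private child's Gramps ID is disclosed on the same row. Masking it with the same pattern, `"[%s]" % child.gramps_id if not child.private else "[Private]"`, keeps the row consistent. The new `links.append((None, None))` entry assumes `table.links()` tolerates a `None` pair for the private row; that cannot be confirmed from this hunk, and the enclosing function starts before it.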
@@ -872,30 +877,28 @@ def display_date(obj): else: return "" -def render(formfield, user, action, test=False, truetext="", id=None): +def render(formfield, user, action, id=None): if not user.is_authenticated(): action = "view" if action == "view": # show as text - if (not user.is_authenticated() and not test) or user.is_authenticated(): - fieldname = formfield.name # 'surname' + fieldname = formfield.name # 'surname' + try: + item = getattr(formfield.form.model, fieldname) + if (item.__class__.__name__ == 'ManyRelatedManager'): + retval = ", ".join([i.get_link() for i in item.all()]) + else: + retval = str(item) + #### Some cleanup: + if retval == "True": + retval = "Yes" + elif retval == "False": + retval = "No" + except: + # name, "prefix" try: - item = getattr(formfield.form.model, fieldname) - if (item.__class__.__name__ == 'ManyRelatedManager'): - retval = ", ".join([i.get_link() for i in item.all()]) - else: - retval = str(item) - if retval == "True": - retval = "Yes" - elif retval == "False": - retval = "No" + retval = str(formfield.form.data[fieldname]) except: - # name, "prefix" - try: - retval = str(formfield.form.data[fieldname]) - except: - retval = "[None]" - else: - retval = truetext + retval = "[None]" else: # show as widget if id != None: retval = formfield.as_widget(attrs={"id": id}) @@ -903,7 +906,7 @@ def render(formfield, user, action, test=False, truetext="", id=None): retval = formfield.as_widget() return retval -def render_name(name, user): +def render_name(name, user, action=None): """ Given a Django or Gramps object, render the name and return. This function uses authentication, privacy and probably_alive settings.
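Review bot: The rewritten view branch of `render` keeps two bare `except:` clauses, which also swallow programming errors (an AttributeError from a renamed attribute, even KeyboardInterrupt) and turn them into "[None]"; narrowing them to `except AttributeError:` around the `getattr` path and `except KeyError:` around `formfield.form.data[fieldname]` keeps the fallback while letting real failures surface. With the `test`/`truetext` parameters gone, `render` itself applies no privacy rule beyond forcing `action = "view"` for anonymous users — it renders `str(item)` for whatever field it is handed — so the templates' guards are now the only protection, and a docstring line such as `Performs no privacy masking; callers must guard living/private fields before rendering.` would make that contract explicit. The `", ".join([i.get_link() for i in item.all()])` path emits HTML from related objects; whether it is escaped downstream cannot be seen in this hunk.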
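Review bot: `render_name` gains an `action=None` parameter, but the docstring lines in the hunk do not mention it and the body where it would be used lies outside the hunk. Add a parameter description stating what `action` controls and what `None` means once the body confirms it, so callers of the old two-argument form know the default preserves their behaviour.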