from urllib.parse import urlsplit

from django.conf import settings
from django.http import (
    HttpResponse, HttpResponseRedirect,
    HttpResponseBadRequest, HttpResponseForbidden,
)
from django.urls import reverse_lazy
from django.utils.http import url_has_allowed_host_and_scheme
from django.views.generic.base import RedirectView

from ..responses import HttpResponseUnauthorized
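class PreviewTogglerView(RedirectView):
    """
    Toggle preview mode in user session.

    The redirection url can not be one of the preview toggler urls, this is to
    avoid a malicious redirection loop.

    Only an authenticated staff user is allowed to use this view and the URL
    argument "next" is required to be given as an absolute path on this site
    (starting with ``/`` and not resolving to another host), else it is assumed
    as a bad operation and a ``400`` response is returned.
    """
    permanent = False
    disable_url = reverse_lazy("lotus:preview-disable")
    enable_url = reverse_lazy("lotus:preview-enable")
    mode = "enable"

    # Session value written for each supported mode; any other mode is a no-op.
    MODE_VALUES = {"enable": True, "disable": False}

    def get_redirect_url(self, *args, **kwargs):
        """
        Return the URL to redirect to, or an error response when it is invalid.

        The URL is read from the ``next`` GET argument. Unlike the parent
        method, a ``HttpResponseBadRequest`` is *returned* (not raised) when the
        argument is missing, is not a local absolute path, or would redirect to
        this view's own toggler URLs; ``get()`` checks the return type for this.
        """
        url = self.request.GET.get("next", "")
        if not url:
            return HttpResponseBadRequest("URL argument 'next' is required.")

        if not url.startswith("/"):
            return HttpResponseBadRequest(
                "Relative URL for redirection is not allowed."
            )

        # A leading "/" alone is not enough: a protocol-relative value such as
        # "//other.example" (or a backslash variant) also starts with "/" but is
        # resolved by browsers to another host, which would make this view an
        # open redirect. Require the host and scheme to be allowed by Django.
        if not url_has_allowed_host_and_scheme(
            url,
            allowed_hosts={self.request.get_host()},
            require_https=self.request.is_secure(),
        ):
            return HttpResponseBadRequest(
                "Redirection to another host is not allowed."
            )

        # Compare on the path component only, so the toggler URL with an
        # appended query string (e.g. "?next=...") is rejected as well.
        toggler_paths = (str(self.disable_url), str(self.enable_url))
        if urlsplit(url).path in toggler_paths:
            return HttpResponseBadRequest(
                "You can not redirect to the preview toggler URL."
            )

        return url

    def set_preview_mode(self, request, mode):
        """
        Store the preview flag in the session for the given mode.

        ``"enable"`` stores ``True`` and ``"disable"`` stores ``False`` under
        the ``settings.LOTUS_PREVIEW_KEYWORD`` session key; any other mode
        leaves the session untouched.
        """
        if mode in self.MODE_VALUES:
            request.session[settings.LOTUS_PREVIEW_KEYWORD] = self.MODE_VALUES[mode]

    def get(self, request, *args, **kwargs):
        """
        Check permissions, validate the redirect target, switch the mode and
        redirect.

        Returns ``401`` for anonymous users, ``403`` for authenticated non-staff
        users, the ``400`` response built by ``get_redirect_url()`` for an
        invalid ``next`` argument, else a temporary redirect to the validated
        URL.
        """
        # Anonymous users are not allowed here
        if not request.user.is_authenticated:
            return HttpResponseUnauthorized("You are not allowed to be here.")

        # Non staff users are forbidden here
        if not request.user.is_staff:
            return HttpResponseForbidden(
                "You don't have permission level to use this view."
            )

        # get_redirect_url() hands back an error response instead of a URL when
        # the "next" argument is invalid; pass it through unchanged.
        url = self.get_redirect_url(*args, **kwargs)
        if isinstance(url, HttpResponse):
            return url

        # Switch preview mode in session depending on the 'mode' attribute
        self.set_preview_mode(request, self.mode)

        return HttpResponseRedirect(url)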