"""
crate_anon/crateweb/core/middleware.py
===============================================================================
Copyright (C) 2015, University of Cambridge, Department of Psychiatry.
Created by Rudolf Cardinal (rnc1001@cam.ac.uk).
This file is part of CRATE.
CRATE is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
CRATE is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with CRATE. If not, see <https://www.gnu.org/licenses/>.
===============================================================================
**Middleware.**
"""
from django.core.exceptions import ImproperlyConfigured
from django.http import HttpResponse, HttpResponseForbidden, HttpRequest
from django.urls import reverse
from django.utils.deprecation import MiddlewareMixin
from crate_anon.crateweb.config.constants import AdminSiteNames
from crate_anon.crateweb.core.utils import is_developer
# =============================================================================
# RestrictAdminMiddleware
# =============================================================================
# See https://djangosnippets.org/snippets/2227/
[docs]class RestrictAdminMiddleware(MiddlewareMixin):
"""
A middleware that restricts the different admin sites depending on user
privileges.
"""
@staticmethod
def process_request(request: HttpRequest) -> HttpResponse:
if not hasattr(request, "user"):
raise ImproperlyConfigured(
"Authentication middleware required. Edit your"
" MIDDLEWARE_CLASSES setting to insert"
" 'django.contrib.auth.middleware.AuthenticationMiddleware'"
" before the RestrictDevAdminMiddleware class."
)
if request.path.startswith(
reverse(f"{AdminSiteNames.DEVADMIN}:index")
):
if not is_developer(request.user):
return HttpResponseForbidden(
"Non-developers cannot access the devadmin"
)
if request.path.startswith(
reverse(f"{AdminSiteNames.MGRADMIN}:index")
):
if not request.user.is_superuser:
return HttpResponseForbidden(
"Non-superusers cannot access the mgradmin"
)
# Django requires the staff flag for any admin.