From de1aebe401f72c9e304c6aacb43aefdcb819667a Mon Sep 17 00:00:00 2001 From: Francesco Filicetti Date: Tue, 31 Dec 2024 09:24:27 +0100 Subject: [PATCH] fix: access level control on handlers --- src/cms/contexts/handlers.py | 17 +++++++++++++++++ src/cms/contexts/utils.py | 6 +++--- src/cms/contexts/views.py | 1 + 3 files changed, 21 insertions(+), 3 deletions(-) diff --git a/src/cms/contexts/handlers.py b/src/cms/contexts/handlers.py index f552fa79..1c691232 100644 --- a/src/cms/contexts/handlers.py +++ b/src/cms/contexts/handlers.py @@ -1,5 +1,8 @@ +from django.conf import settings +from django.core.exceptions import PermissionDenied from . models import WebPath +from . views import _get_site_from_host class BaseContentHandler(object): @@ -28,6 +31,20 @@ def __init__(self, path:str, template.render(context) :return: render the HTML page """ + # access level + website = _get_site_from_host(self.request) + access_level = webpath.get_access_level() + if access_level == '0': + pass + elif not request.user.is_authenticated: + return redirect(f"//{settings.MAIN_DOMAIN}{settings.LOGIN_URL}?next=//{website.domain}{webpath.get_full_path()}") + elif access_level == '2' or request.user.is_superuser: + pass + elif getattr(request.user, access_level, None): + pass + else: + raise PermissionDenied + self.webpath = webpath self.path = path self.template = template_fname or self.template diff --git a/src/cms/contexts/utils.py b/src/cms/contexts/utils.py index a1db29dd..35d712dc 100644 --- a/src/cms/contexts/utils.py +++ b/src/cms/contexts/utils.py 
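Review bot: `redirect` is called in the access-level check added to `__init__` later in this file, but the import block here does not bring it into scope. The old top of the file shows only `from . models import WebPath` before the class, so the redirect branch would presumably fail with `NameError` unless the name is imported somewhere not shown; adding `from django.shortcuts import redirect` here would cover it. The new module-level `from . views import _get_site_from_host` is also worth checking: if `views.py` imports this module (not visible in the patch), that creates an import cycle. Moving the helper into a shared module or importing it inside the method would avoid the cycle.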
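Review bot: The `return redirect(...)` branch sits inside `__init__` (per the hunk header; the method's signature and end are outside the hunk), and Python raises `TypeError` when `__init__` returns anything other than `None`. An anonymous visitor to a protected page would therefore get a server error instead of the login redirect. Raising an exception that the view converts into the redirect, or running the check in the view before the handler is built, would keep the intended flow. The check also mixes `self.request` with a bare `request`, so whichever name is actually bound at this point should be used throughout. Separately, `getattr(request.user, access_level, None)` grants access on any truthy attribute, and bound methods are always truthy, so the stored value should first be checked against an explicit allow-list, e.g. `elif access_level in ALLOWED_FLAGS and getattr(request.user, access_level, False):` (`ALLOWED_FLAGS` is a placeholder name).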
@@ -7,13 +7,13 @@ # from django.contrib.admin.models import LogEntry, CHANGE from django.contrib.admin.models import CHANGE from django.contrib.contenttypes.models import ContentType +from django.template.loader import get_template, render_to_string +from django.template.exceptions import (TemplateDoesNotExist, + TemplateSyntaxError) from django.utils import translation from django.utils.module_loading import import_string from django.utils.translation import gettext as _ from django.utils.safestring import mark_safe -from django.template.loader import get_template, render_to_string -from django.template.exceptions import (TemplateDoesNotExist, - TemplateSyntaxError) from cms.templates.models import Log diff --git a/src/cms/contexts/views.py b/src/cms/contexts/views.py index 798c9bd3..9f353384 100644 --- a/src/cms/contexts/views.py +++ b/src/cms/contexts/views.py @@ -37,6 +37,7 @@ app_settings.SITEMAP_WEBPATHS_PRIORITY) ROBOTS_SETTINGS = getattr(settings, 'ROBOTS_SETTINGS', app_settings.ROBOTS_SETTINGS) + def _get_site_from_host(request): requested_site = re.match(r'^[a-zA-Z0-9\.\-\_]*', request.get_host()).group()