From c71113d07d1a26bfd9988501c4d6cef640c3a9f9 Mon Sep 17 00:00:00 2001 From: Ricky Zhou Date: Fri, 7 Sep 2007 21:13:18 -0700 Subject: [PATCH] Require special privileges (controlled by canViewGroup) to view groups matched by privileged_view_groups in app.cfg (ex. ^cla_.*). --- fas/fas/auth.py | 16 ++++++++++ fas/fas/config/app.cfg | 2 ++ fas/fas/group.py | 52 +++++++++++++++++++------------ fas/fas/templates/group/list.html | 3 ++ 4 files changed, 53 insertions(+), 20 deletions(-) diff --git a/fas/fas/auth.py b/fas/fas/auth.py index ed551d1..13241e6 100644 --- a/fas/fas/auth.py +++ b/fas/fas/auth.py @@ -5,6 +5,8 @@ from fas.fasLDAP import Person from fas.fasLDAP import Groups from fas.fasLDAP import UserGroup +import re + ADMINGROUP = config.get('admingroup') def isAdmin(userName, g=None): @@ -79,6 +81,20 @@ def canEditGroup(userName, groupName, g=None): else: return False +def canViewGroup(userName, groupName, g=None): + # If the group matched by privileged_view_groups, then + # only people that can admin the group can view it + privilegedViewGroups = config.get('privileged_view_groups') + if re.compile(privilegedViewGroups).match(groupName): + if not g: + g = Groups.byUserName(userName) + if canAdminGroup(userName, groupName): + return True + else: + return False + else: + return True + def canApplyGroup(userName, groupName, applyUserName, g=None): # This is where we could make groups depend on other ones. if not g: diff --git a/fas/fas/config/app.cfg b/fas/fas/config/app.cfg index 86dc1a2..4dbed6b 100644 --- a/fas/fas/config/app.cfg +++ b/fas/fas/config/app.cfg @@ -130,6 +130,8 @@ identity.provider='safas2' # identity.soprovider.encryption_algorithm=None +privileged_view_groups = "(^cla_.*)" + # compress the data sends to the web browser # [/] # gzip_filter.on = True diff --git a/fas/fas/group.py b/fas/fas/group.py index 7dfaa56..aa6c1dd 100644 --- a/fas/fas/group.py +++ b/fas/fas/group.py 
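Review bot: In canViewGroup the privileged test is a case-sensitive `re.match` on the caller-supplied `groupName`, so a request for `CLA_done` skips the gate under the shipped pattern `(^cla_.*)`; whether that name then resolves to the real group depends on how the directory compares names, which this patch does not show. If lookups are case-insensitive, the match should be too, e.g. `if re.compile(privilegedViewGroups, re.IGNORECASE).match(groupName):`. Two smaller things in the same function: `g = Groups.byUserName(userName)` is fetched but never passed on, so either drop it or call `canAdminGroup(userName, groupName, g)` (assuming it accepts `g` like its siblings), and a deployment whose app.cfg lacks `privileged_view_groups` hands `None` to `re.compile`, which raises TypeError on every group view. A short docstring stating that groups not matching the pattern stay visible to any logged-in user would make the default explicit.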
@@ -83,24 +83,30 @@ class Group(controllers.Controller): @identity.require(turbogears.identity.not_anonymous()) def view(self, groupName): '''View group''' - groups = Groups.byGroupName(groupName, includeUnapproved=True) - group = Groups.groups(groupName)[groupName] userName = turbogears.identity.current.user_name - try: - myStatus = groups[userName].fedoraRoleStatus - except KeyError: - # Not in group - myStatus = 'Not a Member' # This _has_ to stay 'Not a Member' - except TypeError: - groups = {} - try: - me = groups[userName] - except: - me = UserGroup() - #searchUserForm.groupName.display('group') - #findUser.groupName.display(value='fff') - value = {'groupName': groupName} - return dict(userName=userName, groups=groups, group=group, me=me, value=value) + if not canViewGroup(userName, groupName): + turbogears.flash(_("You cannot view '%s'") % groupName) + turbogears.redirect('/group/list') + return dict() + else: + groups = Groups.byGroupName(groupName, includeUnapproved=True) + group = Groups.groups(groupName)[groupName] + userName = turbogears.identity.current.user_name + try: + myStatus = groups[userName].fedoraRoleStatus + except KeyError: + # Not in group + myStatus = 'Not a Member' # This _has_ to stay 'Not a Member' + except TypeError: + groups = {} + try: + me = groups[userName] + except: + me = UserGroup() + #searchUserForm.groupName.display('group') + #findUser.groupName.display(value='fff') + value = {'groupName': groupName} + return dict(userName=userName, groups=groups, group=group, me=me, value=value) @expose(template="fas.templates.group.new") @identity.require(turbogears.identity.not_anonymous()) 
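Review bot: The canViewGroup guard is pasted into the body of `view` here and again into `dump` in the next hunk, which leaves every other handler in group.py that returns membership data (none are visible in this diff) to remember the check on its own. A small shared helper or decorator that performs the check and the redirect would keep the rule in one place and make a missing guard easier to spot in review. In TurboGears 1.x `turbogears.redirect` raises HTTPRedirect, so `return dict()` is unreachable and the `else:` re-indent of the whole body is not needed. The second `userName = turbogears.identity.current.user_name` inside the branch repeats the assignment made just above the check and can be dropped.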
@@ -341,7 +347,13 @@ class Group(controllers.Controller): @error_handler(error) @expose(template="genshi-text:fas.templates.group.dump", format="text", content_type='text/plain; charset=utf-8') @identity.require(turbogears.identity.not_anonymous()) - def dump(self, groupName=None): - groups = Groups.byGroupName(groupName) - return dict(groups=groups, Person=Person) + def dump(self, groupName): + userName = turbogears.identity.current.user_name + if not canViewGroup(userName, groupName): + turbogears.flash(_("You cannot view '%s'") % groupName) + turbogears.redirect('/group/list') + return dict() + else: + groups = Groups.byGroupName(groupName) + return dict(groups=groups, Person=Person) diff --git a/fas/fas/templates/group/list.html b/fas/fas/templates/group/list.html index 6252dce..419ea7b 100644 --- a/fas/fas/templates/group/list.html +++ b/fas/fas/templates/group/list.html @@ -7,6 +7,7 @@ Groups List +
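Review bot: `dump` is exposed as `text/plain`, yet a denied request is answered with a flash message and a redirect to `/group/list`, so a script that follows redirects receives an HTML page with status 200 where it expected a member dump. For this endpoint an explicit refusal is easier for clients to handle and for operators to spot in access logs, e.g. `raise cherrypy.HTTPError(403)` (no cherrypy import is visible in this part of group.py, so one may need adding). The signature also changes from `groupName=None` to a required argument; a one-line docstring saying that a group name is now mandatory and that privileged groups require admin rights on the group would document the new contract.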

List (${search})

Search Groups

@@ -28,6 +29,7 @@ +
${groups[group].cn} ${groups[group].fedoraGroupDesc} @@ -37,6 +39,7 @@ Apply +