source: WAeUP_SRP/trunk/skins/waeup_student/lecturer_course_edit.py @ 3905

Last change on this file since 3905 was 3820, checked in by Henrik Bettermann, 16 years ago

improve security setting for lecturer course editing

File size: 3.3 KB
Line 
1## Script (Python) "lecturer_course_edit"
2##bind container=container
3##bind context=context
4##bind namespace=
5##bind script=script
6##bind subpath=traverse_subpath
7##parameters=REQUEST, cpsdocument_edit_button=None, cpsdocument_edit_and_view_button=None, action=None
8##title=
9# $Id: course_edit.py 1071 2006-12-16 15:53:13Z joachim $
10"""
11"""
12try:
13    from Products.zdb import set_trace
14except:
15    def set_trace():
16        pass
17from urllib import urlencode
18from Products.CPSDocument.utils import getFormUidUrlArg
19from Products.AdvancedQuery import Eq, Between, Le,In
20import DateTime
21current = DateTime.DateTime()
22import logging
23logger = logging.getLogger('Skins.lecturer_course_edit')
24wf = context.portal_workflow
25request = REQUEST
26edit = "edit" in request.form.keys()
27mtool = context.portal_membership
28member = mtool.getAuthenticatedMember()
29groups = member.getGroups()
30
31member_id = str(member)
32requested_id = context.getStudentId()
33if not 'Lecturers' in groups and not context.isSectionOfficer():
34    logger.info('%s tried to access course result of %s but is not a lecturer' % (member_id,requested_id))
35    return REQUEST.RESPONSE.redirect("%s/srp_anonymous_view" % context.portal_url())
36
37student_id = requested_id
38
39level_id = context.getId()
40course_id = traverse_subpath[0]
41query = Eq('student_id',student_id) &\
42        Eq('level_id', level_id) &\
43        Eq('code', course_id)
44
45course_results = context.course_results.evalAdvancedQuery(query)
46mode = 'edit'
47object = {}
48course_result = course_results[0]
49course = context.courses_catalog(code=course_id)[0]
50lecturer_id = getattr(course,'lecturer',None)
51#set_trace()
52if str(lecturer_id) != member_id and not context.isSectionOfficer():
53    logger.info('%s tried to access course result %s of %s but is not a lecturer of this course' % (member_id,course_id,requested_id))
54    return REQUEST.RESPONSE.redirect("%s/srp_anonymous_view" % context.portal_url())
55
56for field in context.course_results.schema():
57    object[field] = getattr(course_result,field,None)
58    if repr(object[field]) == 'Missing.Value':
59        object[field] = None
60     
61lt = context.portal_layouts
62res,psm, ds = lt.renderLayout(schema_id = 'student_course_result',
63                               layout_id = 'student_course_result',
64                               layout_mode = mode,
65                               context=context,
66                               mapping=edit and REQUEST,
67                               ob=object,
68                               commit = False)
69
70while True:
71    if psm == 'invalid':
72        psm = "Please correct your input"
73        break
74    elif psm == '':
75        break
76    if edit:
77        data = {}
78        dm = ds.getDataModel()
79        for field in context.course_results.schema():
80            if dm.has_key("%s" % field):
81                data[field] = dm.get(field)
82        data['key'] = object['key']
83        context.course_results.modifyRecord(**data)
84        logger.info('%s edited course result %s of %s' % (member_id,course_id,student_id))
85        psm = 'psm_content_changed'
86        break
87return context.lecturer_course_edit_form(rendered = res,
88                                psm = psm,
89                                mode = mode,
90                                ds = ds,
91                               )
Note: See TracBrowser for help on using the repository browser.