From afc7f080543021b99cf7bae95a5c6fd83a20f870 Mon Sep 17 00:00:00 2001 From: Francesco Filicetti Date: Tue, 31 Dec 2024 10:43:17 +0100 Subject: [PATCH] fix: webpath access level in handlers --- src/cms/contexts/handlers.py | 2 +- src/cms/contexts/views.py | 42 ++++++++++++++++++++++++++---------- 2 files changed, 32 insertions(+), 12 deletions(-) diff --git a/src/cms/contexts/handlers.py b/src/cms/contexts/handlers.py index f552fa79..4375e12b 100644 --- a/src/cms/contexts/handlers.py +++ b/src/cms/contexts/handlers.py @@ -6,7 +6,7 @@ class BaseContentHandler(object): template = "default_template.html" def __init__(self, path:str, - webpath:WebPath = None, + webpath:str = None, template_fname:str = None, **kwargs ): # pragma: no cover diff --git a/src/cms/contexts/views.py b/src/cms/contexts/views.py index 798c9bd3..f1af190c 100644 --- a/src/cms/contexts/views.py +++ b/src/cms/contexts/views.py @@ -37,6 +37,7 @@ app_settings.SITEMAP_WEBPATHS_PRIORITY) ROBOTS_SETTINGS = getattr(settings, 'ROBOTS_SETTINGS', app_settings.ROBOTS_SETTINGS) + def _get_site_from_host(request): requested_site = re.match(r'^[a-zA-Z0-9\.\-\_]*', request.get_host()).group() @@ -47,6 +48,20 @@ def _get_site_from_host(request): return website +def _access_level_redirect(request, webpath): + # access level + access_level = webpath.get_access_level() + if access_level == '0': + return False + elif not request.user.is_authenticated: + return f"//{settings.MAIN_DOMAIN}{settings.LOGIN_URL}?next={request.build_absolute_uri()}" + elif access_level == '2' or request.user.is_superuser: + return False + elif getattr(request.user, access_level, None): + return False + raise PermissionDenied + + @unicms_cache def cms_dispatch(request): 
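Review bot: In `_access_level_redirect` (views.py), the login redirect interpolates `request.build_absolute_uri()` into `?next=` without percent-encoding, so any `&` or `#` in the requested URL ends the `next` value early and the remainder is parsed as part of the login URL. Quote the value first, e.g. `next_url = quote(request.build_absolute_uri(), safe='')` with `from urllib.parse import quote`, then build `?next={next_url}`. The target host now also comes from the request's Host header rather than the stored `website.domain` used by the removed code, so this relies on `ALLOWED_HOSTS` being strict and on the login view validating `next`; neither is visible in this patch. Separately, `getattr(request.user, access_level, None)` treats the access-level string as an attribute name, which is only safe if `get_access_level()` returns a fixed set of values, so an explicit allowlist or a comment stating that would help. A short docstring naming the three outcomes (`False`, a redirect URL, or `PermissionDenied`) would also make the two call sites in `cms_dispatch` easier to read.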
@@ -63,6 +78,16 @@ def cms_dispatch(request): logger.debug(f'{_msg_head} - {cls}: {v} -> UNMATCH with {path}') continue + base_path = append_slash(match.get('webpath', '/')) + webpath = get_object_or_404(WebPath, + site=website, + fullpath=base_path, + is_active=True) + + redirect_url = _access_level_redirect(request, webpath) + if redirect_url: + return redirect(redirect_url) + query = match.groupdict() params = {'request': request, 'website': website, @@ -105,17 +130,12 @@ def cms_dispatch(request): # 'menus': page.get_menus() } - # access level - access_level = webpath.get_access_level() - if access_level == '0': - return render(request, page.base_template.template_file, context) - elif not request.user.is_authenticated: - return redirect(f"//{settings.MAIN_DOMAIN}{settings.LOGIN_URL}?next=//{website.domain}{webpath.get_full_path()}") - elif access_level == '2' or request.user.is_superuser: - return render(request, page.base_template.template_file, context) - elif getattr(request.user, access_level, None): - return render(request, page.base_template.template_file, context) - raise PermissionDenied + redirect_url = _access_level_redirect(request, webpath) + if redirect_url: + return redirect(redirect_url) + + return render(request, page.base_template.template_file, context) + @staff_member_required
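Review bot: In the first `cms_dispatch` hunk, `match.get('webpath', '/')` looks wrong if `match` is an `re.Match`, as the `match.groupdict()` context line right after the added block suggests. `re.Match` has no `.get`, so every handler-matched path would raise `AttributeError` before the new access check runs. Reading the group from the dict avoids that, e.g. `base_path = append_slash(match.groupdict().get('webpath') or '/')`; the `or '/'` also covers a named group that did not participate in the match and comes back as `None`. The loop that assigns `match` lies outside the hunk, so confirm its type there.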