From 2c803fa889523cd9101197d8ce6a8fdc52da711f Mon Sep 17 00:00:00 2001
From: Charles Connell <charles@connells.org>
Date: Wed, 30 Apr 2014 12:22:47 -0400
Subject: [PATCH] Require authentication to set keywords, fixes #365

---
 karmaworld/apps/notes/views.py              |  5 ++++-
 karmaworld/apps/quizzes/views.py            |  4 ++++
 karmaworld/assets/js/note-detail.js         |  8 ++++----
 karmaworld/templates/notes/note_detail.html | 11 ++++++++---
 4 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/karmaworld/apps/notes/views.py b/karmaworld/apps/notes/views.py
index d1db236..97e8843 100644
--- a/karmaworld/apps/notes/views.py
+++ b/karmaworld/apps/notes/views.py
@@ -16,7 +16,7 @@ from karmaworld.apps.quizzes.models import Keyword
 from karmaworld.apps.users.models import NoteKarmaEvent
 from karmaworld.utils.ajax_utils import *
 
-from django.http import HttpResponse, HttpResponseBadRequest
+from django.http import HttpResponse, HttpResponseBadRequest, HttpResponseForbidden
 from django.views.generic import DetailView, ListView
 from django.views.generic import FormView
 from django.views.generic import View
@@ -164,6 +164,9 @@ class NoteKeywordsView(FormView, SingleObjectMixin):
 
     def post(self, request, *args, **kwargs):
         self.object = self.get_object()
+        if not self.request.user.is_authenticated():
+            raise ValidationError("Only authenticated users may set keywords.")
+
         formset = self.form_class(request.POST)
         if formset.is_valid():
             self.keyword_form_valid(formset)
diff --git a/karmaworld/apps/quizzes/views.py b/karmaworld/apps/quizzes/views.py
index 0379a07..62b0b39 100644
--- a/karmaworld/apps/quizzes/views.py
+++ b/karmaworld/apps/quizzes/views.py
@@ -150,6 +150,10 @@ def process_set_delete_keyword(request):
     definition = annotator_data['text']
     ranges = json.dumps(annotator_data['ranges'])
 
+    if not request.user.is_authenticated():
+        return HttpResponseForbidden(json.dumps({'status': 'fail', 'message': "Only authenticated users may set keywords"}),
+                                     mimetype="application/json")
+
     try:
         if request.method in ('POST', 'PUT'):
             set_keyword(annotation_uri, keyword, definition, ranges)
diff --git a/karmaworld/assets/js/note-detail.js b/karmaworld/assets/js/note-detail.js
index 4fa08b7..81f2b96 100644
--- a/karmaworld/assets/js/note-detail.js
+++ b/karmaworld/assets/js/note-detail.js
@@ -55,8 +55,8 @@ function writeNoteFrame(contents) {
   dstDoc.close();
 }
 
-function setupAnnotator(noteElement) {
-  noteElement.annotator();
+function setupAnnotator(noteElement, readOnly) {
+  noteElement.annotator({readOnly: readOnly});
   noteElement.annotator('addPlugin', 'Store', {
     prefix: '/ajax/annotations',
     loadFromSearch: {
@@ -218,7 +218,7 @@ function initNoteContentPage() {
   if ($('#note-markdown').length > 0) {
     var note_markdown = $('#note-markdown');
     note_markdown.html(marked(note_markdown.data('markdown')));
-    setupAnnotator(note_markdown);
+    setupAnnotator(note_markdown, !user_authenticated);
   } else {
     $.ajax(note_contents_url, {
       type: 'GET',
@@ -247,7 +247,7 @@ function initNoteContentPage() {
                   if ($('#page-container').length > 0) { \
                     document_selector = $('#page-container'); \
                   } \
-                  document_selector.annotator(); \
+                  document_selector.annotator({readOnly: " + !user_authenticated + "}); \
                   document_selector.annotator('addPlugin', 'Store', { \
                     prefix: '/ajax/annotations', \
                     loadFromSearch: { \
diff --git a/karmaworld/templates/notes/note_detail.html b/karmaworld/templates/notes/note_detail.html
index 186a631..0cb7f8a 100644
--- a/karmaworld/templates/notes/note_detail.html
+++ b/karmaworld/templates/notes/note_detail.html
@@ -27,6 +27,7 @@
     var annotator_css_url = "{{ STATIC_URL }}css/annotator.min.css";
     var setup_ajax_url = "{{ STATIC_URL }}js/setup-ajax.js";
     var note_edit_url = "{% url 'edit_note' note.id %}";
+    var user_authenticated = {% if user.is_authenticated %}true{% else %}false{% endif %};
   </script>
   {% compress js %}
     <script src="{{ STATIC_URL }}js/setup-ajax.js"></script>
@@ -280,9 +281,13 @@
           <div id="keywords" class="content">
             <div class="row">
               <div class="small-12 columns">
-                <p id="keyword-intro">These key terms and definitions have been defined by KarmaNotes users.
-                You can edit them for accuracy and add more if you like.</p>
-                <p><button id="edit-keywords-button" class="museo700"><i class="fa fa-edit"></i> Edit Key Terms & Definitions</button></p>
+                {% if user.is_authenticated %}
+                  <p id="keyword-intro">These key terms and definitions have been defined by KarmaNotes users.
+                  You can edit them for accuracy and add more if you like.</p>
+                  <p><button id="edit-keywords-button" class="museo700"><i class="fa fa-edit"></i> Edit Key Terms & Definitions</button></p>
+                {% else %}
+                  <p id="keyword-intro">These key terms and definitions have been defined by KarmaNotes users.</p>
+                {% endif %}
                 <table id="keywords-data-table">
                   <thead>
                     <tr>
-- 
2.25.1