From 2b3db4b383cc644d652a8e57302b41ed76d0fa58 Mon Sep 17 00:00:00 2001
From: Andrew Williams
Date: Sat, 9 Jul 2011 11:05:59 +0100
Subject: [PATCH] Various fixes and changes, security problems fixed, bugs resolved.
* Application status is now policed through APPLICATION_STATUS_ROUTES.
* Blacklisted application cannot be accepted.
* Blacklists are checked case insensitively.
* The template now shows blacklist advisories
* Applications are no longer flagged as Blacklisted unless they have a blacklist entry
---
 app/hr/app_defines.py | 11 +++++++++++
 app/hr/models.py | 23 +++++++++++-----------
 app/hr/templates/hr/applications/view.html | 2 +-
 app/hr/utils.py | 8 ++++----
 app/hr/views.py | 11 +++++++++--
 5 files changed, 37 insertions(+), 18 deletions(-)
diff --git a/app/hr/app_defines.py b/app/hr/app_defines.py
index df47cc8..1a64657 100644
--- a/app/hr/app_defines.py
+++ b/app/hr/app_defines.py
@@ -22,6 +22,17 @@ APPLICATION_STATUS_CHOICES = (
 (APPLICATION_STATUS_FLAGGED, 'Flagged For Review'),
 )
+# Routes that are allowed (Accept/Reject are managed seperately)
+APPLICATION_STATUS_ROUTES = {
+ APPLICATION_STATUS_NOTSUBMITTED: [APPLICATION_STATUS_AWAITINGREVIEW],
+ APPLICATION_STATUS_AWAITINGREVIEW: [APPLICATION_STATUS_NOTSUBMITTED, APPLICATION_STATUS_QUERY, APPLICATION_STATUS_FLAGGED],
+ APPLICATION_STATUS_REJECTED: [],
+ APPLICATION_STATUS_ACCEPTED: [APPLICATION_STATUS_COMPLETED],
+ APPLICATION_STATUS_QUERY: [],
+ APPLICATION_STATUS_COMPLETED: [],
+ APPLICATION_STATUS_FLAGGED: [],
+}
+
 # Audit Event Type Codes
 AUDIT_EVENT_STATUSCHANGE = 0
 AUDIT_EVENT_NOTE = 1
diff --git a/app/hr/models.py b/app/hr/models.py
index d1d5d9c..a7f507a 100644
--- a/app/hr/models.py
+++ b/app/hr/models.py
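Review bot: In this table QUERY and FLAGGED have no outgoing routes, so once update_application moves an application into either status that view can never return it to AWAITINGREVIEW; presumably accept and reject become the only ways out. If that is intended, say so on the comment line, e.g. `# Routes that are allowed (Accept/Reject are managed separately; QUERY and FLAGGED are terminal for update_application)`; if not, add `APPLICATION_STATUS_AWAITINGREVIEW` to both lists. The comment also misspells "separately".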
@@ -21,21 +21,26 @@ class Application(models.Model):
 help_text="Current status of this application request.")
 application_date = models.DateTimeField(auto_now_add=True, verbose_name="Created Date")
+ c = 0
+
 @models.permalink
 def get_absolute_url(self):
 return ('hr.views.view_application', [self.id])
 @property
 def blacklisted(self):
- from hr.utils import blacklist_values
- if len(self.blacklist_values) > 0:
- return True
- return False
+ if not hasattr(self, '_blflag'):
+ if len([x for x in self.blacklist_values if x.level == BLACKLIST_LEVEL_BLACKLIST]) > 0:
+ self._blflag = True
+ self._blflag = False
+ return self._blflag
 @property
 def blacklist_values(self):
- from hr.utils import blacklist_values
- return blacklist_values(self.user)
+ if not hasattr(self, '_blcache'):
+ from hr.utils import blacklist_values
+ self._blcache = blacklist_values(self.user)
+ return self._blcache
 @property
 def last_action(self):
@@ -51,11 +56,7 @@ class Application(models.Model):
 def save(self, *args, **kwargs):
- user = None
- if 'user' in kwargs:
- user = kwargs['user']
- del kwargs['user']
-
+ user = kwargs.pop('user', None)
 try:
 old_instance = Application.objects.get(id=self.id)
 if not (old_instance.status == int(self.status)):
diff --git a/app/hr/templates/hr/applications/view.html b/app/hr/templates/hr/applications/view.html
index 952b465..3d2f3fe 100644
--- a/app/hr/templates/hr/applications/view.html
+++ b/app/hr/templates/hr/applications/view.html
@@ -67,7 +67,7 @@
 {% endif %}
 {% if hrstaff %}
-{% if app.blacklisted %}
+{% if app.blacklist_values %}
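Review bot: `blacklisted` always returns False, because the line `self._blflag = False` that follows `self._blflag = True` is not in an `else` and runs unconditionally inside the `hasattr` guard, so the new `if app.blacklisted:` gate added to accept_application in views.py never blocks anything. Replace the inner `if`/`True`/`False` lines with `self._blflag = any(x.level == BLACKLIST_LEVEL_BLACKLIST for x in self.blacklist_values)`. The class attribute `c = 0` added just above looks like a leftover; nothing in the patch references it. `BLACKLIST_LEVEL_BLACKLIST` is not imported anywhere in the hunk, so confirm it is already in scope in models.py. The class body begins and ends outside the hunk.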

Blacklist Triggers

diff --git a/app/hr/utils.py b/app/hr/utils.py
index 41d8c51..3607f01 100644
--- a/app/hr/utils.py
+++ b/app/hr/utils.py
@@ -40,21 +40,21 @@ def blacklist_values(user):
 blacklist.extend(bl_items.filter(type=BLACKLIST_TYPE_AUTH, value=user.username.lower()))
 # Check EVE Related blacklists
- evechars = EVEPlayerCharacter.objects.filter(eveaccount__user=user).select_related('corporation__alliance')
+ evechars = EVEPlayerCharacter.objects.filter(eveaccount__user=user).select_related('corporation', 'corporation__alliance')
 # Check Character blacklists
 characters = evechars.values_list('name', flat=True)
- objs = bl_items.filter(type=BLACKLIST_TYPE_CHARACTER, value__in=characters)
+ objs = bl_items.filter(type=BLACKLIST_TYPE_CHARACTER, value__iregex=r'(' + '|'.join(characters) + ')')
 blacklist.extend(objs)
 # Check Corporation blacklists
 corporations = evechars.values_list('corporation__name', flat=True)
- objs = bl_items.filter(type=BLACKLIST_TYPE_CORPORATION, value__in=corporations)
+ objs = bl_items.filter(type=BLACKLIST_TYPE_CORPORATION, value__iregex=r'(' + '|'.join(corporations) + ')')
 blacklist.extend(objs)
 # Check Alliance blacklists
 alliances = evechars.values_list('corporation__alliance__name', flat=True)
- objs = bl_items.filter(type=BLACKLIST_TYPE_ALLIANCE, value__in=alliances)
+ objs = bl_items.filter(type=BLACKLIST_TYPE_ALLIANCE, value__iregex=r'(' + '|'.join([x for x in alliances if x]) + ')')
 blacklist.extend(objs)
 # Check API Key blacklists
diff --git a/app/hr/views.py b/app/hr/views.py
index 570992f..7c5646b 100644
--- a/app/hr/views.py
+++ b/app/hr/views.py
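Review bot: The pattern built on the three `value__iregex` lines is assembled from raw character, corporation and alliance names with no `re.escape` and no anchors, so a name containing `.`, `(` or `[` widens the match or makes the database reject the expression, and any blacklist value that merely contains a name somewhere is returned as a hit. When the list is empty (a user with no characters, or whose alliances are all None) the pattern collapses to `()`, which matches every row of that type, so such a user is flagged against the whole blacklist. The auth check on the first context line compares against `user.username.lower()`, which suggests values are stored lower-cased; if so the case-insensitive comparison can stay an exact `__in` match, `objs = bl_items.filter(type=BLACKLIST_TYPE_CHARACTER, value__in=[c.lower() for c in characters])`, with the same change on the corporation and alliance lines. If a regex is really needed, escape each name and anchor the alternation, `'^(' + '|'.join(re.escape(x) for x in names) + ')$'` (importing `re`), and skip the query when the list is empty. blacklist_values continues outside the hunk on both sides.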
@@ -187,12 +187,14 @@ def update_application(request, applicationid, status):
 app = get_object_or_404(Application, id=applicationid)
- if not app.status in [APPLICATION_STATUS_REJECTED, APPLICATION_STATUS_COMPLETED]:
+ if int(status) in APPLICATION_STATUS_ROUTES[app.status]:
 perm = check_permissions(request.user, app)
 if perm == HR_ADMIN or (perm == HR_VIEWONLY and int(status) <= 1):
 if not app.status == status:
 app.status = status
 app.save(user=request.user)
+ else:
+ messages.add_message(request, messages.ERROR, "Invalid status change request")
 return HttpResponseRedirect(reverse('hr.views.view_application', args=[applicationid]))
 @login_required
@@ -270,6 +272,11 @@ def accept_application(request, applicationid):
 if check_permissions(request.user) == HR_ADMIN and request.user.has_perm('hr.can_accept'):
 app = Application.objects.get(id=applicationid)
+
+ if app.blacklisted:
+ messages.add_message(request, messages.INFO, "This application has one or more blacklist entries and cannot be accepted.")
+ return HttpResponseRedirect(reverse('hr.views.view_application', args=[applicationid]))
+
 if request.method == 'POST':
 if check_permissions(request.user, app) == HR_ADMIN:
 obj = Audit(application=app, user=request.user, event=AUDIT_EVENT_ACCEPTED)
@@ -279,7 +286,7 @@ def accept_application(request, applicationid):
 obj.application.status = APPLICATION_STATUS_ACCEPTED
 obj.application.save(user=request.user)
 send_message(obj.application, 'accepted', note=obj.text)
- return HttpResponseRedirect(reverse('hr.views.view_application', args=[applicationid]))
+ return HttpResponseRedirect(reverse('hr.views.view_application', args=[applicationid]))
 form = AdminNoteForm(application=app)
 return render_to_response('hr/applications/accept.html', locals(), context_instance=RequestContext(request))
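Review bot: `int(status)` on the new route check converts the URL value only for the lookup; the context lines below still compare the raw string with the integer `app.status` (`if not app.status == status` is then always true) and assign the string to the model. Convert once and use the converted value for the comparison and the assignment, and look the route up with `.get` so an application whose status is missing from `APPLICATION_STATUS_ROUTES` gets the error message rather than a KeyError. If the URL pattern does not restrict `status` to digits, `int(status)` also raises ValueError on a non-numeric value, and handling that with the same message avoids a 500. The `else` that posts the message is assumed to pair with the route check, since indentation is not recoverable here. update_application begins before this hunk.
```python
    app = get_object_or_404(Application, id=applicationid)
    try:
        new_status = int(status)
    except ValueError:
        new_status = None  # not a valid status code; falls through to the error message
    if new_status in APPLICATION_STATUS_ROUTES.get(app.status, []):
        perm = check_permissions(request.user, app)
        if perm == HR_ADMIN or (perm == HR_VIEWONLY and new_status <= 1):
            if app.status != new_status:
                app.status = new_status
                app.save(user=request.user)
    else:
        messages.add_message(request, messages.ERROR, "Invalid status change request")
    # … unchanged: redirect to view_application …
```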
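Review bot: The new guard in accept_application blocks only when `app.blacklisted` is true, which the models.py change in this commit limits to `BLACKLIST_LEVEL_BLACKLIST` entries, yet the message tells the admin the application "has one or more blacklist entries"; either word it as `"This application has an active blacklist entry and cannot be accepted."` or gate on `app.blacklist_values` if every level is meant to block. The refusal is posted with `messages.INFO`; `messages.WARNING` or `messages.ERROR` is the usual level for a refused action. accept_application's body continues outside the hunk on both sides.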
Blacklist TypeBlacklisted ValueLevelReasonSource