def query(self, view_kwargs):
"""
query method for speakers list class
:param view_kwargs:
:return:
"""
query_ = self.session.query(Speaker)
query_ = event_query(query_, view_kwargs)
if view_kwargs.get('user_id'):
user = safe_query_kwargs(User, view_kwargs, 'user_id')
query_ = query_.join(User).filter(User.id == user.id)
if view_kwargs.get('session_id'):
session = safe_query_kwargs(Session, view_kwargs, 'session_id')
# session-speaker :: many-to-many relationship
query_ = Speaker.query.filter(Speaker.sessions.any(id=session.id))
if is_logged_in() and not has_access('is_coorganizer',
event_id=session.event_id):
if not has_access('is_session_self_submitted',
session_id=session.id):
query_ = query_.filter(Session.state == "approved"
or Session.state == "accepted")
return query_
def before_get(self, args, kwargs):
if is_logged_in() and has_access('is_admin'):
self.schema = VideoChannelSchema
else:
self.schema = VideoChannelSchemaPublic
if kwargs.get('video_stream_id'):
stream = safe_query_kwargs(VideoStream, kwargs, 'video_stream_id')
kwargs['id'] = stream.channel_id
def before_get(self, args, kwargs):
"""
method to assign proper schema based on admin access
:param args:
:param kwargs:
:return:
"""
if is_logged_in() and has_access('is_admin'):
self.schema = TaxSchema
else:
self.schema = TaxSchemaPublic
def before_get(self, args, kwargs):
"""
method for assigning schema based on admin access
:param args:
:param kwargs:
:return:
"""
if is_logged_in() and (has_access('is_admin')
or kwargs.get('user_id')):
self.schema = EventSchema
else:
self.schema = EventSchemaPublic
def event_query(
query_,
view_kwargs,
event_id='event_id',
event_identifier='event_identifier',
permission=None,
restrict=False,
):
"""
Queries the event according to 'event_id' and 'event_identifier' and joins for the query
For draft events, a 404 is raised
If the user is not logged in or does not have required permissions, 403 is raised
For a draft event, unless the user is organizer+ or has access to the passed permission,
404 will always be raised, regardless of restrict being True or not.
For a published event, if restrict is False, the query will allowed.
If restrict is True, then the passed permission or co-organizer access will be enforced.
If the permission passes, query will be allowed, otherwise, a 403 will be thrown
:param event_id: String representing event_id in the view_kwargs
:param event_identifier: String representing event_identifier in the view_kwargs
:param query_: Query object
:param view_kwargs: view_kwargs from the API
:param permission: the name of the permission to be applied as a string. Default: is_coorganizer
:return:
"""
permission = permission or 'is_coorganizer_endpoint_related_to_event'
event = None
if view_kwargs.get(event_id):
event = safe_query_kwargs(Event, view_kwargs, event_id)
elif view_kwargs.get(event_identifier):
event = safe_query_kwargs(Event, view_kwargs, event_identifier,
'identifier')
if event:
forbidden = not is_logged_in() or not has_access(permission,
event_id=event.id)
if event.state != 'published' and forbidden:
raise ObjectNotFound(
{'parameter': event_id},
f"Event: {event.id} not found",
)
if restrict and forbidden:
raise ForbiddenError(
{'parameter': event_id},
f"You don't have access to event {event.id}",
)
query_ = query_.join(Event).filter(Event.id == event.id)
return query_
def after_get_object(self, session, view_kwargs):
if not session:
return
is_speaker_or_admin = is_logged_in() and has_access(
'is_speaker_for_session', id=session.id)
if current_user:
speaker_invite = SpeakerInvite.query.filter_by(
email=current_user.email,
session_id=session.id,
status='pending').first()
if (session.state not in ['accepted', 'confirmed']
and not is_speaker_or_admin and not speaker_invite):
raise ObjectNotFound({'parameter': '{id}'}, "Session: not found")
def before_get(self, args, kwargs):
"""
method for assigning schema based on access
:param args:
:param kwargs:
:return:
"""
kwargs = get_id(kwargs)
if is_logged_in() and has_access('is_coorganizer',
event_id=kwargs['id']):
self.schema = EventSchema
else:
self.schema = EventSchemaPublic
def query(self, view_kwargs):
"""
query method for resource list
:param view_kwargs:
:return:
"""
if is_logged_in():
verify_jwt_in_request()
if current_user.is_super_admin or current_user.is_admin:
query_ = self.session.query(Ticket)
elif view_kwargs.get('event_id') and has_access(
'is_organizer', event_id=view_kwargs['event_id']):
query_ = self.session.query(Ticket)
else:
query_ = self.session.query(Ticket).filter_by(is_hidden=False)
else:
query_ = self.session.query(Ticket).filter_by(is_hidden=False)
if view_kwargs.get('ticket_tag_id'):
ticket_tag = safe_query_kwargs(TicketTag, view_kwargs,
'ticket_tag_id')
query_ = query_.join(ticket_tags_table).filter_by(
ticket_tag_id=ticket_tag.id)
query_ = event_query(query_, view_kwargs)
if view_kwargs.get('access_code_id'):
access_code = safe_query_kwargs(AccessCode, view_kwargs,
'access_code_id')
# access_code - ticket :: many-to-many relationship
query_ = Ticket.query.filter(
Ticket.access_codes.any(id=access_code.id))
if view_kwargs.get('discount_code_id'):
discount_code = safe_query_kwargs(
DiscountCode,
view_kwargs,
'discount_code_id',
)
# discount_code - ticket :: many-to-many relationship
query_ = Ticket.query.filter(
Ticket.discount_codes.any(id=discount_code.id))
if view_kwargs.get('order_identifier'):
order = safe_query_kwargs(Order, view_kwargs, 'order_identifier',
'identifier')
ticket_ids = []
for ticket in order.tickets:
ticket_ids.append(ticket.id)
query_ = query_.filter(Ticket.id.in_(tuple(ticket_ids)))
return query_
def query(self, view_kwargs):
query_ = UserFollowGroup.query
if view_kwargs.get('user_id') is not None:
user = safe_query_kwargs(User, view_kwargs, 'user_id')
if user != current_user or not is_logged_in():
raise ForbiddenError({'pointer': 'user_id'})
query_ = query_.filter_by(user_id=user.id)
elif view_kwargs.get('group_id') is not None:
group = safe_query_kwargs(Group, view_kwargs, 'group_id')
query_ = query_.filter_by(group_id=group.id)
return query_
def before_get(self, args, kwargs):
"""
before get method to get the resource id for fetching details
:param args:
:param kwargs:
:return:
"""
if 'id' in kwargs:
try:
tax = Tax.query.filter_by(id=kwargs['id']).one()
except NoResultFound:
raise ObjectNotFound({'parameter': 'id'},
f"Tax: Not found for id {id}")
if is_logged_in() and has_access('is_coorganizer',
event_id=tax.event_id):
self.schema = TaxSchema
else:
self.schema = TaxSchemaPublic
else:
if is_logged_in() and has_access('is_coorganizer',
event_id=kwargs['event_id']):
self.schema = TaxSchema
else:
self.schema = TaxSchemaPublic
def before_get(self, args, kwargs):
refresh = request.args.get('refresh')
if refresh == 'true':
refresh_settings()
kwargs['id'] = 1
if is_logged_in():
verify_jwt_in_request()
if current_user.is_admin or current_user.is_super_admin:
self.schema = SettingSchemaAdmin
else:
self.schema = SettingSchemaNonAdmin
else:
self.schema = SettingSchemaPublic
def get_event_query():
query_ = Event.query
if get_jwt_identity() is None or not current_user.is_staff:
# If user is not admin, we only show published events
query_ = query_.filter_by(state=Event.State.PUBLISHED)
if is_logged_in():
# For a specific user accessing the API, we show all
# events managed by them, even if they're not published
verify_jwt_in_request()
query2 = Event.query
query2 = (query2.join(Event.roles).filter_by(
user_id=current_user.id).join(UsersEventsRoles.role).filter(
or_(
Role.name == Role.COORGANIZER,
Role.name == Role.ORGANIZER,
Role.name == Role.OWNER,
)))
query_ = query_.union(query2)
return query_
def before_update_object(self, group, data, view_kwargs):
"""
before update object method of group details
:param group:
:param data:
:param view_kwargs:
:return:
"""
user = User.query.filter_by(id=current_user.id).one()
if not is_logged_in() or not is_owner_or_organizer(group, user):
raise ForbiddenError({'source': 'user_id'},
"Group owner or organizer access required")
for event in data.get('events', []):
if not has_access('is_owner', event_id=event):
raise ForbiddenError({'source': ''},
"Event owner access required")
if data.get('banner_url'):
start_image_resizing_tasks(group, data['banner_url'])
def before_post(self, args, kwargs, data):
"""
before post method to check for required relationship and proper permission
:param args:
:param kwargs:
:param data:
:return:
"""
require_relationship(['event'], data)
if is_logged_in():
verify_jwt_in_request()
else:
raise ForbiddenError(
{'source': ''}, 'Only Authorized Users can favourite an event'
)
data['user'] = current_user.id
user_favourite_event = find_user_favourite_event_by_id(event_id=data['event'])
if user_favourite_event:
raise ConflictError(
{'pointer': '/data/relationships/event'}, "Event already favourited"
)
def query(self, view_kwargs):
query_ = UserFavouriteSession.query
if view_kwargs.get('user_id'):
user = safe_query_kwargs(User, view_kwargs, 'user_id')
if user != current_user and not (
(is_logged_in() and has_access('is_admin'))
or user.is_profile_public):
raise ForbiddenError({'pointer': 'user_id'})
query_ = query_.filter_by(user_id=user.id)
elif view_kwargs.get('session_id'):
session = safe_query_kwargs(Session, view_kwargs, 'session_id')
query_ = query_.filter_by(session_id=session.id)
elif view_kwargs.get('event_id'):
event = safe_query_kwargs(Event, view_kwargs, 'event_id')
query_ = query_.join(
UserFavouriteSession.session).filter_by(event_id=event.id)
elif not has_access('is_admin'):
raise ForbiddenError({'pointer': 'user_id'},
'Admin Access Required')
return query_
def after_get_object(self, event, view_kwargs):
if event and event.state == "draft":
if not is_logged_in() or not has_access('is_coorganizer',
event_id=event.id):
raise ObjectNotFound({'parameter': '{id}'}, "Event: not found")
def after_get_object(self, session, view_kwargs):
is_speaker_or_admin = is_logged_in() and has_access(
'is_speaker_for_session', id=session.id
)
if session.state not in ['accepted', 'confirmed'] and not is_speaker_or_admin:
raise ObjectNotFound({'parameter': '{id}'}, "Session: not found")
def query(self, view_kwargs):
"""
query method for EventList class
:param view_kwargs:
:return:
"""
query_ = self.session.query(Event)
if get_jwt_identity() is None or not current_user.is_staff:
# If user is not admin, we only show published events
query_ = query_.filter_by(state='published')
if is_logged_in():
# For a specific user accessing the API, we show all
# events managed by them, even if they're not published
verify_jwt_in_request()
query2 = self.session.query(Event)
query2 = (query2.join(Event.roles).filter_by(
user_id=current_user.id).join(UsersEventsRoles.role).filter(
or_(
Role.name == COORGANIZER,
Role.name == ORGANIZER,
Role.name == OWNER,
)))
query_ = query_.union(query2)
if view_kwargs.get('user_id') and 'GET' in request.method:
if not has_access('is_user_itself',
user_id=int(view_kwargs['user_id'])):
raise ForbiddenError({'source': ''}, 'Access Forbidden')
user = safe_query_kwargs(User, view_kwargs, 'user_id')
query_ = (query_.join(Event.roles).filter_by(user_id=user.id).join(
UsersEventsRoles.role).filter(Role.name != ATTENDEE))
if view_kwargs.get('user_owner_id') and 'GET' in request.method:
if not has_access('is_user_itself',
user_id=int(view_kwargs['user_owner_id'])):
raise ForbiddenError({'source': ''}, 'Access Forbidden')
user = safe_query_kwargs(User, view_kwargs, 'user_owner_id')
query_ = (query_.join(Event.roles).filter_by(user_id=user.id).join(
UsersEventsRoles.role).filter(Role.name == OWNER))
if view_kwargs.get('user_organizer_id') and 'GET' in request.method:
if not has_access('is_user_itself',
user_id=int(view_kwargs['user_organizer_id'])):
raise ForbiddenError({'source': ''}, 'Access Forbidden')
user = safe_query_kwargs(User, view_kwargs, 'user_organizer_id')
query_ = (query_.join(Event.roles).filter_by(user_id=user.id).join(
UsersEventsRoles.role).filter(Role.name == ORGANIZER))
if view_kwargs.get('user_coorganizer_id') and 'GET' in request.method:
if not has_access('is_user_itself',
user_id=int(view_kwargs['user_coorganizer_id'])):
raise ForbiddenError({'source': ''}, 'Access Forbidden')
user = safe_query_kwargs(User, view_kwargs, 'user_coorganizer_id')
query_ = (query_.join(Event.roles).filter_by(user_id=user.id).join(
UsersEventsRoles.role).filter(Role.name == COORGANIZER))
if view_kwargs.get(
'user_track_organizer_id') and 'GET' in request.method:
if not has_access('is_user_itself',
user_id=int(
view_kwargs['user_track_organizer_id'])):
raise ForbiddenError({'source': ''}, 'Access Forbidden')
user = safe_query(
User,
'id',
view_kwargs['user_track_organizer_id'],
'user_organizer_id',
)
query_ = (query_.join(Event.roles).filter_by(user_id=user.id).join(
UsersEventsRoles.role).filter(Role.name == TRACK_ORGANIZER))
if view_kwargs.get('user_registrar_id') and 'GET' in request.method:
if not has_access('is_user_itself',
user_id=int(view_kwargs['user_registrar_id'])):
raise ForbiddenError({'source': ''}, 'Access Forbidden')
user = safe_query_kwargs(User, view_kwargs, 'user_registrar_id')
query_ = (query_.join(Event.roles).filter_by(user_id=user.id).join(
UsersEventsRoles.role).filter(Role.name == REGISTRAR))
if view_kwargs.get('user_moderator_id') and 'GET' in request.method:
if not has_access('is_user_itself',
user_id=int(view_kwargs['user_moderator_id'])):
raise ForbiddenError({'source': ''}, 'Access Forbidden')
user = safe_query_kwargs(User, view_kwargs, 'user_moderator_id')
query_ = (query_.join(Event.roles).filter_by(user_id=user.id).join(
UsersEventsRoles.role).filter(Role.name == MODERATOR))
if view_kwargs.get('user_marketer_id') and 'GET' in request.method:
if not has_access('is_user_itself',
user_id=int(view_kwargs['user_marketer_id'])):
raise ForbiddenError({'source': ''}, 'Access Forbidden')
user = safe_query_kwargs(User, view_kwargs, 'user_marketer_id')
query_ = (query_.join(Event.roles).filter_by(user_id=user.id).join(
UsersEventsRoles.role).filter(Role.name == MARKETER))
if view_kwargs.get('user_sales_admin_id') and 'GET' in request.method:
if not has_access('is_user_itself',
user_id=int(view_kwargs['user_sales_admin_id'])):
raise ForbiddenError({'source': ''}, 'Access Forbidden')
user = safe_query_kwargs(User, view_kwargs, 'user_sales_admin_id')
query_ = (query_.join(Event.roles).filter_by(user_id=user.id).join(
UsersEventsRoles.role).filter(Role.name == SALES_ADMIN))
if view_kwargs.get('event_type_id') and 'GET' in request.method:
query_ = self.session.query(Event).filter(
getattr(Event, 'event_type_id') ==
view_kwargs['event_type_id'])
if view_kwargs.get('event_topic_id') and 'GET' in request.method:
query_ = self.session.query(Event).filter(
getattr(Event, 'event_topic_id') ==
view_kwargs['event_topic_id'])
if view_kwargs.get('event_sub_topic_id') and 'GET' in request.method:
query_ = self.session.query(Event).filter(
getattr(Event, 'event_sub_topic_id') ==
view_kwargs['event_sub_topic_id'])
if view_kwargs.get('discount_code_id') and 'GET' in request.method:
event_id = get_id(view_kwargs)['id']
if not has_access('is_coorganizer', event_id=event_id):
raise ForbiddenError({'source': ''},
'Coorganizer access is required')
query_ = self.session.query(Event).filter(
getattr(Event, 'discount_code_id') ==
view_kwargs['discount_code_id'])
return query_
def before_get(self, args, kwargs):
if is_logged_in() and has_access('is_admin'):
self.schema = VideoChannelSchema
else:
self.schema = VideoChannelSchemaPublic
