def test_RemoveUserFromWorkgroup(self):
     """Removing a user from a workgroup must revoke their manager permission."""
     group = models.Workgroup.objects.create(name="Test WG 1")
     user_model = get_user_model()
     member = user_model.objects.create_user('*****@*****.**','editor1')
     group.managers.add(member)

     # Re-read the user so the permission helpers see the state stored in the DB
     # rather than anything cached on the instance.
     member = user_model.objects.get(pk=member.pk)
     self.assertTrue(perms.user_in_workgroup(member,group))
     self.assertTrue(perms.user_is_workgroup_manager(member,group))

     group.removeUser(member)

     # Same refresh again after the removal.
     member = user_model.objects.get(pk=member.pk)
     # NOTE(review): only the manager check is asserted after removeUser();
     # user_in_workgroup is not re-checked, so lingering plain membership
     # would not be caught by this test.
     self.assertFalse(perms.user_is_workgroup_manager(member,group))
 def test_RemoveUserFromWorkgroup(self):
     """Check that ``removeUser`` takes away a former manager's permission."""
     workgroup = models.Workgroup.objects.create(name="Test WG 1")
     editor = User.objects.create_user('editor1','','editor1')
     workgroup.managers.add(editor)

     # Reload from the database: permission state may be cached on the instance.
     editor = User.objects.get(pk=editor.pk)
     is_member = perms.user_in_workgroup(editor,workgroup)
     self.assertTrue(is_member)
     is_manager = perms.user_is_workgroup_manager(editor,workgroup)
     self.assertTrue(is_manager)

     workgroup.removeUser(editor)

     # Reload once more so the post-removal state is what gets checked.
     editor = User.objects.get(pk=editor.pk)
     # NOTE(review): membership (user_in_workgroup) is not asserted after the
     # removal, only the manager role - consider covering both.
     still_manager = perms.user_is_workgroup_manager(editor,workgroup)
     self.assertFalse(still_manager)
def add_members(request, iid):
    """Show and process the "add members" form for workgroup ``iid``.

    Only a manager of the workgroup may use this view; everyone else gets
    ``PermissionDenied``. A valid POST grants every selected role to every
    selected user and redirects to the member list; otherwise the form is
    rendered (pre-filled from the ``role`` query parameter on GET).
    """
    workgroup = get_object_or_404(MDR.Workgroup, pk=iid)
    may_manage = workgroup and user_is_workgroup_manager(request.user, workgroup)
    if not may_manage:
        raise PermissionDenied

    if request.method != 'POST':
        # Unbound form, roles preselected from the query string.
        form = MDRForms.workgroups.AddMembers(
            initial={'roles': request.GET.getlist('role')})
    else:
        # Bound form: only cleaned_data is used below, never raw POST values.
        form = MDRForms.workgroups.AddMembers(request.POST)
        if form.is_valid():
            chosen_users = form.cleaned_data['users']
            chosen_roles = form.cleaned_data['roles']
            for member in chosen_users:
                for granted_role in chosen_roles:
                    workgroup.giveRoleToUser(granted_role, member)
            members_url = reverse("aristotle:workgroupMembers", args=[workgroup.pk])
            return HttpResponseRedirect(members_url)

    # NOTE(review): "role" is echoed from the query string into the template
    # context; it relies on the template escaping it - confirm it is never
    # marked safe there.
    template_context = {
        "item": workgroup,
        "form": form,
        "role": request.GET.get('role')
    }
    return render(request, "aristotle_mdr/actions/addWorkgroupMember.html",
                  template_context)
def add_members(request, iid):
    """Let a workgroup manager grant roles to users in workgroup ``iid``.

    Raises ``PermissionDenied`` unless ``request.user`` manages the workgroup.
    On a valid POST each chosen role is given to each chosen user and the
    response redirects to the member list; in every other case the form page
    is rendered.
    """
    workgroup = get_object_or_404(MDR.Workgroup, pk=iid)
    if not (workgroup and user_is_workgroup_manager(request.user, workgroup)):
        raise PermissionDenied

    submitted = request.method == 'POST'
    if submitted:
        form = MDRForms.workgroups.AddMembers(request.POST)
        if form.is_valid():
            # Work from validated form data only.
            cleaned = form.cleaned_data
            new_members = cleaned['users']
            new_roles = cleaned['roles']
            for person in new_members:
                for role_name in new_roles:
                    workgroup.giveRoleToUser(role_name, person)
            return HttpResponseRedirect(reverse("aristotle:workgroupMembers", args=[workgroup.pk]))
    else:
        preselected = {'roles': request.GET.getlist('role')}
        form = MDRForms.workgroups.AddMembers(initial=preselected)

    # NOTE(review): the raw "role" query value reaches the template context;
    # safe only as long as the template keeps auto-escaping for it.
    page_context = {
        "item": workgroup,
        "form": form,
        "role": request.GET.get('role')
    }
    return render(request, "aristotle_mdr/actions/addWorkgroupMember.html", page_context)
def items(request, iid):
    """Paginated list of the items that belong to workgroup ``iid``.

    Only members of the workgroup may see the list; others get
    ``PermissionDenied``.
    """
    group = get_object_or_404(MDR.Workgroup, pk=iid)
    is_member = user_in_workgroup(request.user, group)
    if not is_member:
        raise PermissionDenied

    concepts = MDR._concept.objects.filter(workgroup=iid).select_subclasses()
    page_context = {
        "item": group,
        "workgroup": group,
        # Lets the template decide whether to show manager-only controls.
        "user_is_admin": user_is_workgroup_manager(request.user, group),
    }
    return paginated_list(request, concepts, "aristotle_mdr/workgroupItems.html", page_context)
def workgroupItems(request, iid):
    """Render every item of workgroup ``iid`` for a member of that workgroup.

    Non-members get ``PermissionDenied``.
    """
    group = get_object_or_404(MDR.Workgroup, pk=iid)
    if not user_in_workgroup(request.user, group):
        raise PermissionDenied

    template_context = {
        "item": group,
        "workgroup": group,
        # Template flag for manager-only controls.
        "user_is_admin": user_is_workgroup_manager(request.user, group),
        "items": MDR._concept.objects.filter(workgroup=iid).select_subclasses(),
    }
    return render(request, "aristotle_mdr/workgroupItems.html", template_context)
def workgroup(request, iid):
    """Render the home page of workgroup ``iid`` with its ten latest items.

    Non-members get ``PermissionDenied``.
    """
    group = get_object_or_404(MDR.Workgroup, pk=iid)
    if not user_in_workgroup(request.user, group):
        raise PermissionDenied

    manager_flag = user_is_workgroup_manager(request.user, group)
    # Most recently modified items first, capped at ten.
    latest = MDR._concept.objects.filter(workgroup=iid).select_subclasses().order_by('-modified')[:10]
    template_context = {
        "item": group,
        "workgroup": group,
        "user_is_admin": manager_flag,
        "recent": latest,
    }
    # NOTE(review): the template path is read from the workgroup instance;
    # confirm that attribute cannot be set by users.
    return render(request, group.template, template_context)
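 def get_context_data(self, **kwargs):
     """Extend the parent context with the workgroup and the viewer's manager flag.

     Adds ``item`` and ``workgroup`` (both the object returned by
     ``get_object()``) and ``user_is_admin``, the result of
     ``user_is_workgroup_manager`` for the requesting user.
     """
     # Get context from super-classes first, because they may set a value for workgroup
     context = super().get_context_data(**kwargs)
     # Resolve the object once: the three context values are then guaranteed to
     # refer to the same instance, and get_object() (not visible here, it may
     # hit the database) is not repeated.
     workgroup = self.get_object()
     context.update({
         'item': workgroup,
         'workgroup': workgroup,
         'user_is_admin': user_is_workgroup_manager(self.request.user, workgroup),
     })
     return context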
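 def get_context_data(self, **kwargs):
     """Return the template context for a workgroup page.

     On top of what the super-classes provide, the context carries the
     workgroup under ``item`` and ``workgroup`` and a ``user_is_admin`` flag
     computed with ``user_is_workgroup_manager`` for ``self.request.user``.
     """
     # Super-classes go first because they may set a value for workgroup.
     context = super().get_context_data(**kwargs)
     # One get_object() call instead of three, so the permission flag is
     # computed for exactly the object that is rendered.
     current_workgroup = self.get_object()
     is_manager = user_is_workgroup_manager(self.request.user, current_workgroup)
     context.update({
         'item': current_workgroup,
         'workgroup': current_workgroup,
         'user_is_admin': is_manager,
     })
     return context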
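def remove_role(request, iid, role, userid):
    """Remove ``role`` from user ``userid`` in workgroup ``iid``, then redirect.

    Only a manager of the workgroup may do this; anyone else gets
    ``PermissionDenied``. The removal is best-effort: an unknown ``userid`` or
    a failure inside ``removeRoleFromUser`` is logged and the request still
    redirects to the member list.
    """
    import logging

    workgroup = get_object_or_404(MDR.Workgroup, pk=iid)
    if not (workgroup and user_is_workgroup_manager(request.user, workgroup)):
        raise PermissionDenied
    # NOTE(review): request.method is never checked, so this membership change
    # appears reachable with a plain GET - confirm the route is only used
    # through a CSRF-protected POST.
    try:
        user = User.objects.get(id=userid)
        workgroup.removeRoleFromUser(role, user)
    except Exception:
        # Catch Exception rather than everything so SystemExit and
        # KeyboardInterrupt still propagate, and leave a trace of the failure
        # instead of dropping it silently. %r keeps URL-supplied values from
        # breaking up the log line.
        logging.getLogger(__name__).warning(
            "Could not remove role %r from user %r in workgroup %r",
            role, userid, workgroup.pk, exc_info=True,
        )
    return HttpResponseRedirect(reverse("aristotle:workgroupMembers", args=[workgroup.pk]))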
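def workgroup(request, iid, name_slug):
    """Render the home page of workgroup ``iid`` for one of its members.

    Non-members get ``PermissionDenied``. Members who arrive with a slug that
    is not a prefix of the slugified workgroup name are redirected to the
    workgroup's canonical URL. The page lists the five most recently modified
    items.
    """
    wg = get_object_or_404(MDR.Workgroup, pk=iid)
    # Authorise before the slug redirect: redirecting first would hand the
    # canonical URL (presumably containing the name slug) to users who are
    # not allowed to see the workgroup.
    if not user_in_workgroup(request.user, wg):
        raise PermissionDenied
    # Prefix match, so a shortened (or empty) slug is accepted as well.
    if not slugify(wg.name).startswith(str(name_slug)):
        return redirect(wg.get_absolute_url())
    renderDict = {"item": wg, "workgroup": wg, "user_is_admin": user_is_workgroup_manager(request.user, wg)}
    renderDict['recent'] = MDR._concept.objects.filter(workgroup=iid).select_subclasses().order_by('-modified')[:5]
    # NOTE(review): the template path comes from the workgroup instance;
    # confirm it cannot be set by users.
    page = render(request, wg.template, renderDict)
    return page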
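def members(request, iid):
    """Render the member list of workgroup ``iid`` for one of its members.

    Non-members get ``PermissionDenied``.
    """
    wg = get_object_or_404(MDR.Workgroup, pk=iid)
    # Authorise first: nothing else is computed for a request that is going
    # to be refused.
    if not user_in_workgroup(request.user, wg):
        raise PermissionDenied
    renderDict = {
        "item": wg,
        "workgroup": wg,
        # Template flag for manager-only controls.
        "user_is_admin": user_is_workgroup_manager(request.user, wg)
    }
    return render(request, "aristotle_mdr/workgroupMembers.html", renderDict)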
def archive(request, iid):
    """Toggle the archived flag of workgroup ``iid`` (managers only).

    Raises ``PermissionDenied`` for anyone who does not manage the workgroup.
    A POST flips ``archived``, saves and redirects to the workgroup; any
    other method renders the confirmation page without changing anything.
    """
    workgroup = get_object_or_404(MDR.Workgroup, pk=iid)
    may_manage = workgroup and user_is_workgroup_manager(request.user, workgroup)
    if not may_manage:
        raise PermissionDenied

    if request.method != 'POST':
        # Confirmation page only; the state change needs a POST.
        return render(request, "aristotle_mdr/actions/archive_workgroup.html", {"item": workgroup})

    workgroup.archived = not workgroup.archived
    workgroup.save()
    return HttpResponseRedirect(workgroup.get_absolute_url())
def archive(request, iid):
    """Archive or un-archive workgroup ``iid``; restricted to its managers.

    Non-managers get ``PermissionDenied``. The flag is only flipped on POST;
    other methods just show the confirmation template.
    """
    workgroup = get_object_or_404(MDR.Workgroup, pk=iid)
    if not (workgroup and user_is_workgroup_manager(request.user, workgroup)):
        raise PermissionDenied

    confirmed = request.method == 'POST'
    if confirmed:
        currently_archived = workgroup.archived
        workgroup.archived = not currently_archived
        workgroup.save()
        target = workgroup.get_absolute_url()
        return HttpResponseRedirect(target)

    # Not a POST: nothing is modified, only the confirmation page is shown.
    confirmation_context = {"item": workgroup}
    return render(request, "aristotle_mdr/actions/archive_workgroup.html",
                  confirmation_context)
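def remove_role(request, iid, role, userid):
    """Take ``role`` away from user ``userid`` in workgroup ``iid`` and redirect.

    Requires that ``request.user`` manages the workgroup, otherwise
    ``PermissionDenied`` is raised. Failures while looking up the user or
    removing the role are logged and do not stop the redirect to the member
    list.
    """
    import logging

    workgroup = get_object_or_404(MDR.Workgroup, pk=iid)
    if not (workgroup and user_is_workgroup_manager(request.user, workgroup)):
        raise PermissionDenied
    # NOTE(review): no request.method check is visible, so the role removal
    # seems to run on GET as well - verify that callers reach it only via a
    # CSRF-protected POST.
    try:
        user = User.objects.get(id=userid)
        workgroup.removeRoleFromUser(role, user)
    except Exception:
        # Still best-effort, but SystemExit/KeyboardInterrupt are no longer
        # swallowed and the failure is recorded. %r quotes the URL-supplied
        # values in the log line.
        logging.getLogger(__name__).warning(
            "Could not remove role %r from user %r in workgroup %r",
            role, userid, workgroup.pk, exc_info=True,
        )
    return HttpResponseRedirect(
        reverse("aristotle:workgroupMembers", args=[workgroup.pk]))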
def items(request, iid):
    """Show a paginated list of the items in workgroup ``iid`` to its members.

    Anyone who is not in the workgroup gets ``PermissionDenied``.
    """
    workgroup = get_object_or_404(MDR.Workgroup, pk=iid)
    if not user_in_workgroup(request.user, workgroup):
        raise PermissionDenied

    workgroup_items = MDR._concept.objects.filter(workgroup=iid).select_subclasses()
    # Flag consumed by the template to show manager-only controls.
    viewer_is_manager = user_is_workgroup_manager(request.user, workgroup)
    template_context = {
        "item": workgroup,
        "workgroup": workgroup,
        "user_is_admin": viewer_is_manager,
    }
    return paginated_list(
        request,
        workgroup_items,
        "aristotle_mdr/workgroupItems.html",
        template_context,
    )
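def removeWorkgroupRole(request,iid,rolename,userid):
    """Remove ``rolename`` from user ``userid`` in workgroup ``iid``, then redirect.

    Anonymous visitors are sent to the login page, other non-managers get
    ``PermissionDenied``. The removal itself is best-effort: failures are
    logged and the request still redirects to the member list.
    """
    import logging

    workgroup = get_object_or_404(MDR.Workgroup,pk=iid)
    if not (workgroup and user_is_workgroup_manager(request.user,workgroup)):
        if request.user.is_anonymous():
            # NOTE(review): request.path is interpolated into the query string
            # without URL-encoding; encode it so characters such as "&" or "#"
            # in the path cannot alter the ``next`` parameter.
            return redirect('/accounts/login?next=%s' % request.path)
        else:
            raise PermissionDenied
    # NOTE(review): request.method is not checked, so this state change
    # appears reachable via GET - confirm it is only triggered through a
    # CSRF-protected POST.
    try:
        user = User.objects.get(id=userid)
        workgroup.removeRoleFromUser(rolename,user)
    except Exception:
        # Catch Exception instead of everything so SystemExit and
        # KeyboardInterrupt propagate, and record why the removal failed.
        logging.getLogger(__name__).warning(
            "Could not remove role %r from user %r in workgroup %r",
            rolename, userid, workgroup.id, exc_info=True,
        )
    return HttpResponseRedirect('/workgroup/%s/members'%(workgroup.id))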
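def workgroup(request, iid, name_slug):
    """Show the home page of workgroup ``iid`` to a member of that workgroup.

    ``PermissionDenied`` is raised for non-members. A member whose
    ``name_slug`` is not a prefix of the slugified workgroup name is
    redirected to the canonical URL. The context includes the five most
    recently modified items.
    """
    wg = get_object_or_404(MDR.Workgroup, pk=iid)
    # The membership check comes before the slug redirect so that the
    # canonical URL (presumably carrying the workgroup's name slug) is never
    # sent to someone who may not view the workgroup.
    if not user_in_workgroup(request.user, wg):
        raise PermissionDenied
    # startswith() means a truncated or empty slug also passes.
    if not slugify(wg.name).startswith(str(name_slug)):
        return redirect(wg.get_absolute_url())
    renderDict = {
        "item": wg,
        "workgroup": wg,
        "user_is_admin": user_is_workgroup_manager(request.user, wg)
    }
    renderDict['recent'] = MDR._concept.objects.filter(
        workgroup=iid).select_subclasses().order_by('-modified')[:5]
    # NOTE(review): wg.template decides which template is rendered; confirm
    # the field is not user-editable.
    page = render(request, wg.template, renderDict)
    return page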
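def is_workgroup_manager(user,workgroup):
    """
    A filter that acts as a wrapper around ``aristotle_mdr.perms.user_is_workgroup_manager``.
    Returns true if the user has permission to administer the workgroup, otherwise it returns False.
    If calling ``user_is_workgroup_manager`` throws an exception it safely returns False,
    so a failing check hides manager-only template content rather than showing it.

    For example::

      {% if request.user|is_workgroup_manager:workgroup %}
        {{ something }}
      {% endif %}
    """
    try:
        return perms.user_is_workgroup_manager(user,workgroup)
    except Exception:
        # Fail closed on any error in the check, but let SystemExit and
        # KeyboardInterrupt through (a bare ``except`` would swallow them).
        return False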
 def test_is_workgroup_manager(self):
     """``self.su`` must pass the manager check with and without a workgroup."""
     # No workgroup at all: the check is expected to succeed for self.su
     # (presumably the superuser fixture - confirm in setUp).
     without_group = perms.user_is_workgroup_manager(self.su,None)
     self.assertTrue(without_group)

     group = models.Workgroup.objects.create(name="Test WG")
     with_group = perms.user_is_workgroup_manager(self.su,group)
     self.assertTrue(with_group)
    def has_perm(self, user_obj, perm, obj=None):
        """Decide whether ``user_obj`` holds ``perm`` (``app_label.codename``), optionally on ``obj``.

        Inactive users are always refused and superusers always allowed. The
        remaining checks run in order and the first one that matches returns;
        anything left unmatched is passed to the parent backend's ``has_perm``.
        """

        if not user_obj.is_active:
            return False
        if user_obj.is_superuser:
            return True

        # perm must contain a '.', otherwise this unpacking raises ValueError.
        app_label, perm_name = perm.split('.', 1)
        extensions = fetch_aristotle_settings().get('CONTENT_EXTENSIONS', [])

        # NOTE(review): any attribute of the ``perms`` module whose name equals
        # the codename is called here, not only functions meant as permission
        # checks (names imported into that module would match too), and a
        # truthy result grants the permission. Consider an explicit allow-list.
        if app_label == "aristotle_mdr" and hasattr(perms, perm_name):
            return getattr(perms, perm_name)(user_obj, obj)

        from django.apps import apps
        from aristotle_mdr.models import _concept

        # Codenames with exactly two "_"-separated parts are read as
        # <action>_<model>; apps.get_model raises LookupError when no such
        # model is registered.
        perm_parts = perm_name.split("_")
        if len(perm_parts) == 2:
            model = apps.get_model(app_label, perm_parts[1])
        elif obj is not None:
            model = type(obj)
        else:
            # Placeholder class that is not a _concept subclass, so the
            # issubclass test below comes out False.
            model = int

        if app_label in extensions + ["aristotle_mdr"] and issubclass(model, _concept):
            # This is required so that a user can correctly delete the 'concept' parent class in the admin site.

            # This is a rough catch all, and is designed to indicate a user could
            # delete an item type, but not a specific item.
            if (
                perm_name.startswith('delete_') or
                perm_name.startswith('create_') or
                perm_name.startswith('add_')
            ):
                if obj is None:
                    return perms.user_is_editor(user_obj)
                else:
                    return perms.user_can_edit(user_obj, obj)

        if app_label in extensions + ["aristotle_mdr"]:
            if perm_name == "delete_concept_from_admin":
                # Without an object this is granted to every active user who got this far.
                return obj is None or perms.user_can_edit(user_obj, obj)

        if perm == "aristotle_mdr.can_create_metadata":
            return perms.user_is_editor(user_obj)

        # Workgroup permissions. obj is passed straight through and may be None
        # (the default); how the perms helpers treat None is not visible here.
        if perm == "aristotle_mdr.view_workgroup":
            return perms.user_in_workgroup(user_obj, obj)
        if perm == "aristotle_mdr.can_leave_workgroup":
            return perms.user_in_workgroup(user_obj, obj)
        if perm == "aristotle_mdr.change_workgroup_memberships":
            return perms.user_is_workgroup_manager(user_obj, obj)
        if perm == "aristotle_mdr.change_workgroup":
            return perms.user_is_workgroup_manager(user_obj, obj)
        if perm == "aristotle_mdr.can_archive_workgroup":
            return perms.user_is_workgroup_manager(user_obj, obj)

        if perm == "aristotle_mdr.can_view_discussions_in_workgroup":
            return perms.user_in_workgroup(user_obj, obj)
        if perm == "aristotle_mdr.can_post_discussion_in_workgroup":
            return perms.user_in_workgroup(user_obj, obj)
        if perm == "aristotle_mdr.can_view_discussion_post":
            # NOTE(review): dereferences obj.workgroup, so obj=None raises
            # AttributeError here instead of returning False.
            return perms.user_in_workgroup(user_obj, obj.workgroup)

        # Registration authority permissions.
        if perm == "aristotle_mdr.view_registrationauthority_details":
            return (
                perms.user_is_registation_authority_manager(user_obj, obj) or
                perms.user_is_registrar(user_obj, obj)
            )
        if perm == "aristotle_mdr.change_registrationauthority":
            return perms.user_is_registation_authority_manager(user_obj, obj)
        if perm == "aristotle_mdr.change_registrationauthority_memberships":
            return perms.user_is_registation_authority_manager(user_obj, obj)

        from aristotle_mdr.contrib.links import perms as link_perms
        if perm == "aristotle_mdr_links.add_link":
            return link_perms.user_can_make_link(user_obj)

        # Nothing above matched: defer to the parent backend.
        return super().has_perm(user_obj, perm, obj)
 def test_is_workgroup_manager(self):
     """``self.su`` must pass the workgroup-manager check when no workgroup is given."""
     # self.su is presumably the superuser fixture - confirm in setUp.
     passes_without_group = perms.user_is_workgroup_manager(self.su,None)
     self.assertTrue(passes_without_group)
    def has_perm(self, user_obj, perm, obj=None):
        """Return whether ``user_obj`` has ``perm`` (``app_label.codename``), optionally on ``obj``.

        Inactive users never pass and superusers always do. Otherwise the
        checks below are tried top to bottom and the first match decides;
        unmatched permissions fall through to the parent backend.
        """

        if not user_obj.is_active:
            return False
        if user_obj.is_superuser:
            return True

        # A perm string without a '.' makes this unpacking raise ValueError.
        app_label, perm_name = perm.split('.', 1)
        extensions = fetch_aristotle_settings().get('CONTENT_EXTENSIONS', [])

        # NOTE(review): the codename is used to look up and call an arbitrary
        # attribute of the ``perms`` module; anything in that namespace with a
        # matching name is invoked and a truthy result grants the permission.
        # An explicit allow-list of check functions would be safer.
        if app_label == "aristotle_mdr" and hasattr(perms, perm_name):
            return getattr(perms, perm_name)(user_obj, obj)

        from django.apps import apps
        from aristotle_mdr.models import _concept

        # Two-part codenames are treated as <action>_<model>; apps.get_model
        # raises LookupError if the model is not registered.
        perm_parts = perm_name.split("_")
        if len(perm_parts) == 2:
            model = apps.get_model(app_label, perm_parts[1])
        else:
            # Placeholder class that is not a _concept subclass, which makes
            # the issubclass test below False.
            model = int

        if app_label in extensions + ["aristotle_mdr"] and issubclass(
                model, _concept):
            # This is required so that a user can correctly delete the 'concept' parent class in the admin site.

            # This is a rough catch all, and is designed to indicate a user could
            # delete an item type, but not a specific item.
            if (perm_name.startswith('delete_')
                    or perm_name.startswith('create_')
                    or perm_name.startswith('add_')):
                if obj is None:
                    return perms.user_is_editor(user_obj)
                else:
                    return perms.user_can_edit(user_obj, obj)

        if app_label in extensions + ["aristotle_mdr"]:
            if perm_name == "delete_concept_from_admin":
                # With obj=None every active user reaching this point is allowed.
                return obj is None or perms.user_can_edit(user_obj, obj)

        if perm == "aristotle_mdr.can_create_metadata":
            return perms.user_is_editor(user_obj)

        # Workgroup permissions; obj may still be None (the default) when it
        # is handed to the perms helpers - their handling of None is not
        # visible here.
        if perm == "aristotle_mdr.view_workgroup":
            return perms.user_in_workgroup(user_obj, obj)
        if perm == "aristotle_mdr.can_leave_workgroup":
            return perms.user_in_workgroup(user_obj, obj)
        if perm == "aristotle_mdr.change_workgroup_memberships":
            return perms.user_is_workgroup_manager(user_obj, obj)
        if perm == "aristotle_mdr.change_workgroup":
            return perms.user_is_workgroup_manager(user_obj, obj)
        if perm == "aristotle_mdr.can_archive_workgroup":
            return perms.user_is_workgroup_manager(user_obj, obj)

        if perm == "aristotle_mdr.can_view_discussions_in_workgroup":
            return perms.user_in_workgroup(user_obj, obj)
        if perm == "aristotle_mdr.can_post_discussion_in_workgroup":
            return perms.user_in_workgroup(user_obj, obj)
        if perm == "aristotle_mdr.can_view_discussion_post":
            # NOTE(review): obj.workgroup is dereferenced unconditionally, so
            # obj=None raises AttributeError rather than denying.
            return perms.user_in_workgroup(user_obj, obj.workgroup)

        # Registration authority permissions.
        if perm == "aristotle_mdr.view_registrationauthority_details":
            return (perms.user_is_registation_authority_manager(user_obj, obj)
                    or perms.user_is_registrar(user_obj, obj))
        if perm == "aristotle_mdr.change_registrationauthority":
            return perms.user_is_registation_authority_manager(user_obj, obj)
        if perm == "aristotle_mdr.change_registrationauthority_memberships":
            return perms.user_is_registation_authority_manager(user_obj, obj)

        from aristotle_mdr.contrib.links import perms as link_perms
        if perm == "aristotle_mdr_links.add_link":
            return link_perms.user_can_make_link(user_obj)

        # No rule matched: let the parent backend decide.
        return super(AristotleBackend, self).has_perm(user_obj, perm, obj)
 def is_workgroup_manager(self, wg=None):
     """Return ``perms.user_is_workgroup_manager`` for ``self.user`` and ``wg``.

     ``wg`` defaults to ``None``; what the helper does without a workgroup
     is not visible here.
     """
     manager_check = perms.user_is_workgroup_manager
     return manager_check(self.user, wg)
 def is_workgroup_manager(self,wg):
     """Return whether ``self.user`` manages ``wg`` according to ``perms``."""
     check = perms.user_is_workgroup_manager
     result = check(self.user,wg)
     return result
 def test_is_workgroup_manager(self):
     """``self.su`` must pass the manager check for a freshly created workgroup."""
     new_group = models.Workgroup.objects.create(
         name="Test WG",
         stewardship_organisation=self.steward_org_1,
     )
     # self.su was never added to the workgroup's managers in this test, so a
     # pass here means the check grants it for some other reason (presumably
     # superuser status - confirm in setUp).
     su_is_manager = perms.user_is_workgroup_manager(self.su,new_group)
     self.assertTrue(su_is_manager)
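def members(request, iid):
    """Show the member list of workgroup ``iid`` to someone in that workgroup.

    Raises ``PermissionDenied`` for users outside the workgroup.
    """
    wg = get_object_or_404(MDR.Workgroup, pk=iid)
    # Membership is checked before the context is built, so a refused request
    # triggers no further permission lookups.
    if not user_in_workgroup(request.user, wg):
        raise PermissionDenied
    # user_is_admin lets the template show manager-only controls.
    renderDict = {"item": wg, "workgroup": wg, "user_is_admin": user_is_workgroup_manager(request.user, wg)}
    return render(request, "aristotle_mdr/workgroupMembers.html", renderDict)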