Beispiel #1
def notify_message(sender, instance, **kwargs):
    """Create a notification for a message unless a matching one exists.

    The signature has the ``(sender, instance, **kwargs)`` shape of a Django
    signal receiver; ``sender`` and ``kwargs`` are not used. A Notification
    is looked up by the message receiver, the id of the message sender and
    the content type of ``instance``. Only when that lookup finds nothing is
    a new row saved, titled "<sender>: <first 17 characters of the message>".
    """
    from curia.notifications.models import Notification

    lookup = {
        'user': instance.receiver,
        'object_id': instance.sender.id,
        'content_type': get_content_type(instance),
    }

    # NOTE(review): lookup and save are two separate steps, so concurrent
    # calls can each miss and each insert a row; a later get() on the same
    # key would then raise MultipleObjectsReturned instead of DoesNotExist.
    try:
        Notification.objects.get(**lookup)
        return
    except Notification.DoesNotExist:
        pass

    # The title carries text written by the message sender. Whether it is
    # escaped when shown is decided where it is rendered, not here.
    preview = smart_unicode(instance.message[:17])
    title = u'%s: %s' % (smart_unicode(instance.sender), preview)
    new_notification = Notification(
        title=title,
        url=instance.get_absolute_url(),
        **lookup)
    new_notification.save()
Beispiel #2
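def grant_access(command, obj, user=None, group=None):
    """Store an explicit allow rule for ``command`` on ``obj``.

    A GroupPermission row is created when ``group`` is given and a
    UserPermission row when ``user`` is given; both are created when both
    are given. Each row has ``deny=False`` and points at ``obj`` through its
    content type and id. When neither ``user`` nor ``group`` is passed the
    call does nothing.

    No authorization check happens here: the caller has to have established
    that the acting user may hand out this permission. Rows are created
    unconditionally, so calling twice stores the rule twice.
    """
    from curia.authentication.models import GroupPermission, UserPermission
    content_type = get_content_type(obj)
    # Identity test: "was an argument passed" must not depend on how the
    # object implements comparison.
    if group is not None:
        GroupPermission.objects.create(group=group, command=command, deny=False, content_type=content_type, object_id=obj.id)
    if user is not None:
        UserPermission.objects.create(user=user, command=command, deny=False, content_type=content_type, object_id=obj.id)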
Beispiel #3
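def grant_access(command, obj, user=None, group=None):
    """Store an explicit allow rule for ``command`` on ``obj``.

    A GroupPermission row is created when ``group`` is given and a
    UserPermission row when ``user`` is given; both are created when both
    are given. Each row has ``deny=False`` and points at ``obj`` through its
    content type and id. When neither ``user`` nor ``group`` is passed the
    call does nothing.

    No authorization check happens here: the caller has to have established
    that the acting user may hand out this permission. Rows are created
    unconditionally, so calling twice stores the rule twice.
    """
    from curia.authentication.models import GroupPermission, UserPermission
    content_type = get_content_type(obj)
    # Identity test: "was an argument passed" must not depend on how the
    # object implements comparison.
    if group is not None:
        GroupPermission.objects.create(group=group,
                                       command=command,
                                       deny=False,
                                       content_type=content_type,
                                       object_id=obj.id)
    if user is not None:
        UserPermission.objects.create(user=user,
                                      command=command,
                                      deny=False,
                                      content_type=content_type,
                                      object_id=obj.id)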
Beispiel #4
def has_access_on_content_type(user, content_type, command):
    """Check the user's own rule for ``command`` on a whole content type.

    The rule is looked up as a UserPermission whose command is
    "<command> <content type name>" and whose target object is the user
    itself (the user's content type and id).

    Returns a denying PermissionResponse when the first matching row has
    ``deny`` set, a granting one when it does not, and None when no row
    matches, so the caller can go on to other rules.
    """
    from curia.authentication.models import UserPermission

    scoped_command = command + ' ' + content_type.name
    matches = get_objects_from(UserPermission,
                               user=user,
                               command=scoped_command,
                               content_type=get_content_type(user),
                               object_id=user.id)
    if len(matches) == 0:
        return None

    # Only the first row is consulted. NOTE(review): if an allow row and a
    # deny row can coexist, the outcome depends on the order in which
    # get_objects_from yields them - confirm.
    if matches[0].deny:
        return PermissionResponse(
            False, u'user is denied permissions on content type')
    return PermissionResponse(True, u'user has permissions on content type')
Beispiel #5
def has_admin_access(user, obj, content_type, command):
    """Check whether the user administrates ``content_type`` in the current community.

    Looks for a UserPermission on the current community with the command
    "administrate <content_type>". ``obj`` and ``command`` are not consulted,
    so a matching row decides every command on every object of that type.

    Returns a denying PermissionResponse when the row has ``deny`` set, a
    granting one when it does not, and None when the user has no such row.
    """
    from curia.authentication.models import UserPermission

    admin_command = 'administrate %s' % content_type
    try:
        current = get_current_community()
        denied = UserPermission.objects.get(
            user=user,
            object_id=current.id,
            content_type=get_content_type(current),
            command=admin_command).deny
    except UserPermission.DoesNotExist:
        return None

    if denied:
        return PermissionResponse(
            False, u'user is anti-admin for %s' % content_type)
    return PermissionResponse(True, u'user is admin for %s' % content_type)
Beispiel #6
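def has_group_access_on_content_type(user, content_type, command):
    """Check the user's groups for a rule on ``command`` for a whole content type.

    The public user is skipped (None). For every group of the user except
    the one named 'everyone', a GroupPermission with the command
    "<command> <content type name>" is looked up. The first group that has
    such a row decides the result.

    Returns a denying PermissionResponse when that row has ``deny`` set, a
    granting one when it does not, and None when no group has a matching
    row.

    The first matching group wins, so a deny held through a later group does
    not override an allow held through an earlier one; the order is whatever
    ``user.groups.exclude(...)`` yields.
    """
    if user == get_public_user():
        return None

    from curia.authentication.models import GroupPermission
    for group in user.groups.exclude(name='everyone'):
        # NOTE(review): the row is keyed on the user's own content type and
        # id, not on the group or the target type - confirm that this is how
        # content-type-wide group rules are stored.
        group_permissions = get_objects_from(
            GroupPermission,
            group=group,
            command=command + ' ' + content_type.name,
            content_type=get_content_type(user),
            object_id=user.id)
        if len(group_permissions) != 0:
            # Read the rows fetched for this group. The previous code
            # referenced an undefined name here, so any matching row ended
            # in a NameError instead of a decision.
            if group_permissions[0].deny:
                return PermissionResponse(
                    False,
                    u'user is a member of %s that is denied access to content type'
                    % group)
            else:
                # '%s' restores the conversion character the format string
                # was missing; without it the formatting itself raised.
                return PermissionResponse(
                    True,
                    u'user is a member of %s with access to content type' %
                    group)
    return None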
Beispiel #7
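def has_perm(user, obj, command):
    """Decide whether ``user`` may perform ``command`` on ``obj``.

    Rules are tried in a fixed order and the first one that produces an
    answer wins:

    1. owner of the object, then creator of the object's community: granted
    2. 'add' on an object flagged ``deleted``: denied
    3. a user viewing itself: granted
    4. anonymous users are evaluated as the public user
    5. anything granted to the public user is granted to everybody
    6. Django permissions, community admin rules, per-object user and group
       rules, the 'everyone' group rule, content-type-wide user and group
       rules
    7. a grant the user holds on the object's owner
    8. defaults: full access on self, view/add in groups the user belongs
       to, view on users of the shared current community, and the object's
       own ``has_default_permission`` hook
    9. a command containing a space is retried with its first word only
    10. otherwise denied

    Returns a PermissionResponse. Raises WrongCommunityException when no
    earlier rule has answered and the object is neither the current
    community nor part of it.

    Steps 5 and 7 test the response for truthiness. NOTE(review): this
    assumes a PermissionResponse is truthy exactly when it grants access -
    confirm against the class.
    """
    # NOTE(review): obj is dereferenced here and in the community-creator
    # check before the ``obj == None`` fallback further down - confirm that
    # get_owner and get_community_of accept None.
    owner = get_owner(obj)
    if owner == user:
        return PermissionResponse(True,
                                  'user always has access on owned objects')

    from curia.authentication.models import GroupPermission
    from django.contrib.auth.models import User, Group

    # The comparison uses the community the object belongs to, although the
    # reason text speaks of the current community.
    if get_community_of(obj).meta.created_by == user:
        return PermissionResponse(True, 'user is creator of current community')

    if command == 'add':
        if hasattr(obj, 'deleted') and obj.deleted:
            # Deny, as the reason states. The previous code returned a
            # granting response with this same text, which let non-owners
            # add to deleted objects.
            return PermissionResponse(
                False, 'add access is always denied on deleted objects')

    # translate from function naming convention to django permission naming convention
    if command == 'edit':
        command = 'change'

    if obj == None:
        obj = user

    if obj == user and command == 'view':
        return PermissionResponse(True, u'user can always view himself')

    if user.is_anonymous():
        return has_perm(get_public_user(), obj, command)

    # Whatever the public user may do, everybody may do. A denial for the
    # public user is not final; the checks below still run for this user.
    if user != get_public_user():
        p = has_perm(user=get_public_user(), obj=obj, command=command)
        if p:
            return p

    response = has_django_perm(user, obj, command)
    if response is not None:
        return response

    content_type = get_content_type(obj)

    if user != get_public_user():
        response = has_admin_access(user, obj, content_type, command)
        if response is not None:
            return response

    response = has_access_on_object(user, obj, content_type, command)
    if response is not None:
        return response

    response = has_group_access_on_object(user, obj, content_type, command)
    if response is not None:
        return response

    # check content type level access
    everyone_permissions = get_objects_from(GroupPermission,
                                            group=get_everyone_group(),
                                            command=command,
                                            content_type=content_type,
                                            object_id=obj.id)
    if len(everyone_permissions) != 0:
        if everyone_permissions[0].deny:
            return PermissionResponse(False, u'everyone is denied access')
        else:
            return PermissionResponse(True, u'everyone is granted access')

    response = has_access_on_content_type(user, content_type, command)
    if response is not None:
        return response

    response = has_group_access_on_content_type(user, content_type, command)
    if response is not None:
        return response

    if owner != None:
        # check global access on the owner
        response = has_perm(user=user, obj=owner, command=command)
        # ignore access denied here, because we will check defaults and then return access denied later if need be
        if response:
            return response

    # default access levels
    if obj == user:
        return PermissionResponse(
            True, u'user has full access on self unless specifically denied')

    if command == 'view' or command == 'add':
        if isinstance(obj, Group):
            if user in obj.user_set.all():
                return PermissionResponse(
                    True,
                    'everyone has view and add access by default in groups they are part of'
                )

    # This community boundary is only reached when none of the rules above
    # answered, so explicit grants are honoured for objects of another
    # community as well.
    community = get_current_community()
    if obj != community and get_community_of(obj) != community:
        raise WrongCommunityException(obj)

    if command == 'view' and isinstance(obj, User):
        if obj in community.user_set.all() and user in community.user_set.all(
        ):
            return PermissionResponse(
                True,
                u'everyone has view access on a user if they are in a community that the user in question is a member of'
            )

    #if (command == 'change' or command == 'add') and isinstance(obj, Group):
    #    if obj.id in [group.id for group in user.groups.all()]:
    #        return PermissionResponse(True, 'members have change access by default on groups they are a member of')

    if hasattr(obj, 'has_default_permission'):
        response = obj.has_default_permission(user, command)
        if response is not None:
            return response

    # Compound commands fall back to their first word.
    if ' ' in command:
        return has_perm(user=user, obj=obj, command=command.split()[0])

    return PermissionResponse(
        False, u'%s has no %s permissions on %s' % (user, command, obj))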
Beispiel #8
def notify_message(sender, instance, **kwargs):
    """Create a notification for a message unless a matching one exists.

    The signature has the ``(sender, instance, **kwargs)`` shape of a Django
    signal receiver; ``sender`` and ``kwargs`` are not used. A Notification
    is looked up by the message receiver, the id of the message sender and
    the content type of ``instance``. Only when that lookup finds nothing is
    a new row saved, titled "<sender>: <first 17 characters of the message>".
    """
    from curia.notifications.models import Notification

    lookup = dict(user=instance.receiver, object_id=instance.sender.id, content_type=get_content_type(instance))

    # NOTE(review): lookup and save are two separate steps, so concurrent
    # calls can each miss and each insert a row; a later get() on the same
    # key would then raise MultipleObjectsReturned instead of DoesNotExist.
    try:
        Notification.objects.get(**lookup)
        return
    except Notification.DoesNotExist:
        pass

    # The title carries text written by the message sender. Whether it is
    # escaped when shown is decided where it is rendered, not here.
    title = u'%s: %s' % (smart_unicode(instance.sender), smart_unicode(instance.message[:17]))
    new_notification = Notification(title=title, url=instance.get_absolute_url(), **lookup)
    new_notification.save()
Beispiel #9
def content_type(value):
    """Return the content type of ``value`` by delegating to get_content_type."""
    resolved = get_content_type(value)
    return resolved
Beispiel #10
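def has_perm(user, obj, command):
    """Decide whether ``user`` may perform ``command`` on ``obj``.

    Rules are tried in a fixed order and the first one that produces an
    answer wins:

    1. owner of the object, then creator of the object's community: granted
    2. 'add' on an object flagged ``deleted``: denied
    3. a user viewing itself: granted
    4. anonymous users are evaluated as the public user
    5. anything granted to the public user is granted to everybody
    6. Django permissions, community admin rules, per-object user and group
       rules, the 'everyone' group rule, content-type-wide user and group
       rules
    7. a grant the user holds on the object's owner
    8. defaults: full access on self, view/add in groups the user belongs
       to, view on users of the shared current community, and the object's
       own ``has_default_permission`` hook
    9. a command containing a space is retried with its first word only
    10. otherwise denied

    Returns a PermissionResponse. Raises WrongCommunityException when no
    earlier rule has answered and the object is neither the current
    community nor part of it.

    Steps 5 and 7 test the response for truthiness. NOTE(review): this
    assumes a PermissionResponse is truthy exactly when it grants access -
    confirm against the class.
    """
    # NOTE(review): obj is dereferenced here and in the community-creator
    # check before the ``obj == None`` fallback further down - confirm that
    # get_owner and get_community_of accept None.
    owner = get_owner(obj)
    if owner == user:
        return PermissionResponse(True, 'user always has access on owned objects')

    from curia.authentication.models import GroupPermission
    from django.contrib.auth.models import User, Group

    # The comparison uses the community the object belongs to, although the
    # reason text speaks of the current community.
    if get_community_of(obj).meta.created_by == user:
        return PermissionResponse(True, 'user is creator of current community')

    if command == 'add':
        if hasattr(obj, 'deleted') and obj.deleted:
            # Deny, as the reason states. The previous code returned a
            # granting response with this same text, which let non-owners
            # add to deleted objects.
            return PermissionResponse(False, 'add access is always denied on deleted objects')

    # translate from function naming convention to django permission naming convention
    if command == 'edit':
        command = 'change'

    if obj == None:
        obj = user

    if obj == user and command == 'view':
        return PermissionResponse(True, u'user can always view himself')

    if user.is_anonymous():
        return has_perm(get_public_user(), obj, command)

    # Whatever the public user may do, everybody may do. A denial for the
    # public user is not final; the checks below still run for this user.
    if user != get_public_user():
        p = has_perm(user=get_public_user(), obj=obj, command=command)
        if p:
            return p

    response = has_django_perm(user, obj, command)
    if response is not None:
        return response

    content_type = get_content_type(obj)

    if user != get_public_user():
        response = has_admin_access(user, obj, content_type, command)
        if response is not None:
            return response

    response = has_access_on_object(user, obj, content_type, command)
    if response is not None:
        return response

    response = has_group_access_on_object(user, obj, content_type, command)
    if response is not None:
        return response

    # check content type level access
    everyone_permissions = get_objects_from(GroupPermission, group=get_everyone_group(), command=command, content_type=content_type, object_id=obj.id)
    if len(everyone_permissions) != 0:
        if everyone_permissions[0].deny:
            return PermissionResponse(False, u'everyone is denied access')
        else:
            return PermissionResponse(True, u'everyone is granted access')

    response = has_access_on_content_type(user, content_type, command)
    if response is not None:
        return response

    response = has_group_access_on_content_type(user, content_type, command)
    if response is not None:
        return response

    if owner != None:
        # check global access on the owner
        response = has_perm(user=user, obj=owner, command=command)
        # ignore access denied here, because we will check defaults and then return access denied later if need be
        if response:
            return response

    # default access levels
    if obj == user:
        return PermissionResponse(True, u'user has full access on self unless specifically denied')

    if command == 'view' or command == 'add':
        if isinstance(obj, Group):
            if user in obj.user_set.all():
                return PermissionResponse(True, 'everyone has view and add access by default in groups they are part of')

    # This community boundary is only reached when none of the rules above
    # answered, so explicit grants are honoured for objects of another
    # community as well.
    community = get_current_community()
    if obj != community and get_community_of(obj) != community:
        raise WrongCommunityException(obj)

    if command == 'view' and isinstance(obj, User):
        if obj in community.user_set.all() and user in community.user_set.all():
            return PermissionResponse(True, u'everyone has view access on a user if they are in a community that the user in question is a member of')

    #if (command == 'change' or command == 'add') and isinstance(obj, Group):
    #    if obj.id in [group.id for group in user.groups.all()]:
    #        return PermissionResponse(True, 'members have change access by default on groups they are a member of')

    if hasattr(obj, 'has_default_permission'):
        response = obj.has_default_permission(user, command)
        if response is not None:
            return response

    # Compound commands fall back to their first word.
    if ' ' in command:
        return has_perm(user=user, obj=obj, command=command.split()[0])

    return PermissionResponse(False, u'%s has no %s permissions on %s' % (user, command, obj))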
Beispiel #11
def has_admin_access(user, obj, content_type, command):
    """Check whether the user administrates ``content_type`` in the current community.

    Looks for a UserPermission on the current community with the command
    "administrate <content_type>". ``obj`` and ``command`` are not consulted,
    so a matching row decides every command on every object of that type.

    Returns a denying PermissionResponse when the row has ``deny`` set, a
    granting one when it does not, and None when the user has no such row.
    """
    from curia.authentication.models import UserPermission

    admin_command = 'administrate %s' % content_type
    try:
        current = get_current_community()
        denied = UserPermission.objects.get(user=user, object_id=current.id, content_type=get_content_type(current), command=admin_command).deny
    except UserPermission.DoesNotExist:
        return None

    if denied:
        return PermissionResponse(False, u'user is anti-admin for %s' % content_type)
    return PermissionResponse(True, u'user is admin for %s' % content_type)
Beispiel #12
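def has_group_access_on_content_type(user, content_type, command):
    """Check the user's groups for a rule on ``command`` for a whole content type.

    The public user is skipped (None). For every group of the user except
    the one named 'everyone', a GroupPermission with the command
    "<command> <content type name>" is looked up. The first group that has
    such a row decides the result.

    Returns a denying PermissionResponse when that row has ``deny`` set, a
    granting one when it does not, and None when no group has a matching
    row.

    The first matching group wins, so a deny held through a later group does
    not override an allow held through an earlier one; the order is whatever
    ``user.groups.exclude(...)`` yields.
    """
    if user == get_public_user():
        return None

    from curia.authentication.models import GroupPermission
    for group in user.groups.exclude(name='everyone'):
        # NOTE(review): the row is keyed on the user's own content type and
        # id, not on the group or the target type - confirm that this is how
        # content-type-wide group rules are stored.
        group_permissions = get_objects_from(GroupPermission, group=group, command=command+' '+content_type.name, content_type=get_content_type(user), object_id=user.id)
        if len(group_permissions) != 0:
            # Read the rows fetched for this group. The previous code
            # referenced an undefined name here, so any matching row ended
            # in a NameError instead of a decision.
            if group_permissions[0].deny:
                return PermissionResponse(False, u'user is a member of %s that is denied access to content type' % group)
            else:
                # '%s' restores the conversion character the format string
                # was missing; without it the formatting itself raised.
                return PermissionResponse(True, u'user is a member of %s with access to content type' % group)
    return None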
Beispiel #13
def has_access_on_content_type(user, content_type, command):
    """Check the user's own rule for ``command`` on a whole content type.

    The rule is looked up as a UserPermission whose command is
    "<command> <content type name>" and whose target object is the user
    itself (the user's content type and id).

    Returns a denying PermissionResponse when the first matching row has
    ``deny`` set, a granting one when it does not, and None when no row
    matches, so the caller can go on to other rules.
    """
    from curia.authentication.models import UserPermission

    scoped_command = command+' '+content_type.name
    matches = get_objects_from(UserPermission, user=user, command=scoped_command, content_type=get_content_type(user), object_id=user.id)
    if len(matches) == 0:
        return None

    # Only the first row is consulted. NOTE(review): if an allow row and a
    # deny row can coexist, the outcome depends on the order in which
    # get_objects_from yields them - confirm.
    if matches[0].deny:
        return PermissionResponse(False, u'user is denied permissions on content type')
    return PermissionResponse(True, u'user has permissions on content type')
Beispiel #14
def content_type(value):
    """Return the content type of ``value`` by delegating to get_content_type."""
    resolved = get_content_type(value)
    return resolved