def has_permission(context, model, permission, obj=None): """ :param model: 'app_label.model' """ membership = context['current_membership'] return (shortcuts.has_role_permission(membership, model, permission) or shortcuts.has_object_permission(membership, obj, permission))
def get_queryset(self): queryset = super(MeetingsFilteredQuerysetMixin, self).get_queryset() if not has_role_permission(self.get_current_membership(), Meeting, PERMISSIONS.edit): queryset = queryset.filter(status=Meeting.STATUSES.published) default_filters = {'order_by': 'asc', 'committee': '__all__'} self.form = MeetingFilter(self.get_current_membership(), self.request.GET, initial=default_filters) filters = self.form.cleaned_data if self.form.is_valid( ) else default_filters if filters['committee'] == '__full__': queryset = queryset.filter(committee=None) elif filters['committee'] != '__all__' and filters[ 'committee'].isdigit(): queryset = queryset.filter(committee=filters['committee']) if filters['order_by'] == 'desc': queryset = queryset.order_by('-next_repetition__date') else: queryset = queryset.order_by('next_repetition__date') return queryset.select_related('committee')
def check_permissions(self, request): super(RestPermissionMixin, self).check_permissions(request) # Manual handling of @login_required to return proper response for API usage (not a redirect) if not request.user.is_authenticated: self.permission_denied(request) account = get_current_account_for_url(request, self.kwargs['url']) membership = request.user.get_membership(account) if hasattr(self, 'get_model_permission'): # Support dynamic permissions model, permission = self.get_model_permission(request) else: model, permission = self.permission obj = self.get_permission_object() if (self.and_permission(account, membership) and ((has_role_permission(membership, model, permission) or has_object_permission(membership, obj, permission)) or self.or_permission(account, membership))): return # Soft land folder urls to root folder instead of 403 if 'folders/' in request.path: self.permission_denied(request, "No access to this folder")
def get_queryset(self): account = get_current_account(self.request) membership = self.request.user.get_membership(account) queryset = News.objects.filter(account=account) if has_role_permission(membership, News, PERMISSIONS.edit): return queryset return queryset.filter( Q(is_publish=True) | Q(created_member=membership))
def dispatch(self, request, *args, **kwargs): account = get_current_account(request) membership = request.user.get_membership(account) model, permission = self.permission obj = self.get_permission_object() if (self.and_permission(account, membership) and ((has_role_permission(membership, model, permission) or has_object_permission(membership, obj, permission)) or self.or_permission(account, membership))): return super(PermissionMixin, self).dispatch(request, *args, **kwargs) # Soft land folder urls to root folder instead of 403 if 'folders/' in request.path: return redirect('folders:rootfolder_detail', url=account.url) raise PermissionDenied()
def get_object(self, queryset=None): # can't use PermissionMixin because there's no current_account when reactivating if 'account_id' in self.request.GET: form = AccountReactivateForm(self.request.GET) if form.is_valid(): account = get_object_or_404(self.request.user.accounts.all(), id=form.cleaned_data['account_id']) else: raise PermissionDenied() elif get_current_account(self.request): account = get_current_account(self.request) else: raise PermissionDenied( ) # !!! should redirect to /accounts/ in future. Fix in WEB-160. # handle permissions manually membership = self.request.user.get_membership(account=account) if not has_role_permission(membership, Account, PERMISSIONS.edit): raise PermissionDenied() return account
def form_valid(self, form): account_id = form.cleaned_data['account_id'] account = Account.objects.get(id=account_id) membership = self.request.user.get_membership(account) if not (account.can_be_activated() and has_role_permission( membership, Account, PERMISSIONS.edit)): raise PermissionDenied() account._update_subscription() if account.is_trial() or account.stripe_customer_id: account.is_active = True account.date_cancel = None account.save() messages.success(self.request, _('Account was reactivated successfully.')) else: messages.error( self.request, _('There was a problem with your billing information.')) data = {'url': reverse('accounts:boards')} return self.render_to_json_response(data)
def has_role_permission(membership, permission_string): """ :param permission_string: 'app_label.model:permission'. """ model, permission = permission_string.split(':') return shortcuts.has_role_permission(membership, model, permission)
def __init__(self, *args, **kwargs): is_event = kwargs.pop('is_event') super(MeetingAddForm, self).__init__(*args, **kwargs) self.fields['committee'].label = _('Attendees') self.fields['committee'].empty_label = _('All Board Members') self.fields['name'].widget.attrs['placeholder'] = \ _('Untitled Event') if is_event else _('Untitled Meeting') self.fields['description'].widget.attrs['placeholder'] = \ _('Event Description') if is_event else _('Meeting Description') membership = self.initial.get('membership') account = self.initial.get('account') meeting = self.instance assert isinstance(meeting, Meeting) top_locations = self.get_locations() if account.default_meetings_location and len( account.default_meetings_location) > 0: init_location = account.default_meetings_location elif top_locations and len(top_locations) > 0: init_location = top_locations[0] else: init_location = "" self.fields['location'] = \ forms.CharField(label=_('Location'), widget=LocationWidget(data_list=top_locations), initial=init_location, max_length=250, required=True) queryset = Committee.objects.filter(account=account) if has_role_permission(membership, Committee, PERMISSIONS.add): # can add meeting for any committee self.fields['committee'].queryset = queryset else: # can add meeting only if chairman self.fields['committee'].queryset = \ queryset.filter(Q(chairman=membership) | Q(chairman__in=membership.get_bosses())) self.fields['repeat_end_date'] = \ forms.DateField(label=_('Repeat end date'), input_formats=['%b. %d, %Y'], widget=forms.DateInput(attrs={'placeholder': '{:%b. %d, %Y}'.format(timezone.now())}), required=False) self.fields['date'] = \ forms.DateField(label=_('Date'), input_formats=['%b. %d, %Y'], widget=forms.DateInput(attrs={'placeholder': '{:%b. %d, %Y}'.format(timezone.now())}), required=True) self.fields['time_start'] = forms.TimeField( label=_('From'), input_formats=['%I:%M %p'], widget=forms.TimeInput(attrs={'class': 'from'}), required=True) self.fields['time_end'] = forms.TimeField( label=_('To'), input_formats=['%I:%M %p'], widget=forms.TimeInput(attrs={'class': 'to'}), required=True) self.fields['action'] = forms.ChoiceField( meeting_action_choices(meeting, membership)) members = Membership.objects.filter( account=account, user__is_active=True, is_active=True).select_related('user') self.fields['extra_members'] = \ forms.ModelMultipleChoiceField(members, label=_('Additional Attendees'), required=False, widget=forms.SelectMultiple(attrs={'class': 'default'})) key_order = [ 'name', 'description', 'committee', 'extra_members', 'date', 'time_start', 'time_end', 'location', 'action', 'repeat_type', 'repeat_interval', 'repeat_max_count', 'repeat_end_date', 'repeat_week_days', 'repeat_end_type' ] self.fields = reorder_form_fields(self.fields, key_order) if not is_event: self.fields['board_book'] = forms.FileField( label=_('Add Board Book'), required=False) self.fields['agenda'] = forms.FileField(label=_('Add Agenda'), required=False) self.fields['minutes'] = forms.FileField(label=_('Add Minutes'), required=False) self.fields['other'] = forms.FileField(label=_('Add Other Documents'), required=False) self.fields['uploaded'] = forms.CharField(widget=forms.HiddenInput(), required=False) self.fields['repeat_end_type'].initial = meeting.repeat_end_type if meeting.pk: start = timezone.localtime(meeting.start) end = timezone.localtime(meeting.end) self.fields['date'].initial = start.strftime("%b. %d, %Y") self.initial['repeat_end_date'] = \ meeting.repeat_end_date.strftime("%b. %d, %Y") if meeting.repeat_end_date else None self.fields['time_start'].initial = start.strftime("%I:%M %p") self.fields['time_end'].initial = end.strftime("%I:%M %p")