def they_can_get_applications(user, they): if user.get('is_superuser'): they.can(GET, 'Application') elif has_role(user, 'flod_saksbehandlere'): they.can(GET, 'Application') elif has_role(user, 'flod_brukere'): they.can(GET, 'Application', partial(if_resource_owner, user=user)) elif is_idporten_user(user): they.can(GET, 'Application', partial(if_application_owner, user=user))
def filter_applications(applications, cookies): """Filter applications based on user roles""" is_superuser = verify_superuser_auth_token( request.cookies.get('auth_token')) if is_superuser: # No filter for superuser return applications user = get_user(request.cookies) if user is None: abort(401) if has_role(user, 'flod_saksbehandlere'): # No filter for flod_saksbehandlere return applications if has_role(user, 'flod_brukere'): # Administratosr should only see applications for resources they own remote_resource_ids = [c['resource_id'] for c in user.get('credentials', []) if c['id'].startswith('CAN_EDIT_FACILITY_')] # Need to map the ids in the credentials which uses remote ids # to the local ones used in booking. uris = ["/facilities/%s" % i for i in remote_resource_ids] res = current_app.db_session.query(Resource).filter(Resource.uri.in_(uris)).all() local_resource_ids = [r.id for r in res] applications = applications.filter( Application.resource_id.in_(local_resource_ids) ) else: # External users should only see their own applications and the applications belonging to their organisations org_ids = [] orgs = get_person_from_web('/persons/%s/organisations/' % user['person_id']) org_uris = [org.get('uri') for org in orgs] if len(org_uris) > 0: res = current_app.db_session.query(Organisation).filter(Organisation.uri.in_(org_uris)).all() org_ids = [o.id for o in res] person_uri = '/persons/{}'.format(user['person_id']) if len(org_ids) == 0: applications = applications.filter( Application.person.has(uri=person_uri) ) else: applications = applications.filter( or_( Application.person.has(uri=person_uri), Application.organisation_id.in_(org_ids) ) ) return applications
def they_can_post_applications(user, they): if user.get('is_superuser'): they.can(POST, 'Application') elif has_role(user, 'flod_saksbehandlere'): they.can(POST, 'Application') elif has_role(user, 'flod_brukere'): they.can(POST, 'Application') # External users elif is_idporten_user(user): they.can(POST, 'Application')
def they_can_put_resources(user, they): if user.get('is_superuser'): they.can(PUT, 'Resource') elif has_role(user, 'flod_saksbehandlere'): they.can(PUT, 'Resource') elif has_role(user, 'flod_lokaler_admin'): they.can(PUT, 'Resource') else: they.can(PUT, 'Resource', partial(if_resource_owner, user=user))
def they_can_put_applications(user, they): if user.get('is_superuser'): they.can(PUT, 'Application') elif has_role(user, 'flod_saksbehandlere'): they.can(PUT, 'Application') else: they.can(PUT, 'Application', partial(if_resource_owner, user=user))
def they_can_delete_applications(user, they): if user.get('is_superuser'): they.can(DELETE, 'Application') elif has_role(user, 'flod_saksbehandlere'): they.can(DELETE, 'Application') else: they.can(DELETE, 'Application', partial(if_application_owner, user=user))
def they_can_delete_slots(user, they): if user.get('is_superuser') or has_role(user, 'flod_saksbehandlere'): they.can(DELETE, 'Slot') they.can(DELETE, 'StrotimeSlot') they.can(DELETE, 'RepeatingSlot') else: they.can(DELETE, 'Slot', partial(if_slot_owner, user=user)) they.can(DELETE, 'StrotimeSlot', partial(if_slot_owner, user=user)) they.can(DELETE, 'RepeatingSlot', partial(if_slot_owner, user=user))
def they_can_manage_rammetid(user, they): if user.get('is_superuser') or has_role(user, 'flod_saksbehandlere'): they.can(POST, 'Rammetid') they.can(PUT, 'Rammetid') they.can(DELETE, 'Rammetid') # External users elif is_idporten_user(user): they.can(POST, RammetidToApplication, partial(if_can_post_rammetid_to_application, user=user))
def they_can_delete_blocked_time(user, they): if user.get('is_superuser'): they.can(DELETE, 'BlockedTimeInterval') they.can(DELETE, 'WeeklyBlockedTime') elif has_role(user, 'flod_saksbehandlere'): they.can(DELETE, 'BlockedTimeInterval') they.can(DELETE, 'WeeklyBlockedTime') else: they.can(DELETE, 'BlockedTimeInterval', partial(if_resource_owner, user=user)) they.can(DELETE, 'WeeklyBlockedTime', partial(if_resource_owner, user=user))
def verify_user_role(self, role): auth_token = request.cookies.get("auth_token", None) if auth_token is None: return False username = unsign_auth_token(auth_token) try: user = repo.get_user_by_id(username, request.cookies) return repo.has_role(user, role) except Exception: return False
def if_resource_owner(resource, user): if not has_role(user, 'flod_brukere'): return False # Check if resource is actually a model with a resource property # (e.g. Application) if hasattr(resource, 'resource'): resource = resource.resource resource_details = get_resource_from_web(resource.uri) resource_id = resource_details.get('id') if resource_id is None: return False return can_user_edit_facility(user['id'], resource_id, request.cookies)
def get_display_name(application): if application.organisation: try: org = get_organisation_from_web(application.organisation.uri) return org.get('name') except werkzeug.exceptions.NotFound: return u'Ad-hoc aktør' user = get_user(request.cookies) show_person = user is not None and has_role(user, 'flod_saksbehandlere') if show_person: person = get_person_from_web(application.person.uri) return '%s, %s' % (person.get('last_name', ''), person.get('first_name', '')) return "Privatperson"
def they_can_post_leieform(user, they): if has_role(user, 'flod_lokaler_admin'): they.can(POST, 'Settings')
def they_can_delete_organisations(user, they): if user.get('is_superuser') or has_role(user, u'flod_aktørregister_admin'): they.can(DELETE, 'Organisation')
def they_can_manage_notifications(user, they): if user.get('is_superuser') or has_role(user, 'flod_saksbehandlere'): they.can(POST, 'ArrangementNotification') they.can(POST, 'StrotimeApplicationNotification') they.can(GET, 'ArrangementConflict')
def put(self, application_id): data = request.get_json() application = self.get_object_by_id(application_id) ensure(PUT, application) status = data.get("status", None) resource_uri = data["resource"]["uri"] application_message = data.get("message", "") to_be_invoiced = data.get("to_be_invoiced", None) invoice_amount = data.get("invoice_amount") or None if invoice_amount is not None and type(invoice_amount) is not int \ and not invoice_amount.isdigit(): abort(400, __error__=[u'Fakturabeløp må være heltall']) resource = get_resource_for_uri(resource_uri) if not resource: abort(404) resource_details = get_resource_from_web(application.resource.uri) if not resource_details: abort(404) settings = SettingsResource().get() user = get_user(request.cookies) # Check that the resource allows the type of application if application.get_type() == "single" and not resource.single_booking_allowed: abort(403, __error__=[u'Det er ikke mulig å behandle en søknad om engangslån fordi type utlån er deaktivert for lokalet']) if application.get_type() == "repeating" and (not resource.repeating_booking_allowed or \ (resource.repeating_booking_allowed and not settings["repeating_booking_allowed"] and not has_role(user, 'flod_saksbehandlere'))): abort(403, __error__=[u'Det er ikke mulig å behandle en søknad om fast lån fordi type utlån er deaktivert for lokalet']) # The application might have been moved to a different resource. application.resource = resource if status == "Pending": application.amenities = application.requested_amenities application.accessibility = application.requested_accessibility application.equipment = application.requested_equipment application.suitability = application.requested_suitability application.facilitators = application.requested_facilitators else: application.amenities = data.get('amenities') application.accessibility = data.get('accessibility') application.equipment = data.get('equipment') application.suitability = data.get('suitability') application.facilitators = data.get('facilitators') slot_data = data.get("slots", None) if status == "Granted" and not slot_data: abort(403, __error__=[u'Tildelt tid mangler']) if application.get_type() == "single": slots = [parse_single_slot(slot, application) for slot in slot_data] application.single_slots = slots elif application.get_type() == "repeating": slots = [parse_repeating_slot(slot, application) for slot in slot_data] application.repeating_slots = slots # Check if there are any conflicts for slot in slots: if application.get_type() == "single": start_date = slot.start_time.date() end_date = slot.end_time.date() week_day = slot.start_time.isoweekday() start_time = slot.start_time.time() end_time = slot.end_time.time() elif application.get_type() == "repeating": start_date = slot.start_date end_date = slot.end_date week_day = slot.week_day start_time = slot.start_time end_time = slot.end_time if application.get_type() == "single": self.validate_end_date_of_slot(settings["single_booking_enddate"], end_date.isoformat(), u'engangslån') elif application.get_type() == "repeating": self.validate_end_date_of_slot(settings["repeating_booking_enddate"], end_date.isoformat(), u'fast lån') self.validate_start_and_end_times(start_date, end_date, start_time, end_time) if application.is_arrangement or status == "Denied": # NOTE: Arrangements trumph all other applications. If we reject an application, we dont nede to # check if the time is available... pass else: if self.is_conflict_slot_time(resource, start_date, end_date, week_day, start_time, end_time) or \ self.is_conflict_rammetid(resource, start_date, end_date, week_day, start_time, end_time): abort( 400, __error__=[u'Tiden du har søkt på er ikke tilgjengelig'] ) if status != "Denied": if self.is_conflict_blocked_time(resource, start_date, end_date, week_day, start_time, end_time): abort( 400, __error__=[u'Tiden du har søkt på er blokkert'] ) if status == "Granted" or status == "Denied" or (status == "Pending" and len(slots) == 0): application.status = status else: application.status = "Processing" application.message = application_message application.invoice_amount = invoice_amount application.to_be_invoiced = to_be_invoiced application.comment = data.get('comment') current_app.db_session.add(application) current_app.db_session.commit() current_app.db_session.refresh(application) document = '' if status == "Granted" or status == "Denied": document = send_email_application_processed(application) # Create erv code if invoice_amount is not None and status == "Granted": invoice_amount = int(invoice_amount) org_number = None if application.organisation is not None: organisation = get_organisation_from_web( application.organisation.uri) org_number = organisation.get('org_number', None) if org_number is None: person = get_person_from_web(application.person.uri) erv_code = erv_person(application, invoice_amount, person['national_identity_number']) else: erv_code = erv_organisation(application, invoice_amount, org_number) print 'erv: "{}"'.format(erv_code) # Skip sending mail for now # send_erv_code_mail("{},".format(erv_code)) application_dict = {} if application.get_type() == "single": application_dict = marshal(application, single_application_fields) elif application.get_type() == "repeating": # Authentication is not implemented for all resources yet, so we # skip creating sak/journalpost if no auth_token exists if status == 'Granted' and 'auth_token' in request.cookies: arkiver(application, document) application_dict = marshal(application, repeating_application_fields) # Include emails in response, if requested if data.get("include_emails", False): _, granted_message = render_email_template(application, "Granted") _, denied_message = render_email_template(application, "Denied") application_dict['emails'] = dict( granted_message=granted_message, denied_message=denied_message ) return application_dict
def they_can_manage_organisation_internal_notes(user, they): if user.get('is_superuser') or has_role(user, 'flod_saksbehandlere'): they.can(GET, 'OrganisationInternalNote') they.can(POST, 'OrganisationInternalNote') they.can(DELETE, 'OrganisationInternalNote')
def get(self): year = None if "year" in request.args: year = int(request.args.get('year')) week_number = None if "week" in request.args: week_number = int(request.args.get('week')) day = None if "day" in request.args: day = datetime.strptime(request.args.get('day'), '%Y-%m-%d') resource_uri = request.args.get('resource_uri') except_application = request.args.get('except') if not (year and week_number) and not day: abort(404) if "status" in request.args: statuses = [request.args["status"]] else: statuses = ["Pending", "Processing", "Granted"] resource = self.get_resource_with_id_or_uri(None, resource_uri) except_applications = [] if except_application: except_applications.append(except_application) single = self.get_slots( resource, except_applications, statuses, year, week_number, day ) repeating = self.get_repeating_slots( resource, except_applications, statuses, year, week_number, day ) strotimer = self.get_strotime_slots( resource, year, week_number, day ) slots = single + repeating + strotimer user = get_user(request.cookies) if user is not None and has_role(user, 'flod_saksbehandlere'): for slot in slots: applicant = self.get_applicant(slot) if applicant is not None: name, email = applicant slot['applicant_email'] = email slot['applicant_name'] = name return marshal(slots, week_exploded_slot_fields_applicant), 200 return marshal(slots, week_exploded_slot_fields), 200
def they_can_get_statistics(user, they): if user.get('is_superuser') or has_role(user, 'flod_brukere'): they.can(GET, 'ResourceStatistic') they.can(GET, 'OrganisationStatistic') they.can(GET, 'ExportReimbursement') they.can(GET, 'ExportOverview')
def post(self): data = request.get_json() is_arrangement = data.get("isArrangement", False) person = data.get('person', None) if not person or not person.get('uri', None): abort(400) person_uri = person["uri"] text = data["text"] facilitation = data["facilitation"] resource_uri = data["resource"]["uri"] resource = get_resource_for_uri(resource_uri) settings = SettingsResource().get() user = get_user(request.cookies) # Check that the resource allows the type of application if not settings["single_booking_allowed"] and not (has_role(user, 'flod_brukere') or has_role(user, 'flod_saksbehandlere')) or \ not resource.single_booking_allowed: abort(403, __error__=[u'Engangslån ikke tillatt']) organisation_data = data.get("organisation", None) if organisation_data: organisation_uri = organisation_data["uri"] organisation = get_organisation_for_uri(organisation_uri) else: organisation = None person = get_person_for_uri(person_uri) application = Application( person, organisation, text, facilitation, resource, amenities=data.get('amenities'), accessibility=data.get('accessibility'), equipment=data.get('equipment'), suitability=data.get('suitability'), facilitators=data.get('facilitators') ) application.is_arrangement = is_arrangement slots = [self.parse_slot_request(d) for d in data["slots"]] if not slots: abort(400, __error__=[u'Tidspunkt mangler']) for slot in slots: start_date = slot.start_time.date() end_date = slot.end_time.date() week_day = slot.start_time.isoweekday() start_time = slot.start_time.time() end_time = slot.end_time.time() self.validate_end_date_of_slot(settings["single_booking_enddate"], end_date.isoformat(), u'engangslån') self.validate_start_and_end_times(start_date, end_date, start_time, end_time) if not is_arrangement: if self.is_conflict_slot_time(resource, start_date, end_date, week_day, start_time, end_time) or \ self.is_conflict_rammetid(resource, start_date, end_date, week_day, start_time, end_time): abort( 400, __error__=[u'Tiden du har søkt på er ikke tilgjengelig'] ) if self.is_conflict_blocked_time(resource, start_date, end_date, week_day, start_time, end_time): abort( 400, __error__=[u'Tiden du har søkt på er blokkert'] ) application.request_single_slot(slot) current_app.db_session.add(application) current_app.db_session.commit() current_app.db_session.refresh(application) send_email_to_resource(application) send_email_to_applicant(application) return application, 201
def post(self): data = request.get_json() person = data.get('person', None) if not person or not person.get('uri', None): abort(400) person_uri = person["uri"] text = data["text"] facilitation = data['facilitation'] resource_uri = data["resource"]["uri"] resource = get_resource_for_uri(resource_uri) settings = SettingsResource().get() user = get_user(request.cookies) # Check that the resource allows the type of application if (resource.repeating_booking_allowed and not settings["repeating_booking_allowed"] and not has_role(user, 'flod_saksbehandlere')) or \ (not settings["repeating_booking_allowed"] and not (has_role(user, 'flod_brukere') or has_role(user, 'flod_saksbehandlere'))) or \ not resource.repeating_booking_allowed: abort(403, __error__=[u'Gjentakende lån ikke tillatt']) organisation_data = data.get("organisation", None) if organisation_data: organisation_uri = organisation_data["uri"] organisation = get_organisation_for_uri(organisation_uri) else: organisation = None if not organisation: abort( 403, __error__=[u'Du kan ikke søke gjentakende lån som privatperson'] ) person = get_person_for_uri(person_uri) application = Application( person, organisation, text, facilitation, resource, amenities=data.get('amenities'), accessibility=data.get('accessibility'), equipment=data.get('equipment'), suitability=data.get('suitability'), facilitators=data.get('facilitators') ) slots = None try: slots = [self.parse_slot_request(d) for d in data["slots"]] except BookingDomainException as e: abort(400, __error__=[e.message]) if not slots: abort(400, __error__=[u'Tidspunkt mangler']) for slot in slots: start_date = slot.start_date end_date = slot.end_date week_day = slot.week_day start_time = slot.start_time end_time = slot.end_time self.validate_end_date_of_slot(settings["repeating_booking_enddate"], end_date.isoformat(), u'fast lån') self.validate_start_and_end_times(start_date, end_date, start_time, end_time) if self.is_conflict_slot_time(resource, start_date, end_date, week_day, start_time, end_time) or \ self.is_conflict_rammetid(resource, start_date, end_date, week_day, start_time, end_time): abort( 400, __error__=[u'Tiden du har søkt på er ikke tilgjengelig'] ) if self.is_conflict_blocked_time(resource, start_date, end_date, week_day, start_time, end_time): abort( 400, __error__=[u'Tiden du har søkt på er blokkert'] ) application.request_repeating_slot(slot) current_app.db_session.add(application) current_app.db_session.commit() current_app.db_session.refresh(application) send_email_to_resource(application) return application, 201