def extra_select_and_values_for_model(instance,
job,
table,
model,
prefix=None):
if prefix:
prefix += '__'
else:
prefix = ''
perms = permissions(job.user, instance, model)
extra_select = {}
prefixed_names = []
dummy_instance = safe_get_model_class(model)()
for perm in (perm for perm in perms
if perm.permission_level >= FieldPermission.READ_ONLY):
field_name = perm.field_name
prefixed_name = prefix + field_name
if field_name.startswith('udf:'):
name = field_name[4:]
extra_select[prefixed_name] = "%s.udfs->'%s'" % (table, name)
else:
if not model_hasattr(dummy_instance, field_name):
# Exception will be raised downstream if you look for
# a field on a model that no longer exists but still
# has a stale permission record. Here we check for that
# case and don't include the field if it does not exist.
continue
prefixed_names.append(prefixed_name)
return (extra_select, prefixed_names)
def extra_select_and_values_for_model(
instance, job, table, model, prefix=None):
if prefix:
prefix += '__'
else:
prefix = ''
perms = permissions(job.user, instance, model)
extra_select = {}
prefixed_names = []
dummy_instance = safe_get_model_class(model)()
for perm in (perm for perm in perms
if perm.permission_level >= FieldPermission.READ_ONLY):
field_name = perm.field_name
prefixed_name = prefix + field_name
if field_name.startswith('udf:'):
name = field_name[4:]
extra_select[prefixed_name] = "%s.udfs->'%s'" % (table, name)
else:
if not model_hasattr(dummy_instance, field_name):
# Exception will be raised downstream if you look for
# a field on a model that no longer exists but still
# has a stale permission record. Here we check for that
# case and don't include the field if it does not exist.
continue
prefixed_names.append(prefixed_name)
return (extra_select, prefixed_names)
def get_user_permission(self,
user,
expectedCount,
model_name='Plot',
field_name='geom'):
perms = permissions(user, self.instance, model_name)
return self.get_permission(perms, field_name, expectedCount)
def test_empty_model_name(self):
perms = permissions(self.user, self.instance)
self.assertEqual(
len(perms),
FieldPermission.objects.filter(instance=self.instance,
role=self.user.get_role(
self.instance)).count())
def values_for_model(
instance, job, table, model,
select, select_params, prefix=None):
if prefix:
prefix += '__'
else:
prefix = ''
perms = permissions(job.user, instance, model)
prefixed_names = []
model_class = safe_get_model_class(model)
dummy_instance = model_class()
for perm in (perm for perm in perms
if perm.permission_level >= FieldPermission.READ_ONLY):
field_name = perm.field_name
prefixed_name = prefix + field_name
if field_name in getattr(model_class, 'collection_udf_settings', {}):
field_definition_id = None
for udfd in udf_defs(instance, model):
if udfd.iscollection and udfd.name == field_name[4:]:
field_definition_id = udfd.id
if field_definition_id is None:
continue
select[prefixed_name] = (
"""
WITH formatted_data AS (
SELECT concat('(', data, ')') as fdata
FROM %s
WHERE field_definition_id = %s and model_id = %s.id
)
SELECT array_to_string(array_agg(fdata), ', ', '*')
FROM formatted_data
"""
% (UserDefinedCollectionValue._meta.db_table,
field_definition_id, table))
elif field_name.startswith('udf:'):
name = field_name[4:]
select[prefixed_name] = "{0}.udfs->%s".format(table)
select_params.append(name)
else:
if not model_hasattr(dummy_instance, field_name):
# Exception will be raised downstream if you look for
# a field on a model that no longer exists but still
# has a stale permission record. Here we check for that
# case and don't include the field if it does not exist.
continue
prefixed_names.append(prefixed_name)
return prefixed_names
def _values_for_model(instance,
job,
table,
model,
select,
select_params,
prefix=None):
if prefix:
prefix += '__'
else:
prefix = ''
prefixed_names = []
model_class = safe_get_model_class(model)
dummy_instance = model_class()
for field_name in (perm.field_name
for perm in permissions(job.user, instance, model)
if perm.permission_level >= FieldPermission.READ_ONLY):
prefixed_name = prefix + field_name
if field_name.startswith('udf:'):
name = field_name[4:]
if name in model_class.collection_udf_settings.keys():
field_definition_id = None
for udfd in udf_defs(instance, model):
if udfd.iscollection and udfd.name == name:
field_definition_id = udfd.id
if field_definition_id is None:
continue
select[prefixed_name] = ("""
WITH formatted_data AS (
SELECT concat('(', data, ')') as fdata
FROM %s
WHERE field_definition_id = %s and model_id = %s.id
)
SELECT array_to_string(array_agg(fdata), ', ', '*')
FROM formatted_data
""" % (UserDefinedCollectionValue._meta.db_table,
field_definition_id, table))
else:
select[prefixed_name] = "{0}.udfs->%s".format(table)
select_params.append(name)
else:
if not model_hasattr(dummy_instance, field_name):
# Exception will be raised downstream if you look for
# a field on a model that no longer exists but still
# has a stale permission record. Here we check for that
# case and don't include the field if it does not exist.
continue
prefixed_names.append(prefixed_name)
return prefixed_names
def mask_unauthorized_fields(self, user):
perms = permissions(user, self.instance, self._model_name)
readable_fields = {perm.field_name for perm
in perms
if perm.allows_reads}
fields = set(self._previous_state.keys())
unreadable_fields = fields - readable_fields
for field_name in unreadable_fields:
self.apply_change(field_name, None)
self._has_been_masked = True
def get_pending_fields(self, user):
"""
Evaluates the permissions for the current user and collects
fields that inheriting subclasses will want to treat as
special pending_edit fields.
"""
perms = permissions(user, self.instance, self._model_name)
fields_to_audit = []
for perm in perms:
if ((perm.permission_level == FieldPermission.WRITE_WITH_AUDIT and
perm.field_name in self._updated_fields())):
fields_to_audit.append(perm.field_name)
return fields_to_audit
def save_with_user(self, user, *args, **kwargs):
updated_fields = self._updated_fields()
if self.pk is None:
audit_type = Audit.Type.Insert
else:
audit_type = Audit.Type.Update
field_perm = None
model = self.field_definition.model_type
field = 'udf:%s' % self.field_definition.name
perms = permissions(user, self.field_definition.instance,
model_name=model)
for perm in perms:
if perm.field_name == field and perm.allows_writes:
field_perm = perm
break
if field_perm is None:
raise AuthorizeException("Cannot save UDF field '%s.%s': "
"No sufficient permission found."
% (model, self.field_definition.name))
if field_perm.permission_level == FieldPermission.WRITE_WITH_AUDIT:
model_id = _reserve_model_id(UserDefinedCollectionValue)
pending = True
for field, (oldval, _) in updated_fields.iteritems():
self.apply_change(field, oldval)
else:
pending = False
super(UserDefinedCollectionValue, self).save_with_user(
user, *args, **kwargs)
model_id = self.pk
if audit_type == Audit.Type.Insert:
updated_fields['id'] = [None, model_id]
for field, (old_val, new_val) in updated_fields.iteritems():
Audit.objects.create(
current_value=new_val,
previous_value=old_val,
model='udf:%s' % self.field_definition.pk,
model_id=model_id,
field=field,
instance=self.field_definition.instance,
user=user,
action=audit_type,
requires_auth=pending)
def save_with_user(self, user, *args, **kwargs):
updated_fields = self._updated_fields()
if self.pk is None:
audit_type = Audit.Type.Insert
else:
audit_type = Audit.Type.Update
field_perm = None
model = self.field_definition.model_type
field = 'udf:%s' % self.field_definition.name
perms = permissions(user,
self.field_definition.instance,
model_name=model)
for perm in perms:
if perm.field_name == field and perm.allows_writes:
field_perm = perm
break
if field_perm is None:
raise AuthorizeException("Cannot save UDF field '%s.%s': "
"No sufficient permission found." %
(model, self.field_definition.name))
if field_perm.permission_level == FieldPermission.WRITE_WITH_AUDIT:
model_id = _reserve_model_id(UserDefinedCollectionValue)
pending = True
for field, (oldval, _) in updated_fields.iteritems():
self.apply_change(field, oldval)
else:
pending = False
super(UserDefinedCollectionValue,
self).save_with_user(user, *args, **kwargs)
model_id = self.pk
if audit_type == Audit.Type.Insert:
updated_fields['id'] = [None, model_id]
for field, (old_val, new_val) in updated_fields.iteritems():
Audit.objects.create(current_value=new_val,
previous_value=old_val,
model='udf:%s' % self.field_definition.pk,
model_id=model_id,
field=field,
instance=self.field_definition.instance,
user=user,
action=audit_type,
requires_auth=pending)
def _get_perms_set(self, user, direct_only=False):
if not self.instance:
raise AuthorizeException(trans(
"Cannot retrieve permissions for this object because "
"it does not have an instance associated with it."))
perms = permissions(user, self.instance, self._model_name)
if direct_only:
perm_set = {perm.field_name
for perm in perms
if perm.permission_level ==
FieldPermission.WRITE_DIRECTLY}
else:
perm_set = {perm.field_name for perm in perms
if perm.allows_writes}
return perm_set
def _verify_user_can_apply_audit(audit, user):
"""
Make sure that user has "write direct" permissions
for the given audit's fields.
If the model is a udf collection, verify the user has
write directly permission on the UDF
"""
# This comingling here isn't really great...
# However it allows us to have a pretty external interface in that
# UDF collections can have a single permission based on the original
# model, instead of having to assign a bunch of new ones.
from udf import UserDefinedFieldDefinition
if audit.model.startswith('udf:'):
udf = UserDefinedFieldDefinition.objects.get(pk=audit.model[4:])
field = 'udf:%s' % udf.name
model = udf.model_type
else:
field = audit.field
model = audit.model
perms = permissions(user, audit.instance, model)
foundperm = False
for perm in perms:
if perm.field_name == field:
if perm.permission_level == FieldPermission.WRITE_DIRECTLY:
foundperm = True
break
else:
raise AuthorizeException(
"User %s can't edit field %s on model %s" %
(user, field, model))
if not foundperm:
raise AuthorizeException(
"User %s can't edit field %s on model %s (No permissions found)" %
(user, field, model))
def extra_select_and_values_for_model(
instance, job, table, model, prefix=None):
if prefix:
prefix += '__'
else:
prefix = ''
perms = permissions(job.user, instance, model)
extra_select = {}
prefixed_names = []
for perm in perms:
field_name = perm.field_name
prefixed_name = prefix + field_name
if field_name.startswith('udf:'):
name = field_name[4:]
extra_select[prefixed_name] = "%s.udfs->'%s'" % (table, name)
prefixed_names.append(prefixed_name)
return (extra_select, prefixed_names)
def extra_select_and_values_for_model(
instance, job, table, model, prefix=None):
if prefix:
prefix += '__'
else:
prefix = ''
perms = permissions(job.user, instance, model)
extra_select = {}
prefixed_names = []
for perm in perms:
field_name = perm.field_name
prefixed_name = prefix + field_name
if field_name.startswith('udf:'):
name = field_name[4:]
extra_select[prefixed_name] = "%s.udfs->'%s'" % (table, name)
prefixed_names.append(prefixed_name)
return (extra_select, prefixed_names)
def _perms_for_user(self, user):
return permissions(user, self.instance, self._model_name)
def test_empty_model_name(self):
perms = permissions(self.user, self.instance)
self.assertEqual(len(perms), FieldPermission.objects.filter(
instance=self.instance, role=self.user.get_role(self.instance))
.count())
def test_empty_model_name(self):
perms = permissions(self.user, self.instance)
self.assertEqual(len(perms), 80)
def get_user_permission(self, user, expectedCount, model_name='Plot',
field_name='geom'):
perms = permissions(user, self.instance, model_name)
return self.get_permission(perms, field_name, expectedCount)
