Ejemplo n.º 1
def _check_can_read_data(data, user):
    """ Raise unless `user` owns `data` or can read the workspace holding it.

    Access is granted when `data.user_id` equals `str(user.id)`. Otherwise
    the data must carry a non-None `workspace` that is part of the result of
    `workspace_api.get_all_workspaces_with_read_access_by_user(user)`.

    Args:
        data: object exposing `user_id` and, optionally, `workspace`.
        user: object exposing `id`.

    Returns:
        None when the access is allowed.

    Raises:
        AccessControlError: the user is not the owner and the data either has
            no workspace or sits in a workspace the user cannot read.
    """
    # the owner can always read its own data
    if data.user_id == str(user.id):
        return

    # a missing `workspace` attribute is handled like an unset workspace
    data_workspace = getattr(data, 'workspace', None)
    if data_workspace is not None:
        readable_workspaces = workspace_api.get_all_workspaces_with_read_access_by_user(
            user)
        if data_workspace in readable_workspaces:
            return

    # deny by default: no workspace, or workspace not readable by the user
    raise AccessControlError(
        "The user doesn't have enough rights to access this " +
        get_data_label() + ".")
Ejemplo n.º 2
def can_write_data_workspace(func, data, workspace, user):
    """ Run `func(data, workspace, user)` once the write checks have passed.

    Superusers skip every check. For any other user the checks run in this
    order: rights on the target workspace (publish permission when it is
    public, write access otherwise), write rights on the data, then the
    unpublish rule controlled by `CAN_SET_PUBLIC_DATA_TO_PRIVATE`.

    Args:
        func: callable invoked as `func(data, workspace, user)`.
        data: object exposing `workspace`.
        workspace: target workspace, or None.
        user: object exposing `is_superuser`.

    Returns:
        Whatever `func` returns.

    Raises:
        AccessControlError: the data is in a public workspace, unpublishing
            is disabled, and the target is None or not public. The helper
            checks called here may raise it as well.
    """
    if not user.is_superuser:
        # rights on the target workspace
        if workspace is not None:
            if workspace_api.is_workspace_public(workspace):
                # a public target requires the publish permission
                has_perm_publish_data(user)
            else:
                _check_can_write_workspace(workspace, user)

        # rights on the data itself
        check_can_write_data(data, user)

        # when unpublishing is disabled, data in a public workspace may not
        # move to a private workspace or to no workspace at all
        if (CAN_SET_PUBLIC_DATA_TO_PRIVATE is False
                and data.workspace is not None
                and workspace_api.is_workspace_public(data.workspace)
                and (workspace is None
                     or workspace_api.is_workspace_public(workspace) is False)):
            raise AccessControlError("The data can not be unpublished.")

    return func(data, workspace, user)
Ejemplo n.º 3
def has_perm_publish_data(user):
    """ Raise unless `user` holds the publish-data permission.

    The permission is looked up with
    `permissions_api.get_by_codename(rights.publish_data)` and checked through
    `user.has_perm` under the name "<app_label>.<codename>".

    Args:
        user: object exposing `has_perm`.

    Returns:
        None when the user holds the permission.

    Raises:
        AccessControlError: `user.has_perm` returned a falsy value.
    """
    permission = permissions_api.get_by_codename(rights.publish_data)
    app_label = permission.content_type.app_label
    permission_name = app_label + '.' + permission.codename

    if user.has_perm(permission_name):
        return

    raise AccessControlError("The user doesn't have enough rights to publish this data.")
Ejemplo n.º 4
def _check_is_owner_workspace(workspace, user):
    """ Raise unless `user` is the owner of `workspace`.

    Ownership means `workspace.owner` equals `str(user.id)`.

    Args:
        workspace: object exposing `owner`.
        user: object exposing `id`.

    Returns:
        None when the user is the owner.

    Raises:
        AccessControlError: the owner differs from the user's id.
    """
    # the user id is converted to a string before the comparison
    user_is_owner = workspace.owner == str(user.id)
    if user_is_owner:
        return

    raise AccessControlError("The user does not have the permission. The user is not the owner of this workspace.")
Ejemplo n.º 5
def _check_can_write_workspace(workspace, user):
    """ Raise unless `workspace` is one the user can write into.

    Args:
        workspace: workspace to look for in the user's writable workspaces.
        user: passed to
            `workspace_api.get_all_workspaces_with_write_access_by_user`.

    Returns:
        None when the workspace is writable by the user.

    Raises:
        AccessControlError: the workspace is not in the writable set.
    """
    writable_workspaces = workspace_api.get_all_workspaces_with_write_access_by_user(user)
    if workspace in writable_workspaces:
        return

    raise AccessControlError("The user does not have the permission to write into this workspace.")
Ejemplo n.º 6
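def can_user_modify_template_version_manager(template_version_manager, user):
    """ Raise unless `user` may modify the template version manager.

    Superusers and staff are always allowed. Any other user must be the
    owner, i.e. `template_version_manager.user` must match `user.id`.

    Args:
        template_version_manager: object exposing `user` (the owner id).
        user: object exposing `is_superuser`, `is_staff` and `id`.

    Returns:
        None when the modification is allowed.

    Raises:
        AccessControlError: the user is neither superuser, staff nor owner.
    """
    if user.is_superuser is False and user.is_staff is False:
        # Compare both ids as strings. A raw `!=` between a stored string id
        # and an integer `user.id` is always true, which would lock the real
        # owner out.
        # NOTE(review): an owner of None and a user id of None compare equal
        # here, as they did with the raw comparison; confirm callers reject
        # unauthenticated users before reaching this check.
        if str(template_version_manager.user) != str(user.id):
            raise AccessControlError(
                "You don't have the permission to update this object.")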
Ejemplo n.º 7
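def has_perm_administration(func, *args, **kwargs):
    """ Run `func(*args, **kwargs)` only when the first argument is a superuser.

    The user is expected as the first positional argument. A missing
    argument, or one without an `is_superuser` attribute, is denied.

    Args:
        func: callable to run once the check has passed.
        *args: positional arguments for `func`; `args[0]` is the user.
        **kwargs: keyword arguments for `func`.

    Returns:
        Whatever `func` returns.

    Raises:
        AccessControlError: `args[0]` is missing, has no `is_superuser`
            attribute, or is not a superuser.
    """
    # Guard only the privilege lookup. Wrapping the call to `func` as well
    # would report every failure inside `func` as a rights problem and hide
    # the real error from callers and logs.
    try:
        is_admin = bool(args[0].is_superuser)
    except (IndexError, AttributeError):
        # no user given, or an object that is not a user: deny
        is_admin = False

    if not is_admin:
        raise AccessControlError("The user doesn't have enough rights to access this data.")

    return func(*args, **kwargs)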
Ejemplo n.º 8
def can_change_owner(func, data, new_user, user):
    """ Run `func(data, new_user, user)` when `user` may change the owner of `data`.

    Superusers are always allowed. Any other user must be the current owner,
    i.e. `data.user_id` must equal `str(user.id)`.

    Args:
        func: callable invoked as `func(data, new_user, user)`.
        data: object exposing `user_id`.
        new_user: passed through to `func` unchanged.
        user: object exposing `is_superuser` and `id`.

    Returns:
        Whatever `func` returns.

    Raises:
        AccessControlError: the user is neither a superuser nor the owner.
    """
    # the ownership test is skipped entirely for superusers
    if not user.is_superuser and data.user_id != str(user.id):
        raise AccessControlError("The user doesn't have enough rights to access this data.")

    return func(data, new_user, user)
Ejemplo n.º 9
    def validate_id(self, id):
        """ Validate the id field against the blob it refers to.

        The blob is loaded with `blob_api.get_by_id`. The id is accepted when
        the requesting user is a superuser or when `str(request.user.id)`
        equals the blob's `user_id`.

        Args:
            id: identifier of the blob.

        Returns:
            The `id` that was passed in, unchanged.

        Raises:
            Http404: no blob exists for this id.
            AccessControlError: the requesting user is neither a superuser
                nor the owner of the blob.
        """
        # `self.context.get` returns None when no request was put in the
        # context; the `request.user` access below would then raise
        # AttributeError.
        request = self.context.get('request')

        # NOTE(review): the existence check runs before the ownership check,
        # so an unknown id and another user's id produce different errors.
        # Confirm that difference is acceptable for this endpoint.
        try:
            blob_object = blob_api.get_by_id(id)
        except DoesNotExist:
            raise Http404

        requester = request.user
        if requester.is_superuser is False and str(requester.id) != blob_object.user_id:
            raise AccessControlError("You don't have the permission to delete this id: {0}".format(id))

        return id
Ejemplo n.º 10
def _check_can_read_data_list(data_list, user):
    """ Raise unless the user can read every data of the list.

    An empty list passes without any lookup. Each data must either be owned
    by the user (`data.user_id` equals `str(user.id)`) or sit in a workspace
    returned by `workspace_api.get_all_workspaces_with_read_access_by_user`.

    Args:
        data_list: sized iterable of objects exposing `user_id` and
            `workspace`.
        user: object exposing `id`.

    Returns:
        None when every data is readable.

    Raises:
        AccessControlError: on the first data that is not owned by the user
            and has no workspace or a workspace the user cannot read.
    """
    if len(data_list) == 0:
        return

    # fetched once for the whole list
    readable_workspaces = workspace_api.get_all_workspaces_with_read_access_by_user(user)

    for item in data_list:
        owned_by_user = item.user_id == str(user.id)
        # a data that is not owned needs a readable workspace
        if not owned_by_user and (
                item.workspace is None or item.workspace not in readable_workspaces):
            raise AccessControlError("The user doesn't have enough rights to access this data.")
Ejemplo n.º 11
def can_delete_workspace(func, workspace, user):
    """ Run `func(workspace, user)` when `user` may delete `workspace`.

    Superusers are always allowed. Any other user must pass
    `_check_is_owner_workspace`, and a public workspace cannot be deleted
    while `CAN_SET_PUBLIC_DATA_TO_PRIVATE` is False.

    Args:
        func: callable invoked as `func(workspace, user)`.
        workspace: object exposing `is_public`.
        user: object exposing `is_superuser`.

    Returns:
        Whatever `func` returns.

    Raises:
        AccessControlError: the workspace is public and unpublishing is
            disabled. The ownership check may raise it as well.
    """
    if not user.is_superuser:
        # ownership is checked first
        _check_is_owner_workspace(workspace, user)

        # a public workspace stays when unpublishing is disabled
        if CAN_SET_PUBLIC_DATA_TO_PRIVATE is False and workspace.is_public:
            raise AccessControlError("The workspace can not be deleted.")

    return func(workspace, user)
Ejemplo n.º 12
def can_user_set_workspace_public(func, workspace, user):
    """ Run `func(workspace, user)` when `user` may make `workspace` public.

    Superusers are always allowed. Any other user must pass
    `_check_is_owner_workspace` and hold the permission returned by
    `permissions_api.get_by_codename(rights.publish_data)`.

    Args:
        func: callable invoked as `func(workspace, user)`.
        workspace: workspace to make public.
        user: object exposing `is_superuser` and `has_perm`.

    Returns:
        Whatever `func` returns.

    Raises:
        AccessControlError: the user lacks the publish permission. The
            ownership check may raise it as well.
    """
    if not user.is_superuser:
        # ownership is checked before the publish permission
        _check_is_owner_workspace(workspace, user)

        permission = permissions_api.get_by_codename(rights.publish_data)
        # name passed to `user.has_perm` is "<app_label>.<codename>"
        permission_name = permission.content_type.app_label + '.' + permission.codename
        if not user.has_perm(permission_name):
            raise AccessControlError("You don't have enough rights to set public this workspace.")

    return func(workspace, user)