def __user_and_group_permissions__():
#Querysets, se utiliza para hacer busquedas en cache
perms_user_list = [(perm.codename, perm.name) for perm in get_perms_for_model((User))]
perms_group_list = [(perm.codename, perm.name) for perm in get_perms_for_model(Group)]
perms = []
#se agrega a perms los permisos asociados a el usuario y al rol
perms.extend(perms_user_list)
perms.extend(perms_group_list)
return perms
def set_guardian_permissions(user=None, profile=None, *args, **kwargs):
if not user or not user.is_authenticated():
return
if profile:
for perm in get_perms_for_model(Profile):
assign_perm(perm.codename, user, profile)
for perm in get_perms_for_model(User)[1:]:
assign_perm(perm.codename, user, user)
def __user_and_group_permissions__():
"""
perimisos de grupos de usuarios.
:return: lista con los permisos que pueden asignarse a usuarios.
"""
perms_user_list = [(perm.codename, perm.name) for perm in get_perms_for_model(User)]
perms_group_list = [(perm.codename, perm.name) for perm in get_perms_for_model(Group)]
perms = []
perms.extend(perms_user_list)
perms.extend(perms_group_list)
return perms
def wrapper(request, *args, **kwargs):
success = False
user = request.user
# check if user has perm for Organization
# if 'organization_id' in kwargs.keys():
if perm in [p.codename for p in get_perms_for_model(Organization)]:
organization = Organization.objects.get(id=kwargs["organization_id"])
if user.has_perm(perm, organization):
success = True
else:
code = 1
# or, check if user has perm for Job
# elif 'job_id' in kwargs.keys():
if perm in [p.codename for p in get_perms_for_model(Job)]:
job = Job.objects.get(id=kwargs["job_id"])
if user.has_perm(perm, job):
success = True
else:
code = 2
# or, check if user has perm for JobRequest
# elif 'job_id' in kwargs.keys():
if perm in [p.codename for p in get_perms_for_model(JobRequest)]:
job = Job.objects.get(id=kwargs["job_id"])
jobrequest = JobRequest.objects.get(job_id=kwargs["job_id"], organization_id=kwargs["organization_id"])
if user.has_perm(perm, jobrequest):
success = True
else:
code = 3
# or, check if user has perm for User
# just check if user id is equal
elif "user_id" in kwargs.keys():
if request.user == User.objects.get(id=kwargs["user_id"]):
success = True
else:
code = 4
if success == True:
return func(request, *args, **kwargs)
else:
message = "You do not have access to this resource. Error {0}"
messages.add_message(request, messages.ERROR, message.format(code))
return render(request, "dbtest/confirm.html")
def set_object_permissions(sender, instance=None, created=False, **kwargs):
if created:
for perm in get_perms_for_model(UserProfile):
assign_perm(perm.codename, instance.user, instance)
if instance.created_by:
assign_perm(perm.codename, instance.created_by, instance)
def _update_perms(target, role, container):
''' Function to update the permissions of the 'target'(User or Group)
for a given container in correspondence to a given role.
role can take several values corresponding to the following permissions:
none - no permissions
Reader - 'view'
Contributor - 'view' + 'change'
Editor - 'view' + 'change' + 'delete'
Administrator - 'view' + 'change' + 'delete' + 'admin'
'''
perms = get_perms_for_model(Container)
l_perm = []
for i in range(len(perms)):
l_perm.append(perms[i].codename)
for permission in l_perm:
remove_perm(permission, target, container)
if role == 'none':
if target == Group.objects.get(name='public'):
container.public = False
container.save()
return
assign('view_container', target, container)
if role == 'Reader':
if target == Group.objects.get(name='public'):
container.public = True
container.save()
return
assign('change_container', target, container)
if role == 'Contributor':
return
assign('delete_container', target, container)
if role == 'Editor':
return
assign('admin_container', target, container)
def test_view_manage_group(self):
self._login_superuser()
url = reverse("admin:%s_%s_permissions_manage_group" % self.obj_info, args=[self.obj.pk, self.group.id])
response = self.client.get(url)
self.assertEqual(response.status_code, 200)
choices = set([c[0] for c in response.context["form"].fields["permissions"].choices])
self.assertEqual(set([p.codename for p in get_perms_for_model(self.obj)]), choices)
# Add some perms and check if changes were persisted
perms = ["change_%s" % self.obj_info[1], "delete_%s" % self.obj_info[1]]
data = {"permissions": perms}
response = self.client.post(url, data, follow=True)
self.assertEqual(len(response.redirect_chain), 1)
self.assertEqual(response.redirect_chain[0][1], 302)
self.assertEqual(set(get_perms(self.group, self.obj)), set(perms))
# Remove perm and check if change was persisted
perms = ["delete_%s" % self.obj_info[1]]
data = {"permissions": perms}
response = self.client.post(url, data, follow=True)
self.assertEqual(len(response.redirect_chain), 1)
self.assertEqual(response.redirect_chain[0][1], 302)
self.assertEqual(set(get_perms(self.group, self.obj)), set(perms))
def rm_org_perms(sender, instance=None, **kwargs):
perms = get_perms_for_model(apps.get_model('app_mgr', 'Organization'))
instance.org.admin_group.user_set.remove(instance.user)
instance.org.member_group.user_set.remove(instance.user)
for perm in perms:
remove_perm(perm.codename, instance.user, instance.org)
def create_owner_team_and_permissions(sender, instance, created, **kwargs):
"""
Signal handler that creates the Owner team and assigns group and user
permissions.
"""
if created:
team = Team.objects.create(
name=Team.OWNER_TEAM_NAME, organization=instance.user,
created_by=instance.created_by)
content_type = ContentType.objects.get(
app_label='api', model='organizationprofile')
permission, created = Permission.objects.get_or_create(
codename="is_org_owner", name="Organization Owner",
content_type=content_type)
team.permissions.add(permission)
instance.creator.groups.add(team)
for perm in get_perms_for_model(instance.__class__):
assign_perm(perm.codename, instance.user, instance)
if instance.creator:
assign_perm(perm.codename, instance.creator, instance)
if instance.created_by and instance.created_by != instance.creator:
assign_perm(perm.codename, instance.created_by, instance)
def assign_forum_permissions(request, id, gid):
if not request.user.is_superuser:
return HttpResponseForbidden()
obj = get_object_or_404(Forum, id=id)
group = get_object_or_404(Group, id=gid)
obj_permissions = get_perms_for_model(Forum).exclude(codename__in=["add_forum", "can_views_forums"])
ctype = ContentType.objects.get_for_model(obj)
perms = []
for group_perm in GroupObjectPermission.objects.filter(group=group, content_type=ctype, object_pk=obj.id):
perms.append(group_perm.permission)
# print perms
PermissionsForm = get_permissions_form(obj_permissions.select_related(), initial=perms)
if request.method == "POST":
form = PermissionsForm(request.POST)
if form.is_valid():
for perm in obj_permissions:
remove_perm(perm.codename, group, obj)
for perm in form.cleaned_data["perms"]:
assign(perm.codename, group, obj)
else:
form = PermissionsForm()
return render(request, "forum/frontend/edit_permissions.html", {"forum": obj, "group": group, "form": form})
def save(self, *args, **kwargs):
self._set_title()
old_id_string = self.id_string
self._set_id_string()
self._set_encrypted_field()
# check if we have an existing id_string,
# if so, the one must match but only if xform is NOT new
if self.pk and old_id_string and old_id_string != self.id_string:
raise XLSFormError(
_(u"Your updated form's id_string '%(new_id)s' must match "
"the existing forms' id_string '%(old_id)s'." %
{'new_id': self.id_string, 'old_id': old_id_string}))
if getattr(settings, 'STRICT', True) and \
not re.search(r"^[\w-]+$", self.id_string):
raise XLSFormError(_(u'In strict mode, the XForm ID must be a '
'valid slug and contain no spaces.'))
if not self.sms_id_string:
try:
# try to guess the form's wanted sms_id_string
# from it's json rep (from XLSForm)
# otherwise, use id_string to ensure uniqueness
self.sms_id_string = json.loads(self.json).get('sms_keyword',
self.id_string)
except:
self.sms_id_string = self.id_string
super(XForm, self).save(*args, **kwargs)
for perm in get_perms_for_model(XForm):
assign_perm(perm.codename, self.user, self)
def set_object_permissions(sender, instance=None, created=False, **kwargs):
if created:
for perm in get_perms_for_model(Team):
assign_perm(perm.codename, instance.organization, instance)
if instance.created_by:
assign_perm(perm.codename, instance.created_by, instance)
def user_project_permissions(request):
""" If a user is authenticated, this method returns a dictionary that
stores whether the user has a specific permission on a project. If a user
is not authenticated and the request is done by the anonymous user, the
permissions for the anonymous user are returned. Otherwise, this dictionary
will be empty.
"""
result = {}
if request.user.is_authenticated() or request.user.is_anonymous:
projectPerms = get_perms_for_model(Project)
permNames = [perm.codename for perm in projectPerms]
# Find out what permissions a user actually has for any of those projects.
projects = get_objects_and_perms_for_user(request.user, permNames,
Project, any_perm = True)
# Build the result data structure
for project_id in projects:
userPerms = projects[project_id]
# Iterate the codenames of available permissions and store
# whether the user has them for a specific project
for permName in permNames:
if permName not in result:
result[permName] = {}
result[permName][project_id] = permName in userPerms
# Obtain the list of groups of the user
groups = list(Group.objects.filter(user=request.user).values_list('name', flat=True))
else:
groups = []
return HttpResponse(json.dumps((result, groups)))
def user_project_permissions(request):
""" If a user is authenticated, this method returns a dictionary that
stores whether the user has a specific permission on a project. If a user
is not authenticated, the request is done by Django's anonymous user, which
is different from Guardian's anonymous user. In this case, no permissions
are returned, because Django's anonymous user does not have a user profile.
A middleware should make sure Guardian's anonymous user is used for
anonymous requests, because it reports as authenticated and a profile will
be returned.
"""
permissions = {}
if request.user.is_authenticated:
projectPerms = get_perms_for_model(Project)
permNames = [perm.codename for perm in projectPerms]
# Find out what permissions a user actually has for any of those projects.
projects = get_objects_and_perms_for_user(request.user, permNames,
Project, any_perm = True)
# Build the result data structure
for project_id in projects:
userPerms = projects[project_id]
# Iterate the codenames of available permissions and store
# whether the user has them for a specific project
for permName in permNames:
perm_projects = permissions.get(permName)
if not perm_projects:
perm_projects = []
permissions[permName] = perm_projects
if permName in userPerms:
perm_projects.append(project_id)
# Obtain the list of groups of the user
groups = list(Group.objects.filter(user=request.user).values_list('name', flat=True))
else:
groups = []
return JsonResponse((permissions, groups), safe=False)
def formfield_for_dbfield(self, db_field, **kwargs):
if db_field.name == 'permission':
perm_choices = get_perms_for_model(self.parent_model)
kwargs['queryset'] = perm_choices
kwargs.pop('request', None)
return db_field.formfield(**kwargs)
return super(BasePermissionInline, self).formfield_for_dbfield(db_field, **kwargs)
def project_post_save(sender, instance, created, **kwargs):
"""
Automatically assigns all permissions to the owner. If the owner changes
it's up to the user/developer to remove the previous owner's permissions.
"""
for perm in get_perms_for_model(sender).all():
assign_perm(perm.codename, instance.owner, instance)
def assign_topic_permissions(request, id, gid):
if not request.user.is_superuser:
return HttpResponseForbidden()
obj = get_object_or_404(Topic, id=id)
group = get_object_or_404(Group, id=gid)
obj_permissions = get_perms_for_model(Topic).exclude(codename__in=['add_topic', ])
ctype = ContentType.objects.get_for_model(obj)
perms = []
for group_perm in GroupObjectPermission.objects.filter(group=group,content_type=ctype, object_pk=obj.id):
perms.append(group_perm.permission)
PermissionsForm = get_permissions_form(obj_permissions.select_related(), initial=perms)
if request.method == 'POST':
form = PermissionsForm(request.POST)
if form.is_valid():
for perm in obj_permissions:
remove_perm(perm.codename, group, obj)
for perm in form.cleaned_data['perms']:
assign(perm.codename, group, obj )
else:
form = PermissionsForm()
return render(request, 'forum/frontend/edit_topic_permissions.html', {
'topic': obj,
'group': group,
'form':form,
})
def get_model_perm(user, model, perm_prefix='access_'):
group_permissions = user.groups.first().permissions.all()
package, __ = model.__module__.split('.')
for perm in get_perms_for_model(model):
if perm_prefix in perm.codename and perm in group_permissions:
return package + '.' + perm.codename
return None
def get_obj_perms_field_choices(self):
"""
Returns choices for object permissions management field. Default:
list of tuples ``(codename, name)`` for each ``Permission`` instance
for the managed object.
"""
choices = [(p.codename, p.name) for p in get_perms_for_model(self.obj)]
return choices
def setUpTestData(cls):
cls.user = mommy.make(UserProfile)
cls.group = mommy.make(Group, make_m2m=True)
for permission in get_perms_for_model(InformationDocument):
permission_name = "{}.{}".format(permission.content_type.app_label, permission.codename)
assign_perm(permission_name, cls.group)
cls.group.save()
mommy.make(InformationDocument)
def set_api_permissions_for_user(user):
models = [
UserProfile, XForm, MergedXForm, Project, Team, OrganizationProfile,
Note
]
for model in models:
for perm in get_perms_for_model(model):
assign_perm('%s.%s' % (perm.content_type.app_label, perm.codename),
user)
def get_obj_perms_field_choices(self):
"""
Returns choices for object permissions management field. Default:
list of tuples ``(codename, name)`` for each ``Permission`` instance
for the managed object.
"""
choices = []
for p in shortcuts.get_perms_for_model(self.model):
if not p.codename.startswith("add_") and not p.codename.startswith("delete_"):
choices.append((p.codename, p.codename))
return choices
def test_get_perms_for_model(self):
self.assertEqual(get_perms_for_model(self.user).count(), 3)
self.assertTrue(list(get_perms_for_model(self.user)) == list(get_perms_for_model(User)))
self.assertEqual(get_perms_for_model(Permission).count(), 3)
model_str = "contenttypes.ContentType"
self.assertEqual(
sorted(get_perms_for_model(model_str).values_list()), sorted(get_perms_for_model(ContentType).values_list())
)
obj = ContentType()
self.assertEqual(
sorted(get_perms_for_model(model_str).values_list()), sorted(get_perms_for_model(obj).values_list())
)
def get_objects_and_perms_for_user(user, codenames, klass, use_groups=True, any_perm=False):
""" Similar to what guardian's get_objects_for_user method does,
this method return a dictionary of object IDs (!) of model klass
objects with the permissions the user has on them associated.
These permissions may result from explicit user permissions or
implicit group ones. Parts of the source code are takes from
django-guardian. Note, that there an object list is returned. In
contrast this method returns object IDs and the permissions on
the actual objects.
"""
# Get QuerySet on and ContentType of the model
queryset = _get_queryset(klass)
ctype = ContentType.objects.get_for_model(queryset.model)
# A super user has all permissions available on all the objects
# of a model.
if user.is_superuser:
# Get all permissions for the model
perms = get_perms_for_model(klass)
permNames = set(perm.codename for perm in perms)
pk_dict = {}
for p in queryset:
pk_dict[p.id] = permNames
return pk_dict
# Extract a list of tuples that contain an object's primary
# key and a permission codename that the user has on them.
user_obj_perms = UserObjectPermission.objects\
.filter(user=user)\
.filter(permission__content_type=ctype)\
.filter(permission__codename__in=codenames)\
.values_list('object_pk', 'permission__codename')
data = list(user_obj_perms)
if use_groups:
groups_obj_perms = GroupObjectPermission.objects\
.filter(group__user=user)\
.filter(permission__content_type=ctype)\
.filter(permission__codename__in=codenames)\
.values_list('object_pk', 'permission__codename')
data += list(groups_obj_perms)
# sorting/grouping by pk (first in result tuple)
keyfunc = lambda t: int(t[0])
data = sorted(data, key=keyfunc)
# Create the result dictionary, associating one object id
# with a set of permissions the user has for it.
pk_dict = {}
for pk, group in groupby(data, keyfunc):
obj_codenames = set((e[1] for e in group))
if any_perm or codenames.issubset(obj_codenames):
pk_dict[pk] = obj_codenames
return pk_dict
def setUp(self):
self.user = UserProfile.objects.create_user("testuser")
self.user.save()
self.group = Group.objects.create(name="test_group")
for permission in get_perms_for_model(InformationDocument):
permission_name = "{}.{}".format(permission.content_type.app_label, permission.codename)
assign_perm(permission_name, self.group)
self.group.save()
document = InformationDocument(title="title", text="text", author=self.user)
document.save()
def test_get_perms_for_model(self):
self.assertEqual(get_perms_for_model(self.user).count(), 3)
self.assertTrue(list(get_perms_for_model(self.user)) ==
list(get_perms_for_model(User)))
self.assertEqual(get_perms_for_model(Permission).count(), 3)
model_str = 'guardian.Keycard'
self.assertEqual(
sorted(get_perms_for_model(model_str).values_list()),
sorted(get_perms_for_model(Keycard).values_list()))
key = Keycard()
self.assertEqual(
sorted(get_perms_for_model(model_str).values_list()),
sorted(get_perms_for_model(key).values_list()))
def set_object_permissions(sender, instance=None, created=False, **kwargs):
if created:
for perm in get_perms_for_model(Team):
assign_perm(perm.codename, instance.organization, instance)
organization = instance.organization.profile
if instance.created_by:
assign_perm(perm.codename, instance.created_by, instance)
if hasattr(organization, 'creator') and \
organization.creator != instance.created_by:
assign_perm(perm.codename, organization.creator, instance)
if organization.created_by != instance.created_by:
assign_perm(perm.codename, organization.created_by, instance)
def get_elements_with_perms_cls(element, cls, attach_perms=False):
""" This is a slightly adapted version of guardians
group retrieval. It doesn't need an object instance.
"""
ctype = ContentType.objects.get_for_model(cls)
if not attach_perms:
return element.objects.all()
else:
elements = {}
for elem in get_elements_with_perms_cls(element, cls):
if not elem in elements:
elements[elem] = get_perms_for_model(cls)
return elements
def assign_perm(self, team, org):
for perm in get_perms_for_model(Team):
org = org.user \
if isinstance(org, OrganizationProfile) else org
assign_perm(perm.codename, org, team)
if team.created_by:
assign_perm(perm.codename, team.created_by, team)
if hasattr(org.profile, 'creator') and \
org.profile.creator != team.created_by:
assign_perm(perm.codename, org.profile.creator, team)
if org.profile.created_by != team.created_by:
assign_perm(perm.codename, org.profile.created_by, team)
def permission_callback(sender, instance, created, *args, **kwargs): """ callback that assigns default permissions to the saved object """ if sender not in Document.__subclasses__() or not created: return permissions = get_perms_for_model(instance) groups = Group.objects.all() for group in groups: for permission in group.permissions.all(): if permission in permissions: assign_perm(permission.codename, group, instance)
class ItemPermissionSerializer(serializers.Serializer):
permission = serializers.ChoiceField(choices=[(perm.codename, perm.name) for perm in get_perms_for_model(TaskItem)])
list_member = serializers.IntegerField(required=True)
def validate_list_member(self, value):
task_list = self.context['task_list']
try:
return task_list.members.get(pk=value)
except ObjectDoesNotExist:
raise serializers.ValidationError("User not a member of list")
def create(self, validated_data):
item = validated_data.get('item')
list_member = validated_data.get('list_member')
added_permission = validated_data.get('permission')
assigned_perm = assign_perm(perm=added_permission, user_or_group=list_member, obj=item)
return assigned_perm
def get(self, request):
"""Return a list of permissions
Get the list of the permissions for a group on a resource. These determine the access for the users
in the group on the resource
Args:
request: Django Rest framework request
Returns:
List of permissions
"""
try:
obj_list = []
group = request.query_params.get('group', None)
collection = request.query_params.get('collection', None)
experiment = request.query_params.get('experiment', None)
channel = request.query_params.get('channel', None)
# get permission sets for models
col_perms = [
perm.codename for perm in get_perms_for_model(Collection)
]
exp_perms = [
perm.codename for perm in get_perms_for_model(Experiment)
]
channel_perms = [
perm.codename for perm in get_perms_for_model(Channel)
]
resource_object = self.get_object(collection, experiment, channel)
if group and resource_object:
group = Group.objects.get(name=group)
resource_type = resource_object[1]
# filtering on both group and resource
resource = resource_object[0]
perms = get_perms(group, resource)
if len(perms) == 0:
# Nothing to return
data = {'permission-sets': []}
return Response(data, status=status.HTTP_200_OK)
if resource_type == 'collection':
obj = {
'group': group.name,
'collection': resource.name,
'permissions': perms
}
obj_list.append(obj)
data = {'permission-sets': obj_list}
elif resource_type == 'experiment':
obj = {
'group': group.name,
'collection': resource.collection.name,
'experiment': resource.name,
'permissions': perms
}
obj_list.append(obj)
data = {'permission-sets': obj_list}
else:
obj = {
'group': group.name,
'collection': resource.experiment.collection.name,
'experiment': resource.experiment.name,
'channel': resource.name,
'permissions': perms
}
obj_list.append(obj)
data = {'permission-sets': obj_list}
elif resource_object and not group:
# filtering on resource
resource = resource_object[0]
resource_type = resource_object[1]
list_member_groups = request.user.groups.all()
for group in list_member_groups:
perms = get_perms(group, resource)
if resource_type == 'collection' and len(perms) > 0:
obj = {
'group': group.name,
'collection': resource.name,
'permissions': perms
}
obj_list.append(obj)
elif resource_type == 'experiment' and len(perms) > 0:
obj = {
'group': group.name,
'collection': resource.collection.name,
'experiment': resource.name,
'permissions': perms
}
obj_list.append(obj)
elif resource_type == 'channel' and len(perms) > 0:
obj = {
'group': group.name,
'collection': resource.experiment.collection.name,
'experiment': resource.experiment.name,
'channel': resource.name,
'permissions': perms
}
obj_list.append(obj)
data = {'permission-sets': obj_list}
elif group and not resource_object:
# filtering on group
group = Group.objects.get(name=group)
col_list = get_objects_for_group(group,
perms=col_perms,
klass=Collection,
any_perm=True)
for col in col_list:
col_perms = get_perms(group, col)
obj = {
'group': group.name,
'collection': col.name,
'permissions': col_perms
}
obj_list.append(obj)
exp_list = get_objects_for_group(group,
perms=exp_perms,
klass=Experiment,
any_perm=True)
for exp in exp_list:
exp_perms = get_perms(group, exp)
obj_list.append({
'group': group.name,
'collection': exp.collection.name,
'experiment': exp.name,
'permissions': exp_perms
})
ch_list = get_objects_for_group(group,
perms=channel_perms,
klass=Channel,
any_perm=True)
for channel in ch_list:
channel_perms = get_perms(group, channel)
obj_list.append({
'group':
group.name,
'collection':
channel.experiment.collection.name,
'experiment':
channel.experiment.name,
'channel':
channel.name,
'permissions':
channel_perms
})
data = {'permission-sets': obj_list}
else:
# no filtering
list_member_groups = request.user.groups.all()
for group in list_member_groups:
col_list = get_objects_for_group(group,
perms=col_perms,
klass=Collection,
any_perm=True)
for col in col_list:
col_perms = get_perms(group, col)
obj = {
'group': group.name,
'collection': col.name,
'permissions': col_perms
}
obj_list.append(obj)
exp_list = get_objects_for_group(group,
perms=exp_perms,
klass=Experiment,
any_perm=True)
for exp in exp_list:
exp_perms = get_perms(group, exp)
obj_list.append({
'group': group.name,
'collection': exp.collection.name,
'experiment': exp.name,
'permissions': col_perms
})
ch_list = get_objects_for_group(group,
perms=channel_perms,
klass=Channel,
any_perm=True)
for channel in ch_list:
channel_perms = get_perms(group, channel)
obj_list.append({
'group':
group.name,
'collection':
channel.experiment.collection.name,
'experiment':
channel.experiment.name,
'channel':
channel.name,
'permissions':
col_perms
})
data = {'permission-sets': obj_list}
return Response(data, status=status.HTTP_200_OK)
except Group.DoesNotExist:
return BossGroupNotFoundError(group)
except Permission.DoesNotExist:
return BossHTTPError(
"Invalid permissions in post".format(
request.data['permissions']),
ErrorCodes.UNRECOGNIZED_PERMISSION)
except BossError as err:
return err.to_http()
def user_permitted_tree(user):
"""Generate a dictionary of the representing a folder tree composed of
the elements the user is allowed to acccess.
"""
# Init
user_tree = {}
# Dynamically collect permission to avoid hardcoding
# Note: Any permission to an element is the same as read permission so
# they are all included.
file_perm_list = [
f'data_driven_acquisition.{perm}' for perm in get_perms_for_model(
'data_driven_acquisition.File').values_list('codename', flat=True)
]
folder_perm_list = [
f'data_driven_acquisition.{perm}'
for perm in get_perms_for_model('data_driven_acquisition.Folder').
values_list('codename', flat=True)
]
# Collect all permistted elements
permitted_folders = get_objects_for_user(user,
folder_perm_list,
any_perm=True).all()
permitted_files = get_objects_for_user(user, file_perm_list,
any_perm=True).all()
# Add all permitted folders to the user tree with their content and parents.
for folder_obj in permitted_folders:
# Get the folder content as tree
tree = get_folder_tree(folder_obj)
# Try to place the tree in the user tree
if not place_folder_in_tree(user_tree, folder_obj, tree):
# The parent is not in the user tree.
# Cresting the parent folder at root level and then completing the
# climb to the package level, mergin as needed.
user_tree[folder_obj] = tree
user_tree = climb_to_package(user_tree, folder_obj)
# Add all permitted files to the user tree with theirs parents.
for file_obj in permitted_files:
# Add to user tree iof the parent folder is already there.
if not place_file_in_tree(user_tree, file_obj):
# Cold not find the parent folder in the tree.
# Creating a base tree with the parent folder
# the file at root level and the climbing up to the Package
# Merging when required
tree = {
"files": [
file_obj,
]
}
user_tree[file_obj.parent] = tree
user_tree = climb_to_package(user_tree, file_obj.parent)
return user_tree
def get_editable_perms():
editable_perms = get_config_value('EDITABLE_PERMISSIONS')
perms = [(p.codename, p.name) for p in get_perms_for_model(Project)
if p.codename in editable_perms]
perms.sort(key=lambda pair: pair[0])
return perms
def get_permissions(self):
"""
Return a list of permissions related with this object
"""
return get_perms_for_model(self)
def set_api_permissions_for_user(user):
models = [UserProfile, XForm, Project, Team, OrganizationProfile, Note]
for model in models:
for perm in get_perms_for_model(model):
assign_perm('%s.%s' % (perm.content_type.app_label, perm.codename),
user)
def get(self, request, group_name=None):
"""
Get all groups
Args:
request: Django rest framework request
group_name: Group name from the request
Returns:
Group if the group exists
"""
if group_name is not None:
try:
group = Group.objects.get(name=group_name)
bgroup = BossGroup.objects.get(group=group)
data = {"name": group.name, "owner": bgroup.creator.username}
resources = []
# get permission sets for models
col_perms = [
perm.codename for perm in get_perms_for_model(Collection)
]
exp_perms = [
perm.codename for perm in get_perms_for_model(Experiment)
]
channel_perms = [
perm.codename for perm in get_perms_for_model(Channel)
]
# get objects for the group
col_list = get_objects_for_group(group,
perms=col_perms,
klass=Collection,
any_perm=True)
exp_list = get_objects_for_group(group,
perms=exp_perms,
klass=Experiment,
any_perm=True)
ch_list = get_objects_for_group(group,
perms=channel_perms,
klass=Channel,
any_perm=True)
for col in col_list:
obj = {'collection': col.name}
resources.append(obj)
for exp in exp_list:
obj = {
'collection': exp.collection.name,
'experiment': exp.name
}
resources.append(obj)
for ch in ch_list:
obj = {
'collection': ch.experiment.collection.name,
'experiment': ch.experiment.name,
'channel': ch.name
}
resources.append(obj)
data['resources'] = resources
return Response(data, status=200)
except Group.DoesNotExist:
return BossGroupNotFoundError(group_name)
else:
# Get all the groups that the logged in user is a member of
list_member_groups = request.user.groups.values_list('name',
flat=True)
member_groups = [name for name in list_member_groups]
# Get all groups that the user has maintainer permissions on
group_perms = [
perm.codename for perm in get_perms_for_model(BossGroup)
]
list_maintainer_groups = get_objects_for_user(request.user,
group_perms,
klass=BossGroup,
any_perm=True)
maintainer_groups = [
bgroup.group.name for bgroup in list_maintainer_groups
]
if 'filter' in request.query_params and request.query_params[
'filter'] == 'member':
data = {'groups': member_groups}
return Response(data, status=200)
elif 'filter' in request.query_params and request.query_params[
'filter'] == 'maintainer':
data = {'groups': maintainer_groups}
return Response(data, status=200)
elif 'filter' not in request.query_params:
all_groups = list(set(member_groups).union(maintainer_groups))
data = {'groups': all_groups}
else:
return BossHTTPError(
'Unrecogizes value {} in filter. Valid parameters are member or maintainer.',
ErrorCodes.UNABLE_TO_VALIDATE)
return Response(data, status=200)
def add_event_permissions(group):
perms = get_perms_for_model(Event)
for perm in perms:
assign_perm(perm, group)
def _assign_organization_team_perms(organization, user):
owners_team = get_organization_owners_team(organization.profile)
members_team = get_organization_members_team(organization.profile)
for perm in get_perms_for_model(Team):
assign_perm(perm.codename, user, owners_team)
assign_perm(perm.codename, user, members_team)
def __init__(self, request_user, editing_user, organization=None, league=None, *args, **kwargs):
self.organization = organization # current organization we are editing
self.league = league # league we are editing if on non-org-admin page
self.request_user = request_user # user requesting this page
self.editing_user = editing_user # user we are editing
self.regex = re.compile('^(org|league)(\d+)\_([A-Za-z0-9_]+)$')
self.helper = FormHelper()
super(PermissionsForm, self).__init__(*args, **kwargs)
if not self.organization and not self.league:
raise ValidationError("Both organization and league cannot be empty.")
if not self.organization:
self.organization = self.league.organization
# If leagues is left blank, we assume we are probably wanting to grab
# from all the leagues under the specified organization. The way this is
# setup could be confusing, I guess if you want to REALLY use it wrong.
# if not self.league:
# pass
leagues = None
# First, check if the current editing user has priviliges to edit
# users is this organization.
if self.request_user.has_perm("league:org_admin", self.organization):
user_organization_perms = get_user_perms(self.editing_user, organization)
self.organization_permissions = []
# Get available permissions for both organizaiton and league models
for permission in get_perms_for_model(Organization):
if permission.codename not in settings.RINK_PERMISSIONS_IGNORE:
self.organization_permissions.append(permission)
# Dynamically create inputs for each organization and league permissions
for permission in self.organization_permissions:
initial = False
if permission.codename in user_organization_perms:
initial = True
self.fields["{}{}_{}".format("org", organization.pk, permission.codename)] = forms.BooleanField(
label="{} - {}".format(organization, permission.name),
required=False,
initial=initial,
)
# Since we are a super admin, use all the leagues in our current org
leagues = League.objects.filter(organization=organization)
# Next, if we are a user who only has access to a league (not an organization)
# only allow them to change permissions for that league.
elif self.league and self.request_user.has_perm("league:league_admin", self.league):
leagues = League.objects.filter(pk=self.league.pk)
# Apparently you are not any kind of admin. Bye!
else:
raise PermissionDenied("You don't seem to be an admin of an organization or league. #88")
self.league_permissions = []
for permission in get_perms_for_model(League):
if permission.codename not in settings.RINK_PERMISSIONS_IGNORE:
self.league_permissions.append(permission)
for league in leagues:
user_league_permissions = get_user_perms(self.editing_user, league)
for permission in self.league_permissions:
initial = False
if permission.codename in user_league_permissions:
initial = True
self.fields["{}{}_{}".format("league", league.pk, permission.codename)] = forms.BooleanField(
label="{} - {}".format(league, permission.name),
required=False,
initial=initial,
)
self.helper.add_input(Submit('submit', 'Submit'))
def set_object_permissions(sender, instance=None, created=False, **kwargs):
if created:
for perm in get_perms_for_model(XForm):
assign_perm(perm.codename, instance.user, instance)
def fork(request: HttpRequest, project_id) -> JsonResponse:
"""Attempt to create a new project based on the passed in project ID.
---
parameters:
- name: name
description: Name of new project
required: true
type: string
- name: description
description: Description of new project
required: false
type: string
- name: copy_volumes
description: Whether volumes will be copied to the new project
required: false
type: boolean
defaultValue: false
- name: project_token
description: Whether or not a new project token should be generated
required: false
type: boolean
defaultValue: false
- name: add_to_favorites
description: Whether or not the new project is marked as a favorite
required: false
type: boolean
defaultValue: true
"""
name = request.POST.get('name')
if not name:
raise ValueError('Need new project name')
description = request.POST.get('description')
copy_volumes = get_request_bool(request.POST, 'copy_volumes', False)
create_project_token = get_request_bool(request.POST, 'project_token',
False)
project_token_approval_needed = get_request_bool(
request.POST, 'project_token_approval_needed', False)
project_token_default_perms = get_request_list(
request.POST, 'project_token_default_permissions', [])
add_to_favorites = get_request_bool(request.POST, 'add_to_favorites', True)
current_p = get_object_or_404(Project, pk=project_id)
new_p = get_object_or_404(Project, pk=project_id)
new_p.id = None
new_p.title = name
new_p.comment = description
new_p.save()
# Copy all project-stack links
ps_links = ProjectStack.objects.filter(project=current_p)
for ps in ps_links:
ps.id = None
ps.project = new_p
ps.save()
# Assign read/write/import permissions for new fork
assign_perm('can_browse', request.user, new_p)
assign_perm('can_annotate', request.user, new_p)
assign_perm('can_import', request.user, new_p)
assign_perm('can_fork', request.user, new_p)
assign_perm('can_administer', request.user, new_p)
assign_perm('delete_project', request.user, new_p)
# Creat basic classes and relations
validate_project_setup(new_p.id, request.user.id, fix=True)
# If the source project is a tracing project, make the clone as well one.
# A local import is used here to avoid a high potential for circular imports.
from catmaid.control.tracing import check_tracing_setup, setup_tracing
if check_tracing_setup(project_id):
setup_tracing(new_p.id)
if copy_volumes:
cursor = connection.cursor()
cursor.execute(
"""
INSERT INTO catmaid_volume (user_id, project_id, creation_time,
edition_time, editor_id, name, comment, geometry, area,
volume, watertight, meta_computed)
SELECT user_id, %(new_project_id)s, creation_time, edition_time,
editor_id, name, comment, geometry, area, volume, watertight,
meta_computed
FROM catmaid_volume
WHERE project_id = %(project_id)s;
""", {
'project_id': project_id,
'new_project_id': new_p.id
})
project_token_str = None
if create_project_token:
allowed_permissions = set(
get_perms_for_model(Project).values_list('codename', flat=True))
unknown_permissions = set(
project_token_default_perms) - allowed_permissions
if unknown_permissions:
raise ValueError(
f'Unknown permissions: {", ".join(unknown_permissions)}')
project_token = ProjectToken.objects.create(
**{
'user_id': request.user.id,
'project_id': new_p.id,
'name': "",
'needs_approval': project_token_approval_needed,
'default_permissions': project_token_default_perms,
})
project_token.name = f'Project token #{project_token.id}'
project_token.save()
project_token_str = project_token.token
if add_to_favorites:
FavoriteProject.objects.create(**{
'project_id': new_p.id,
'user_id': request.user.id,
})
return JsonResponse({
'new_project_id': new_p.id,
'n_copied_stack_links': len(ps_links),
'project_token': project_token_str,
})
