def _authorized_to_read(effective_principals, permissions):
"""Return True if the passed request is authorized to read the annotation.
If the annotation belongs to a private group, this will return False if the
authenticated user isn't a member of that group.
"""
read_permissions = permissions.get('read', [])
read_principals = translate_annotation_principals(read_permissions)
if set(read_principals).intersection(effective_principals):
return True
return False
def _authorized_to_read(request, permissions):
"""Return True if the passed request is authorized to read the annotation.
If the annotation belongs to a private group, this will return False if the
authenticated user isn't a member of that group.
"""
read_permissions = permissions.get('read', [])
read_principals = translate_annotation_principals(read_permissions)
if set(read_principals).intersection(request.effective_principals):
return True
return False
def generate_notifications(request, annotation, action):
# Only send notifications when new annotations are created
if action != 'create':
return
# If the annotation doesn't have a parent, we can't find its parent, or we
# have no idea who the author of the parent is, then we can't send a
# notification email.
parent_id = annotation.parent_id
if parent_id is None:
return
parent = storage.fetch_annotation(request, parent_id)
if parent is None or 'user' not in parent:
return
# We don't send replies to the author of the parent unless they're going to
# be able to read it. That means there must be some overlap between the set
# of effective principals of the parent's author, and the read permissions
# of the reply.
child_read_permissions = annotation.get('permissions', {}).get('read', [])
parent_principals = auth.effective_principals(parent['user'], request)
read_principals = translate_annotation_principals(child_read_permissions)
if not set(parent_principals).intersection(read_principals):
return
# Store the parent values as additional data
data = {
'parent': parent
}
subscriptions = Subscriptions.get_active_subscriptions_for_a_type(
types.REPLY_TYPE)
for subscription in subscriptions:
data['subscription'] = subscription.__json__(request)
# Validate annotation
if check_conditions(annotation, data):
try:
subject, text, html, recipients = render_reply_notification(
request,
annotation,
parent)
yield subject, text, html, recipients
# ToDo: proper exception handling here
except TemplateRenderException:
log.exception('Failed to render subscription'
' template %s', subscription)
except:
log.exception('Unknown error when trying to render'
' subscription template %s', subscription)
def generate_notifications(request, annotation, action):
# Only send notifications when new annotations are created
if action != 'create':
return
# If the annotation doesn't have a parent, we can't find its parent, or we
# have no idea who the author of the parent is, then we can't send a
# notification email.
parent_id = annotation.parent_id
if parent_id is None:
return
parent = storage.fetch_annotation(request, parent_id)
if parent is None or 'user' not in parent:
return
# We don't send replies to the author of the parent unless they're going to
# be able to read it. That means there must be some overlap between the set
# of effective principals of the parent's author, and the read permissions
# of the reply.
child_read_permissions = annotation.get('permissions', {}).get('read', [])
parent_principals = auth.effective_principals(parent['user'], request)
read_principals = translate_annotation_principals(child_read_permissions)
if not set(parent_principals).intersection(read_principals):
return
# Store the parent values as additional data
data = {
'parent': parent
}
subscriptions = Subscriptions.get_active_subscriptions_for_a_type(
types.REPLY_TYPE)
for subscription in subscriptions:
data['subscription'] = subscription.__json__(request)
# Validate annotation
if check_conditions(annotation, data):
try:
subject, text, html, recipients = render_reply_notification(
request,
annotation,
parent)
yield subject, text, html, recipients
# ToDo: proper exception handling here
except TemplateRenderException:
log.exception('Failed to render subscription'
' template %s', subscription)
except:
log.exception('Unknown error when trying to render'
' subscription template %s', subscription)
def _authorized_to_read(request, annotation):
"""Return True if the passed request is authorized to read the annotation.
If the annotation belongs to a private group, this will return False if the
authenticated user isn't a member of that group.
"""
# TODO: remove this when we've diagnosed this issue
if ('permissions' not in annotation or
'read' not in annotation['permissions']):
request.sentry.captureMessage(
'streamer received annotation lacking valid permissions',
level='warn',
extra={
'id': annotation['id'],
'permissions': json.dumps(annotation.get('permissions')),
})
read_permissions = annotation.get('permissions', {}).get('read', [])
read_principals = translate_annotation_principals(read_permissions)
if set(read_principals).intersection(request.effective_principals):
return True
return False
def _authorized_to_read(request, annotation):
"""Return True if the passed request is authorized to read the annotation.
If the annotation belongs to a private group, this will return False if the
authenticated user isn't a member of that group.
"""
# TODO: remove this when we've diagnosed this issue
if ('permissions' not in annotation
or 'read' not in annotation['permissions']):
request.sentry.captureMessage(
'streamer received annotation lacking valid permissions',
level='warn',
extra={
'id': annotation['id'],
'permissions': json.dumps(annotation.get('permissions')),
})
read_permissions = annotation.get('permissions', {}).get('read', [])
read_principals = translate_annotation_principals(read_permissions)
if set(read_principals).intersection(request.effective_principals):
return True
return False
def test_translate_annotation_principals(p_in, p_out):
result = util.translate_annotation_principals(p_in)
assert set(result) == set(p_out)
def test_translate_annotation_principals(p_in, p_out):
result = util.translate_annotation_principals(p_in)
assert set(result) == set(p_out)
