def has_create_permission(self, request, view, validated_serializer): import mreg.api.v1.views if user_is_superuser(request.user): return True hostname = None ips = [] data = validated_serializer.validated_data if '*' in data.get('name', ''): return False if 'ipaddress' in data: if self.is_reserved_ip(data['ipaddress']): if request_in_settings_group(request, NETWORK_ADMIN_GROUP): return True return False if user_is_adminuser(request.user): return True if isinstance( view, (mreg.api.v1.views.HostList, mreg.api.v1.views.IpaddressList, mreg.api.v1.views.PtrOverrideList)): # HostList does not require ipaddress, but if none, the permissions # will not match, so just refuse it. ip = data.get('ipaddress', None) if ip is None: return False ips.append(ip) hostname = data['host'].name elif 'host' in data: hostname, ips = self._get_hostname_and_ips(data['host']) else: raise exceptions.PermissionDenied(f"Unhandled view: {view}") if ips and hostname: return self.has_perm(request.user, hostname, ips) return False
def create(self, validated_data): auth = get_user_auth(self.context['request']) if not auth.user: raise exceptions.PermissionDenied try: node = self.context['view'].get_target() except exceptions.PermissionDenied: node = self.context['view'].get_target( check_object_permissions=False) if auth.user in node.contributors: raise exceptions.PermissionDenied( 'You cannot request access to a node you contribute to.') raise comment = validated_data.pop('comment', '') request_type = validated_data.pop('request_type', None) if request_type != RequestTypes.ACCESS.value: raise exceptions.ValidationError( 'You must specify a valid request_type.') try: node_request = NodeRequest.objects.create( target=node, creator=auth.user, comment=comment, machine_state=DefaultStates.INITIAL.value, request_type=request_type, ) node_request.save() except IntegrityError: raise Conflict( 'Users may not have more than one {} request per node.'.format( request_type)) node_request.run_submit(auth.user) return node_request
def to_internal_value(self, data): if 'player' in data: data['player'] = user_or_validationerror('player', data['player']).pk if 'game' in data: try: game = models.Game.objects.get(pk=data['game']) if game.is_finished(): raise serializers.ValidationError( {'detail': 'game is finished'}) players = ( game.player_a.id, game.player_b.id, ) if data['player'] not in players: raise exceptions.PermissionDenied( {'player': 'player otside of game'}) moves = game.move_set.order_by('-timestamp').values() if (len(moves) == 0 and data['player'] == game.player_a ) or (len(moves) > 0 and data['player'] == moves[0]['player_id']): raise serializers.ValidationError( {'player': 'Second player is taking turn'}) except models.Game.DoesNotExist: raise serializers.ValidationError( {'detail': 'game with given id does not exist'}) if 'position' in data and data['position'] not in range(9): raise serializers.ValidationError( {'position': 'position index shoud be in range 0..8'}) return super(MoveSerializer, self).to_internal_value(data)
def get(self, request, pk): group = self.request.user.groups.values_list('name', flat=True) if 'Club' in group: queryset = sorted(list( itertools.chain( BioAge.objects.filter( player__id=pk, player__club=self.request.user.club, ), PredictedHeight.objects.filter( player__id=pk, player__club=self.request.user.club), PHV.objects.filter(player__id=pk, player__club=self.request.user.club), )), key=lambda instance: instance.created, reverse=True) elif 'Coach' in group: queryset = sorted(list( itertools.chain( BioAge.objects.filter( player__id=pk, player__club=self.request.user.coach.club), PredictedHeight.objects.filter( player__id=pk, player__club=self.request.user.coach.club), PHV.objects.filter( player__id=pk, player__club=self.request.user.coach.club), )), key=lambda instance: instance.created, reverse=True) else: raise exceptions.PermissionDenied( 'User has no permission to access user data of player.') serializer = FeedDashboardSerializer(queryset, many=True) return JSONResponse(serializer.data)
def retrieve(self, request, pk, format=None): ''' It will return specific user data. ADMIN can retrieve any account. STAFF can retrieve itself only. API: /users/id/ Request type: GET Headers: Authorization: JWT <token> Response data: { "id": int, "username": "******", "email": "string", "firstname": "string", "lastname": "string", "designation": "string" } ''' designation = request.user.designation # Allowed for itself for staff if (designation == strings.STAFF): if not (pk == str(request.user.id)): raise exceptions.PermissionDenied(detail= strings.INVALID_CLIENT) user = self.get_object(pk) try: serializer = UsersSerializerList(user) return Response(serializer.data) except Exception as e: log.error(strings.SERIALIZATION_ERROR_MSG) return Response(serializer.errors)
def my_global_curriculum(self, request): user = get_user_from_request(request) if not isinstance(user, Student): raise exceptions.PermissionDenied() course_spec = user.course.last().specification subjects = Subject.objects.filter(students=user) subject_specs = list(set(map(lambda subj: subj.subject_spec, subjects))) curriculum = [] for subject_spec in subject_specs: subject = {} latest_subject = subjects.filter( subject_spec=subject_spec).latest('lective_year') course_subject = CourseSubject.objects.get( subject=latest_subject, course__specification=course_spec) subject['course_subject'] = CourseSubjectSerializer( course_subject).data subject['subject'] = RestrictedSubjectSerializer( latest_subject).data subject['subject_spec'] = SubjectSpecificationSerializer( subject_spec).data final_grade = FinalGrade.objects.filter( student=user, subject__subject_spec=subject_spec).order_by("-grade").first() if final_grade is not None and final_grade.grade >= settings.PASSING_GRADE: subject['grade'] = FinalGradeSerializer(final_grade).data curriculum.append(subject) return Response(curriculum)
def exception_handler(exc, context): if isinstance(exc, Http404): exc = exceptions.NotFound() elif isinstance(exc, PermissionDenied): exc = exceptions.PermissionDenied() if isinstance(exc, exceptions.APIException): headers = {} if getattr(exc, 'auth_header', None): headers['WWW-Authenticate'] = exc.auth_header if getattr(exc, 'wait', None): headers['Retry-After'] = '%d' % exc.wait if isinstance(exc.detail, (list, dict)): data = exc.detail else: data = {'message': exc.detail} set_rollback() return Response({ 'status': exc.status_code * 1000, 'body': data }, status=exc.status_code, headers=headers) view = context.get('view') logger.error(f'Exception in view {view}: ' f'{exc}') return Response({ 'status': 500000, 'body': { 'message': 'Unknown error.' } }, status=500)
def exception_handler(exc, context): """ Returns the response that should be used for any given exception. By default we handle the REST framework `APIException`, and also Django's built-in `Http404` and `PermissionDenied` exceptions. Any unhandled exceptions may return `None`, which will cause a 500 error to be raised. """ if isinstance(exc, Http404): exc = exceptions.NotFound() elif isinstance(exc, PermissionDenied): exc = exceptions.PermissionDenied() if isinstance(exc, exceptions.APIException): headers = {} if getattr(exc, 'auth_header', None): headers['WWW-Authenticate'] = exc.auth_header if getattr(exc, 'wait', None): headers['Retry-After'] = '%d' % exc.wait if isinstance(exc.detail, (list, dict)): data = exc.detail else: data = {'detail': exc.detail} data = { 'status': exc.status_code, 'msj': None, 'extra': data.get('detail') or data } set_rollback() return Response(data, status=exc.status_code, headers=headers) return None
def exception_handler(exc, context): """ Returns the response that should be used for any given exception. By default we handle the REST framework `APIException`, and also Django's built-in `Http404` and `PermissionDenied` exceptions. Any unhandled exceptions may return `None`, which will cause a 500 error to be raised. """ if isinstance(exc, Http404): exc = exceptions.NotFound() elif isinstance(exc, _PermissionDenied): exc = exceptions.PermissionDenied() headers = {} if isinstance(exc, exceptions.ValidationError): data = {"code": exc.status_code, 'message': exc.default_code, 'data': exc.detail} elif isinstance(exc, exceptions.APIException): # DRF异常处理 code = exc.status_code if getattr(exc, 'auth_header', None): headers['WWW-Authenticate'] = exc.auth_header if getattr(exc, 'wait', None): headers['Retry-After'] = '%d' % exc.wait data = {"code": code, 'message': str(exc.detail), 'data': exc.detail} elif isinstance(exc, BaseError): # 自定义异常处理 data = {"code": exc.code, "message": exc.message} else: data = {"code": HTTP_500_INTERNAL_SERVER_ERROR, "message": "Internal Error", "data": getattr(exc, 'message', repr(exc))} set_rollback() if settings.DEBUG: traceback.print_exc() data.update(traceback=traceback.format_exc()) return Response(data, status=HTTP_200_OK, headers=headers)
def modify(self, request, pk=None): xg_request = get_object_or_404(ShiftExchangeRequest, id=pk) user = get_user_from_request(request) if not isinstance(user, Professor) or xg_request.shift.professor != user: raise exceptions.PermissionDenied() acceptance = request.query_params.get("acceptance", None) if acceptance is not None: acceptance = acceptance == "true" xg_request.acceptance = acceptance xg_request.save() if acceptance: enrolled_shifts = Shift.objects.filter( subject=xg_request.shift.subject, student=xg_request.student, ) shift_ctype = LessonSpecification.objects.filter( shift=xg_request.shift)[0].c_type old_shift = None for shift in enrolled_shifts: _c_type = LessonSpecification.objects.filter( shift=shift)[0].c_type if _c_type == shift_ctype: old_shift = shift break if old_shift is not None: old_shift.student.remove(xg_request.student) xg_request.shift.student.add(xg_request.student) return Response(status=200)
def update(self, instance, validated_data): user = self.context['request'].user if self.partial: allowed_fields = {'state', 'valid_from', 'valid_to'} data = { field: validated_data[field] for field in allowed_fields if field in validated_data } if not data: return instance data['modified_by'] = user # ignore other fields than state, valid_from and valid_to # and do an actual update instead of a new version new_function = super().update(instance, data) new_function.create_metadata_version() return new_function if not user.has_perm(Function.CAN_EDIT): raise exceptions.PermissionDenied(_('No permission to edit.')) if instance.state in (Function.SENT_FOR_REVIEW, Function.WAITING_FOR_APPROVAL): raise exceptions.ValidationError( _('Cannot edit while in state "sent_for_review" or "waiting_for_approval"' )) if not validated_data.get('classification'): validated_data['classification'] = instance.classification validated_data['modified_by'] = user new_function = self._create_new_version(validated_data) new_function.create_metadata_version() return new_function
def allow_access_user(current, user, raise_exception=True): """ Check current user can access user data :param current: int user id or User object :param user: int manager id or User object :param raise_exception: set to True to raise exception :return: boolean allowed or not """ return True # TODO: change this logic, since user.manager_id has not set allowed = False if not isinstance(current, int): user_id = current.manager_id else: user_id = current if not isinstance(user, int): manager_id = user.manager_id else: manager_id = user if manager_id == user_id: allowed = True if not allowed and raise_exception: raise exceptions.PermissionDenied() return allowed
def new(self, request, *args, **kwargs): """ Create a brand new basket object """ self.process_request(with_basket=False) basket_class = cached_load("SHUUP_BASKET_CLASS_SPEC") basket = basket_class(request._request) customer_id = request.POST.get("customer_id") if not customer_id: customer_id = request.data.get("customer_id") if customer_id: is_staff = (self.request.shop and self.request.user.is_staff and self.request.user.pk in self.request.shop.staff_members.all().values_list("pk", flat=True)) is_superuser = self.request.user.is_superuser if int(customer_id) in self._get_controlled_contacts_by_user(self.request.user) or is_superuser or is_staff: basket.customer = Contact.objects.get(pk=int(customer_id)) else: raise exceptions.PermissionDenied("No permission") stored_basket = basket.save() return Response(data={"uuid": "%s-%s" % (request.shop.pk, stored_basket.key)}, status=status.HTTP_201_CREATED)
def create_group(request): id_institution = request.user.instit_id id_matriz = search_matriz(id_institution) user_id = request.user.id if not verify_permission(8, user_id): raise exceptions.PermissionDenied( 'Você não tem permissões para realizar esta operação.') try: group = ProdGrp(instit=id_matriz, niv=1, nv1=request.data.get('nv1'), data=timezone.now()) group.save() all_groups = ProdGrp.objects.filter(instit=id_matriz) all_groups_serialized = GrupoProdutoSerializer(all_groups, many=True) return Response(all_groups_serialized.data) except: raise exceptions.APIException( 'Não foi possível criar o grupo, tente novamente.')
def list(self, request, *args, **kwargs): filter_qs = GuestPost.objects.order_by('created_at').reverse() if request.GET.get('showUserPosts', False): try: filter_qs = filter_qs.filter(owner=self.request.user) except: raise exceptions.PermissionDenied('Not authorized!') else: filter_qs = filter_qs.filter( is_active=True, created_at__gte=datetime.now() - timedelta(days=DAYS_TILL_POST_EXPIRATION)) queryset = self.filter_queryset(filter_qs) try: page = self.paginate_queryset(queryset) except Exception as e: raise exceptions.ParseError( 'Guest posts for requested pages could not be paginated.') if page is not None: serializer = self.get_serializer(page, many=True) data = serializer.data return self.get_paginated_response(data) raise exceptions.NotFound( 'This page of guest postings could not be found.')
def get(self, request, version=None): regions = Region.objects.all() project = request.GET.get('project') if project: project = Project.objects.get(id=project) if not project.can_get(request.user): raise exceptions.PermissionDenied() regions = regions.filter(project=project) regions = regions.distinct() result = {} for region in regions: result[str(region.id)] = [{ 'label': '{} / {}'.format(geo_area.admin_level.title, geo_area.title), 'title': geo_area.title, 'key': str(geo_area.id), 'admin_level': geo_area.admin_level.level, 'admin_level_title': geo_area.admin_level.title, 'region': geo_area.admin_level.region.id, 'region_title': geo_area.admin_level.region.title, } for geo_area in GeoArea.objects.select_related( 'admin_level', 'admin_level__region', ).filter(admin_level__region=region).order_by( 'admin_level__level').distinct()] return response.Response(result)
def customExceptionHandler(exc, context): """ 重写rest_framework.views.exception_handler """ if isinstance(exc, Http404): exc = exceptions.NotFound() elif isinstance(exc, PermissionDenied): exc = exceptions.PermissionDenied() # 接口异常 if isinstance(exc, exceptions.APIException): headers = {} if getattr(exc, 'auth_header', None): headers['WWW-Authenticate'] = exc.auth_header if getattr(exc, 'wait', None): headers['Retry-After'] = '%d' % exc.wait if isinstance(exc.detail, (list, dict)): if isinstance(exc.detail, list): errors = exc.detail else: errors = {k: v[0] for k, v in exc.detail.items()} else: errors = exc.detail set_rollback() data = {'code': -1, 'msg': '失败', 'errors': errors, 'data': []} return Response(data, status=exc.status_code, headers=headers) # 如果是数据库异常 if isinstance(exc, DatabaseError): errors = '数据库异常,请联系管理员' data = {'code': -2, 'msg': '失败', 'errors': errors, 'data': []} return Response(data) return None
def authenticate(self, request): ret = super(ShoutitPageAuthenticationMixin, self).authenticate(request) if ret is None: return ret self.set_api_client(request, ret[1]) page_id_auth = get_authorization_header(request).split() if not page_id_auth: return ret if len(page_id_auth) != 1: msg = _('Invalid page id header. No credentials provided') raise exceptions.AuthenticationFailed(msg) try: page_id = page_id_auth[0].decode() uuid.UUID(page_id) except (UnicodeError, ValueError): raise exceptions.AuthenticationFailed(_('Invalid page id')) try: page = Page.objects.select_related('user').get(id=page_id) except Page.DoesNotExist: raise exceptions.AuthenticationFailed(_('Page does not exist')) if not page.user.is_active: raise exceptions.AuthenticationFailed( _('Page inactive or deleted')) if not page.is_admin(ret[0]): raise exceptions.PermissionDenied( _("You can't act as an admin of the provided page")) setattr(request, '_user', page.user) setattr(request, 'page_admin_user', ret[0]) return page.user, ret[1]
def inner_func(self, request, pk=None, **kwargs): object = self.get_object() transition_method = getattr(object, transition_name) if can_proceed(transition_method, self.request.user): # Perform the requested transition if isinstance(self.request.user, User): transition_method(by=self.request.user) else: transition_method() if self.save_after_transition: object.save() else: raise exceptions.PermissionDenied( 'User {user} cannot perform transition {transition} from {state}' .format(user=self.request.user, transition=transition_name, state=getattr( object, transition_method._django_fsm.field.attname))) serializer = self.get_serializer(object) return Response(serializer.data)
def admin_edit(request, id): user_id = request.user.id if not verify_permission(132, user_id): raise exceptions.PermissionDenied( 'Você não tem permissões para realizar esta operação.') """ FUNCTION FOR THE ADMINISTRATOR TO EDIT THE USER DATA OF THEIR RESPECTIVE INSTITUTION """ User = get_user_model() username = request.data.get('username') first_name = request.data.get('firstName') last_name = request.data.get('lastName') email = request.data.get('email') acess = request.data.get('access') idgrp_id = request.data.get('idGroupUser') idpescod_id = request.data.get('idPerson') try: user = User.objects.get(pk=id) user.first_name = first_name user.last_name = last_name user.email = email user.username = username user.idgrp_id = idgrp_id user.idpescod_id = idpescod_id user.acess = acess user.save() user_serialized = UsersSerializers(user) return Response({ 'detail': 'Os dados foram alterados com sucesso!', 'user': user_serialized.data }) except: raise exceptions.APIException
def register_superuser(request): User = get_user_model() user_id = request.user.id if not verify_permission(15, user_id): raise exceptions.PermissionDenied( 'Você não tem permissões para realizar esta operação.') username = request.data.get('username') password = request.data.get('password') first_name = request.data.get('firstName') last_name = request.data.get('lastName') email = request.data.get('email') person_id = request.data.get('idPerson') institution_id = request.data.get('idInstitution') group_id = request.data.get('idGroup') active = request.data.get('active') access = request.data.get('access') response = Response() try: user = User.objects.create_superuser(username=username, password=password, first_name=first_name, last_name=last_name, email=email, idpescod=person_id, instit=institution_id, idgrp=group_id, ativo=active, acess=access) user.save() serialized_user = UsersSerializers(user) return Response({'user': serialized_user.data}) except: raise exceptions.APIException('Não foi possível cadastrar o usuário')
def post(self, request, af_id, version=None): if not AnalysisFramework.objects.filter( id=af_id ).exists(): raise exceptions.NotFound() analysis_framework = AnalysisFramework.objects.get( id=af_id ) if not analysis_framework.can_get(request.user): raise exceptions.PermissionDenied() new_af = analysis_framework.clone( request.user, request.data or {}, ) serializer = AnalysisFrameworkSerializer( new_af, context={'request': request}, ) project = request.data.get('project') if project: project = Project.objects.get(id=project) if not project.can_modify(request.user): raise exceptions.ValidationError({ 'project': 'Invalid project', }) project.analysis_framework = new_af project.modified_by = request.user project.save() return response.Response( serializer.data, status=status.HTTP_201_CREATED, )
def delete(self, request, *args, **kwargs): """ Deletes a private topic to which the authenticated member participates. --- parameters: - name: Authorization description: Bearer token to make an authenticated request. required: true paramType: header - name: pk description: To remove several private topics, specify this parameter several times. required: true paramType: form responseMessages: - code: 401 message: Not Authenticated """ topics = self.get_queryset() if topics.count() == 0: raise exceptions.PermissionDenied() for topic in topics: self.perform_destroy(topic) return Response(status=status.HTTP_204_NO_CONTENT)
def add(self, request, pk=None): unsrz = AddStockItemSerializer(data=request.data) unsrz.is_valid(raise_exception=True) stockitem = unsrz.validated_data['stockitem'] unit_factor = unsrz.validated_data['unit_factor'] try: sellitem = SellItem.objects.get(pk=pk) except SellItem.DoesNotExist: raise Http404('SellItem (id=%d) does not exist' % pk) if sellitem.bar != request.bar or stockitem.bar != sellitem.bar or stockitem.bar != request.bar: raise exceptions.PermissionDenied('Cannot operate across bars') old_sellitem = stockitem.sellitem stockitem.sellitem = sellitem stockitem.unit_factor *= unit_factor stockitem.save() if old_sellitem.stockitems.count() == 0: old_sellitem.delete() srz = SellItemSerializer(sellitem) return Response(srz.data, 200)
def get_leads(self, request, pk=None, version=None): connector = self.get_object() if not connector.can_get(request.user): raise exceptions.PermissionDenied() project_id = request.data.pop('project', None) project = project_id and Project.objects.get(id=project_id) offset = request.data.pop('offset', None) limit = request.data.pop('limit', None) params = { **(connector.params or {}), **(request.data or {}), } source = source_store[connector.source]() data, count = source.fetch(params, offset, limit) serializer = SourceDataSerializer( data, many=True, context={ 'request': request, 'project': project }, ) results = serializer.data return response.Response({ 'count': count, 'count_per_page': getattr(source, 'count_per_page', None), 'results': results })
def create(self, request, *args, **kwargs): """Create a resource.""" collections = request.data.get('collections', []) # check that user has permissions on all collections that Data # object will be added to for collection_id in collections: try: collection = Collection.objects.get(pk=collection_id) except Collection.DoesNotExist: return Response( { 'collections': [ 'Invalid pk "{}" - object does not exist.'.format( collection_id) ] }, status=status.HTTP_400_BAD_REQUEST) if not request.user.has_perm('add_collection', obj=collection): if request.user.has_perm('view_collection', obj=collection): raise exceptions.PermissionDenied( "You don't have `ADD` permission on collection (id: {})." .format(collection_id)) else: raise exceptions.NotFound( "Collection not found (id: {}).".format(collection_id)) self.define_contributor(request) if kwargs.pop('get_or_create', False): response = self.perform_get_or_create(request, *args, **kwargs) if response: return response return super().create(request, *args, **kwargs)
def validate(self, attrs): attrs = super(AllocationSerializer, self).validate(attrs) # Skip validation on update if self.instance: return attrs correct_name_regex = '^([%s]{1,63})$' % models.SLURM_ALLOCATION_REGEX name = attrs.get('name') if not re.match(correct_name_regex, name): raise core_serializers.ValidationError( _( "Name '%s' must be 1-63 characters long, each of " "which can only be alphanumeric or a hyphen" ) % name ) spl = attrs['service_project_link'] user = self.context['request'].user if not _has_owner_access(user, spl.project.customer): raise rf_exceptions.PermissionDenied( _('You do not have permissions to create allocation for given project.') ) return attrs
def get(self, request, format=None): if not self.request.user.is_staff and not request.user.is_support: raise exceptions.PermissionDenied() customers = structure_models.Customer.objects.all() customers = structure_filters.AccountingStartDateFilter( ).filter_queryset(request, customers, self) name = request.query_params.get('name', '') if name: customers = customers.filter(name__icontains=name) year, month = invoice_utils.parse_period(request.query_params) invoices = invoices_models.Invoice.objects.filter( customer__in=customers) invoices = invoices.filter(year=year, month=month) total = sum(invoice.total for invoice in invoices) price = sum(invoice.price for invoice in invoices) return response.Response({ 'total': total, 'price': price }, status=status.HTTP_200_OK)
def clone(self, request, *args, **kwargs): self.object = self.get_object() data = {'xform': self.object.pk, 'username': request.data['username']} serializer = CloneXFormSerializer(data=data) if serializer.is_valid(): clone_to_user = User.objects.get(username=data['username']) if not request.user.has_perm( 'can_add_xform', UserProfile.objects.get_or_create(user=clone_to_user)[0]): raise exceptions.PermissionDenied( detail=_(u"User %(user)s has no permission to add " "xforms to account %(account)s" % { 'user': request.user.username, 'account': data['username'] })) xform = serializer.save() serializer = XFormSerializer(xform.cloned_form, context={'request': request}) return Response(data=serializer.data, status=status.HTTP_201_CREATED) return Response(data=serializer.errors, status=status.HTTP_400_BAD_REQUEST)
def common_exception_handler(exc, context): if isinstance(exc, Http404): exc = JMSObjectDoesNotExist(object_name=extract_object_name(exc, 1)) elif isinstance(exc, PermissionDenied): exc = exceptions.PermissionDenied() elif isinstance(exc, DJObjectDoesNotExist): exc = JMSObjectDoesNotExist(object_name=extract_object_name(exc, 0)) if isinstance(exc, exceptions.APIException): headers = {} if getattr(exc, 'auth_header', None): headers['WWW-Authenticate'] = exc.auth_header if getattr(exc, 'wait', None): headers['Retry-After'] = '%d' % exc.wait if isinstance(exc.detail, (list, dict)): data = exc.detail else: data = {'detail': exc.detail} set_rollback() return Response(data, status=exc.status_code, headers=headers) return None