def query(self, view_kwargs): """ query method for Discount Code List :param view_kwargs: :return: """ query_ = self.session.query(DiscountCode) # user can only access his/her discount codes. if view_kwargs.get('user_id'): if has_access('is_user_itself', user_id=view_kwargs['user_id']): user = safe_query(self, User, 'id', view_kwargs['user_id'], 'user_id') query_ = query_.join(User).filter(User.id == user.id) else: raise ForbiddenException({'source': ''}, 'You are not authorized') if view_kwargs.get('event_identifier'): event = safe_query(self, Event, 'identifier', view_kwargs['event_identifier'], 'event_identifier') view_kwargs['event_id'] = event.id # event co-organizer access required for discount codes under an event. if view_kwargs.get('event_id'): if has_access('is_coorganizer', event_id=view_kwargs['event_id']): self.schema = DiscountCodeSchemaTicket query_ = query_.filter_by(event_id=view_kwargs['event_id']) else: raise ForbiddenException({'source': ''}, 'Event organizer access required') # discount_code - ticket :: many-to-many relationship if view_kwargs.get('ticket_id') and has_access('is_coorganizer'): self.schema = DiscountCodeSchemaTicket ticket = safe_query(self, Ticket, 'id', view_kwargs['ticket_id'], 'ticket_id') query_ = query_.filter(DiscountCode.tickets.any(id=ticket.id)) return query_
def before_update_object(self, session, data, view_kwargs): """ before update method to verify if session is locked before updating session object :param event: :param data: :param view_kwargs: :return: """ if data.get('is_locked') != session.is_locked: if not (has_access('is_admin') or has_access('is_organizer', event_id=session.event_id)): raise ForbiddenException( {'source': '/data/attributes/is-locked'}, "You don't have enough permissions to change this property", ) if session.is_locked and data.get('is_locked') == session.is_locked: raise ForbiddenException( {'source': '/data/attributes/is-locked'}, "Locked sessions cannot be edited", ) if not can_edit_after_cfs_ends(session.event_id): raise ForbiddenException( {'source': ''}, "Cannot edit session after the call for speaker is ended")
def before_update_object(self, feedback, data, view_kwargs): """ before update object method of feedback details :param feedback: :param data: :param view_kwargs: :return: """ if feedback and feedback.session_id: session = Session.query.filter_by(id=feedback.session_id).first() if session and not current_user.id == feedback.user_id: raise ForbiddenException( {'source': ''}, "Feedback can be updated only by user himself") if session and not has_access('is_coorganizer', event_id=session.event_id): raise ForbiddenException({'source': ''}, "Event co-organizer access required") if feedback and data.get('deleted_at'): if has_access('is_user_itself', user_id=feedback.user_id): delete_feedback(feedback) else: raise ForbiddenException( {'source': ''}, "Feedback can be deleted only by user himself")
def before_update_object(self, speaker, data, view_kwargs): """ method to save image urls before updating speaker object :param speaker: :param data: :param view_kwargs: :return: """ if not can_edit_after_cfs_ends(speaker.event_id): raise ForbiddenException( {'source': ''}, "Cannot edit speaker after the call for speaker is ended") if data.get('photo_url') and data['photo_url'] != speaker.photo_url: start_image_resizing_tasks(speaker, data['photo_url']) if data.get('is_email_overridden') and not has_access( 'is_organizer', event_id=speaker.event_id): raise ForbiddenException( {'pointer': 'data/attributes/is_email_overridden'}, 'Organizer access required to override email', ) elif (data.get('is_email_overridden') and has_access('is_organizer', event_id=speaker.event_id) and not data.get('email')): data['email'] = current_user.email
def before_post(self, args, kwargs, data=None): """ method to add user_id to view_kwargs before post :param args: :param kwargs: :param data: :return: """ require_relationship(['event', 'user'], data) if not has_access('is_coorganizer', event_id=data['event']): event = db.session.query(Event).filter_by(id=data['event']).one() if event.state == "draft": raise ObjectNotFound({'parameter': 'event_id'}, "Event: {} not found".format(data['event_id'])) if get_count(db.session.query(Event).filter_by(id=int(data['event']), is_sessions_speakers_enabled=False)) > 0: raise ForbiddenException({'pointer': ''}, "Speakers are disabled for this Event") if get_count(db.session.query(Speaker).filter_by(event_id=int(data['event']), email=data['email'], deleted_at=None)) > 0: raise ForbiddenException({'pointer': ''}, 'Speaker with this Email ID already exists') if 'sessions' in data: session_ids = data['sessions'] for session_id in session_ids: if not has_access('is_session_self_submitted', session_id=session_id): raise ObjectNotFound({'parameter': 'session_id'}, "Session: {} not found".format(session_id))
def query(self, view_kwargs): """ query method for Attendees List :param view_kwargs: :return: """ query_ = self.session.query(TicketHolder) if view_kwargs.get('order_identifier'): order = safe_query(self, Order, 'identifier', view_kwargs['order_identifier'], 'order_identifier') if not has_access('is_registrar', event_id=order.event_id) or not has_access('is_user_itself', id=order.user_id): raise ForbiddenException({'source': ''}, 'Access Forbidden') query_ = query_.join(Order).filter(Order.id == order.id) if view_kwargs.get('ticket_id'): ticket = safe_query(self, Ticket, 'id', view_kwargs['ticket_id'], 'ticket_id') if not has_access('is_registrar', event_id=ticket.event_id): raise ForbiddenException({'source': ''}, 'Access Forbidden') query_ = query_.join(Ticket).filter(Ticket.id == ticket.id) if view_kwargs.get('user_id'): user = safe_query(self, User, 'id', view_kwargs['user_id'], 'user_id') if not has_access('is_user_itself', id=user.id): raise ForbiddenException({'source': ''}, 'Access Forbidden') query_ = query_.join(User, User.email == TicketHolder.email).filter(User.id == user.id) query_ = event_query(self, query_, view_kwargs, permission='is_registrar') return query_
def validate_event(user, modules, data): if not user.can_create_event(): raise ForbiddenException({'source': ''}, "Please verify your Email") elif data.get('is_ticketing_enabled', True) and not modules.ticket_include: raise ForbiddenException( {'source': '/data/attributes/is-ticketing-enabled'}, "Ticketing is not enabled in the system") if data.get('can_pay_by_paypal', False) or data.get('can_pay_by_cheque', False) or \ data.get('can_pay_by_bank', False) or data.get('can_pay_by_stripe', False): if not modules.payment_include: raise ForbiddenException({'source': ''}, "Payment is not enabled in the system") if data.get('is_donation_enabled', False) and not modules.donation_include: raise ForbiddenException( {'source': '/data/attributes/is-donation-enabled'}, "Donation is not enabled in the system") if data.get('state', None) == 'published' and not user.can_publish_event(): raise ForbiddenException({'source': ''}, "Only verified accounts can publish events") if not data.get('is_event_online') and data.get('state', None) == 'published' \ and not data.get('location_name', None): raise ConflictException({'pointer': '/data/attributes/location-name'}, "Location is required to publish the event") if data.get('location_name', None) and data.get('is_event_online'): raise ConflictException({'pointer': '/data/attributes/location-name'}, "Online Event does not have any locaton") if data.get('searchable_location_name') and data.get('is_event_online'): raise ConflictException( {'pointer': '/data/attributes/searchable-location-name'}, "Online Event does not have any locaton")
def validate_date(self, data, original_data): if 'id' in original_data['data']: session = Session.query.filter_by( id=original_data['data']['id']).one() if 'starts_at' not in data: data['starts_at'] = session.starts_at if 'ends_at' not in data: data['ends_at'] = session.ends_at if 'event' not in data: data['event'] = session.event_id if data['starts_at'] >= data['ends_at']: raise UnprocessableEntity({'pointer': '/data/attributes/ends-at'}, "ends-at should be after starts-at") if 'state' in data: if data['state'] is not 'draft' or not 'pending': if not has_access('is_coorganizer', event_id=data['event']): return ForbiddenException( {'source': ''}, 'Co-organizer access is required.') if 'track' in data: if not has_access('is_coorganizer', event_id=data['event']): return ForbiddenException({'source': ''}, 'Co-organizer access is required.') if 'microlocation' in data: if not has_access('is_coorganizer', event_id=data['event']): return ForbiddenException({'source': ''}, 'Co-organizer access is required.')
def query(self, view_kwargs): """ Method to get access codes list based on different view_kwargs :param view_kwargs: :return: """ query_ = self.session.query(AccessCode) query_ = event_query(self, query_, view_kwargs, permission='is_coorganizer') if view_kwargs.get('user_id'): user = safe_query(self, User, 'id', view_kwargs['user_id'], 'user_id') if not has_access('is_user_itself', user_id=user.id): raise ForbiddenException({'source': ''}, 'Access Forbidden') query_ = query_.join(User).filter(User.id == user.id) if view_kwargs.get('ticket_id'): ticket = safe_query(self, Ticket, 'id', view_kwargs['ticket_id'], 'ticket_id') if not has_access('is_coorganizer', event_id=ticket.event_id): raise ForbiddenException({'source': ''}, 'Access Forbidden') # access_code - ticket :: many-to-many relationship query_ = AccessCode.query.filter( AccessCode.tickets.any(id=ticket.id)) query_ return query_
def before_update_object(self, user, data, view_kwargs): # TODO: Make a celery task for this # if data.get('avatar_url') and data['original_image_url'] != user.original_image_url: # try: # uploaded_images = create_save_image_sizes(data['original_image_url'], 'speaker-image', user.id) # except (urllib.error.HTTPError, urllib.error.URLError): # raise UnprocessableEntity( # {'source': 'attributes/original-image-url'}, 'Invalid Image URL' # ) # data['original_image_url'] = uploaded_images['original_image_url'] # data['small_image_url'] = uploaded_images['thumbnail_image_url'] # data['thumbnail_image_url'] = uploaded_images['thumbnail_image_url'] # data['icon_image_url'] = uploaded_images['icon_image_url'] if data.get('deleted_at') != user.deleted_at: if has_access('is_user_itself', user_id=user.id) or has_access('is_admin'): if data.get('deleted_at'): if len(user.events) != 0: raise ForbiddenException({'source': ''}, "Users associated with events cannot be deleted") elif len(user.orders) != 0: raise ForbiddenException({'source': ''}, "Users associated with orders cannot be deleted") else: modify_email_for_user_to_be_deleted(user) else: modify_email_for_user_to_be_restored(user) data['email'] = user.email user.deleted_at = data.get('deleted_at') else: raise ForbiddenException({'source': ''}, "You are not authorized to update this information.") users_email = data.get('email', None) if users_email is not None: users_email = users_email.strip() if users_email is not None and users_email != user.email: try: db.session.query(User).filter_by(email=users_email).one() except NoResultFound: verify_fresh_jwt_in_request() view_kwargs['email_changed'] = user.email else: raise ConflictException({'pointer': '/data/attributes/email'}, "Email already exists") if has_access('is_super_admin') and data.get('is_admin') and data.get('is_admin') != user.is_admin: user.is_admin = not user.is_admin if has_access('is_admin') and ('is_sales_admin' in data) and data.get('is_sales_admin') != user.is_sales_admin: user.is_sales_admin = not user.is_sales_admin if has_access('is_admin') and ('us_marketer' in data) and data.get('is_marketer') != user.is_marketer: user.is_marketer = not user.is_marketer if data.get('avatar_url'): start_image_resizing_tasks(user, data['avatar_url'])
def check_event_user_ticket_holders(order, data, element): if element in ['event', 'user'] and data[element]\ != str(getattr(order, element, None).id): raise ForbiddenException({'pointer': 'data/{}'.format(element)}, "You cannot update {} of an order".format(element)) elif element == 'ticket_holders': ticket_holders = [] for ticket_holder in order.ticket_holders: ticket_holders.append(str(ticket_holder.id)) if data[element] != ticket_holders and element not in get_updatable_fields(): raise ForbiddenException({'pointer': 'data/{}'.format(element)}, "You cannot update {} of an order".format(element))
def before_post(self, args, kwargs, data=None): """ before post method to verify if the event location is provided before publishing the event and checks that the user is verified :param args: :param kwargs: :param data: :return: """ user = User.query.filter_by(id=kwargs['user_id']).first() modules = Module.query.first() if data.get('is_ticketing_enabled', False) and not modules.ticket_include: raise ForbiddenException( {'source': '/data/attributes/is-ticketing-enabled'}, "Ticketing is not enabled in the system") if data.get('can_pay_by_paypal', False) or data.get('can_pay_by_cheque', False) or \ data.get('can_pay_by_bank', False) or data.get('can_pay_by_stripe', False): if not modules.payment_include: raise ForbiddenException( {'source': ''}, "Payment is not enabled in the system") if data.get('is_donation_enabled', False) and not modules.donation_include: raise ForbiddenException( {'source': '/data/attributes/is-donation-enabled'}, "Donation is not enabled in the system") if not user.can_create_event(): raise ForbiddenException( {'source': ''}, "Only verified accounts can create events") if data.get('state', None) == 'published' and not user.can_publish_event(): raise ForbiddenException( {'source': ''}, "Only verified accounts can publish events") if not data.get('is_event_online') and data.get('state', None) == 'published' \ and not data.get('location_name', None): raise ConflictException( {'pointer': '/data/attributes/location-name'}, "Location is required to publish the event") if data.get('location_name', None) and data.get('is_event_online'): raise ConflictException( {'pointer': '/data/attributes/location-name'}, "Online Event does not have any locaton") if data.get('searchable_location_name') and data.get( 'is_event_online'): raise ConflictException( {'pointer': '/data/attributes/searchable-location-name'}, "Online Event does not have any locaton")
def validate_fields(self, data, original_data): is_patch_request = 'id' in original_data['data'] if is_patch_request: try: session = Session.query.filter_by( id=original_data['data']['id']).one() except NoResultFound: raise ObjectNotFound({'parameter': '{id}'}, "Session: not found") if 'starts_at' not in data: data['starts_at'] = session.starts_at if 'ends_at' not in data: data['ends_at'] = session.ends_at if 'event' not in data: data['event'] = session.event_id if data['starts_at'] and data['ends_at']: if data['starts_at'] >= data['ends_at']: raise UnprocessableEntity( {'pointer': '/data/attributes/ends-at'}, "ends-at should be after starts-at", ) if not is_patch_request and datetime.timestamp( data['starts_at']) <= datetime.timestamp(datetime.now()): raise UnprocessableEntity( {'pointer': '/data/attributes/starts-at'}, "starts-at should be after current date-time", ) if 'state' in data: if data['state'] not in ('draft', 'pending'): if not has_access('is_coorganizer', event_id=data['event']): return ForbiddenException( {'source': ''}, 'Co-organizer access is required.') if 'track' in data: if not has_access('is_coorganizer', event_id=data['event']): return ForbiddenException({'source': ''}, 'Co-organizer access is required.') if 'microlocation' in data: if not has_access('is_coorganizer', event_id=data['event']): return ForbiddenException({'source': ''}, 'Co-organizer access is required.') validate_complex_fields_json(self, data, original_data)
def query(self, view_kwargs): """ query method for EventList class :param view_kwargs: :return: """ query_ = self.session.query(Event).filter_by(state='published') if 'Authorization' in request.headers: _jwt_required(current_app.config['JWT_DEFAULT_REALM']) query2 = self.session.query(Event) query2 = query2.join(Event.roles).filter_by(user_id=current_identity.id).join(UsersEventsRoles.role). \ filter(or_(Role.name == COORGANIZER, Role.name == ORGANIZER)) query_ = query_.union(query2) if view_kwargs.get('user_id') and 'GET' in request.method: if not has_access('is_user_itself', user_id=int(view_kwargs['user_id'])): raise ForbiddenException({'source': ''}, 'Access Forbidden') user = safe_query(db, User, 'id', view_kwargs['user_id'], 'user_id') query_ = query_.join(Event.roles).filter_by(user_id=user.id).join(UsersEventsRoles.role). \ filter(Role.name != ATTENDEE) if view_kwargs.get('event_type_id') and 'GET' in request.method: query_ = self.session.query(Event).filter( getattr(Event, 'event_type_id') == view_kwargs['event_type_id']) if view_kwargs.get('event_topic_id') and 'GET' in request.method: query_ = self.session.query(Event).filter( getattr(Event, 'event_topic_id') == view_kwargs['event_topic_id']) if view_kwargs.get('event_sub_topic_id') and 'GET' in request.method: query_ = self.session.query(Event).filter( getattr(Event, 'event_sub_topic_id') == view_kwargs['event_sub_topic_id']) if view_kwargs.get('discount_code_id') and 'GET' in request.method: event_id = get_id(view_kwargs)['id'] if not has_access('is_coorganizer', event_id=event_id): raise ForbiddenException({'source': ''}, 'Coorganizer access is required') query_ = self.session.query(Event).filter( getattr(Event, 'discount_code_id') == view_kwargs['discount_code_id']) return query_
def before_update_object(self, role_invite, data, view_kwargs): """ Method to edit object :param role_invite: :param data: :param view_kwargs: :return: """ user = User.query.filter_by(email=role_invite.email).first() if user: if not has_access( 'is_organizer', event_id=role_invite.event_id) and not has_access( 'is_user_itself', user_id=user.id): raise UnprocessableEntity({ 'source': '' }, "Status can be updated only by event organizer or user hiself" ) if 'role_name' in data and data[ 'role_name'] == 'owner' and not has_access( 'is_owner', event_id=data['event']): raise ForbiddenException({'source': ''}, 'Owner access is required.') if not user and not has_access('is_organizer', event_id=role_invite.event_id): raise UnprocessableEntity({'source': ''}, "User not registered") if not has_access('is_organizer', event_id=role_invite.event_id) and ( len(list(data.keys())) > 1 or 'status' not in data): raise UnprocessableEntity({'source': ''}, "You can only change your status")
def query(self, view_kwargs): """Filter news-subscriptions""" query_ = self.session.query(NewsSubscription) user = current_identity if not user.is_admin: if view_kwargs.get( 'user_id' ) is not None and user.id != view_kwargs['user_id']: raise ForbiddenException( {'parameter': 'user_id'}, 'User {} must be yourself ({})'.format( view_kwargs['user_id'], user.id)) query_ = query_.filter(User.id == user.id) if view_kwargs.get('news_id') is not None: safe_query(self, News, 'id', view_kwargs['news_id'], 'news_id') query_ = query_.join(News).filter( News.id == view_kwargs['news_id']) if view_kwargs.get('user_id') is not None: safe_query(self, User, 'id', view_kwargs['user_id'], 'user_id') query_ = query_.join(User).filter( User.id == view_kwargs['user_id']) return query_
def test_exceptions(self): """Check ExceptionsHelper: exceptions types""" # Unprocessable Entity Exception with self.assertRaises(UnprocessableEntity): raise UnprocessableEntity( {'pointer': '/data/attributes/min-quantity'}, "min-quantity should be less than max-quantity") # Conflict Exception with self.assertRaises(ConflictException): raise ConflictException({'pointer': '/data/attributes/email'}, "Email already exists") # Authentication Required Exception with self.assertRaises(AuthenticationRequired): raise AuthenticationRequired({'source': ''}, "Authentication Required") # Forbidden Exception with self.assertRaises(ForbiddenException): raise ForbiddenException({'source': ''}, "Access Forbidden") # Method Not Allowed Exception with self.assertRaises(MethodNotAllowed): raise MethodNotAllowed({'source': ''}, "Method Not Allowed")
def before_get(self, args, kwargs): """ before get method to get the resource id for fetching details :param args: :param kwargs: :return: """ if kwargs.get('event_id') is None: if 'GET' in request.method and has_access('is_admin'): pass else: raise ForbiddenException({'source': ''}, "Admin Access Required") elif not has_access('is_coorganizer', event_id=kwargs['event_id']): raise ForbiddenException({'source': ''}, "Co-Organizer Access Required")
def before_create_object(self, data, view_kwargs): user = current_identity # Check author_id if not user.is_admin and not user.is_super_admin and data['author'] != user.id: raise ForbiddenException({'parameter': 'author'}, 'Author {} must be yourself ({})'.format( data['author'], user.id))
def before_get_object(self, view_kwargs): """ before get method to get the resource id for fetching details :param view_kwargs: :return: """ if view_kwargs.get('attendee_id'): attendee = safe_query(self, TicketHolder, 'id', view_kwargs['attendee_id'], 'attendee_id') view_kwargs['id'] = attendee.order.id if view_kwargs.get('order_identifier'): order = safe_query(self, Order, 'identifier', view_kwargs['order_identifier'], 'order_identifier') view_kwargs['id'] = order.id elif view_kwargs.get('id'): order = safe_query(self, Order, 'id', view_kwargs['id'], 'id') if not has_access('is_coorganizer_or_user_itself', event_id=order.event_id, user_id=order.user_id): return ForbiddenException( {'source': ''}, 'You can only access your orders or your event\'s orders') # expire the pending order if time limit is over. set_expiry_for_order(order)
def is_move_comment_author(view, view_args, view_kwargs, *args, **kwargs): user = current_identity if user.is_admin: return True try: move_comment = MoveComment.query.filter( MoveComment.id == kwargs['move_comment_id']).one() except NoResultFound: # pragma: no cover raise ObjectNotFound( 'MoveComment %s not found.' % kwargs['move_comment_id'], {'source': 'move_comment_id'}) if move_comment.author_id == user.id: return True if app.config['ALLOW_GEOKRET_OWNER_TO_MODERATE_MOVE_COMMENTS']: # Allow GeoKret owner to moderate move comments if necessary if move_comment.move.geokret.owner_id == user.id: return True if app.config['ALLOW_MOVE_AUTHOR_TO_MODERATE_MOVE_COMMENTS']: # Allow Move author to moderate move comments if necessary if move_comment.move.author_id == user.id: return True raise ForbiddenException('Access denied.', {'source': 'move_comment_id'})
def before_update_object(self, event, data, view_kwargs): """ method to save image urls before updating event object :param event: :param data: :param view_kwargs: :return: """ if has_access( 'is_admin') and data.get('deleted_at') != event.deleted_at: if len(event.orders) != 0: raise ForbiddenException( {'source': ''}, "Event associated with orders cannot be deleted") else: event.deleted_at = data.get('deleted_at') if 'is_event_online' not in data and event.is_event_online \ or 'is_event_online' in data and not data['is_event_online']: if data.get('state', None) == 'published' and not data.get( 'location_name', None): raise ConflictException( {'pointer': '/data/attributes/location-name'}, "Location is required to publish the event") if data.get('original_image_url') and data[ 'original_image_url'] != event.original_image_url: start_image_resizing_tasks(event, data['original_image_url'])
def before_post(self, args, kwargs, data): """ before post method to check for required relationship and proper permission :param args: :param kwargs: :param data: :return: """ require_relationship(['event'], data) if not has_access('is_coorganizer', event_id=data['event']): raise ForbiddenException({'source': ''}, 'Co-organizer access is required.') if get_count( db.session.query(Event).filter_by( id=int(data['event']), is_sponsors_enabled=False)) > 0: raise ForbiddenException({'pointer': ''}, "Sponsors are disabled for this Event")
def before_post(self, args, kwargs, data): """ before post method to check for required relationship and proper permission :param args: :param kwargs: :param data: :return: """ require_relationship(['event'], data) if not has_access('is_organizer', event_id=data['event']): raise ForbiddenException({'source': ''}, "Minimum Organizer access required") if get_count( db.session.query(Event).filter_by( id=int(data['event']), can_pay_by_stripe=False)) > 0: raise ForbiddenException( {'pointer': ''}, "Stripe payment is disabled for this Event")
def before_delete_object(self, order, view_kwargs): """ method to check for proper permissions for deleting :param order: :param view_kwargs: :return: """ if not has_access('is_coorganizer', event_id=order.event.id): raise ForbiddenException({'source': ''}, 'Access Forbidden')
def before_delete_object(self, obj, kwargs): """ before delete object method for attendee detail :param obj: :param kwargs: :return: """ if not has_access('is_registrar', event_id=obj.event_id): raise ForbiddenException({'source': 'User'}, 'You are not authorized to access this.')
def before_get_object(self, view_kwargs): """ before get object method for attendee detail :param view_kwargs: :return: """ attendee = safe_query(self, TicketHolder, 'id', view_kwargs['id'], 'attendee_id') if not has_access('is_registrar_or_user_itself', user_id=current_identity.id, event_id=attendee.event_id): raise ForbiddenException({'source': 'User'}, 'You are not authorized to access this.')
def before_get(self, args, kwargs): """ before get method to get the resource id for fetching details :param args: :param kwargs: :return: """ if kwargs.get('event_id') and not has_access('is_coorganizer', event_id=kwargs['event_id']): raise ForbiddenException({'source': ''}, "Co-Organizer Access Required")
def is_user_itself(view, view_args, view_kwargs, *args, **kwargs): """ Allows admin and super admin access to any resource irrespective of id. Otherwise the user can only access his/her resource. """ user = current_identity if not user.is_admin and str(user.id) != str(kwargs['user_id']): raise ForbiddenException('Access Forbidden', {'source': 'user_id'}) return True
def before_create_object(self, data, view_kwargs): """ before create object method for OrderListPost Class :param data: :param view_kwargs: :return: """ free_ticket_quantity = 0 for ticket_holder in data['ticket_holders']: # Ensuring that the attendee exists and doesn't have an associated order. try: ticket_holder_object = self.session.query(TicketHolder).filter_by(id=int(ticket_holder), deleted_at=None).one() if ticket_holder_object.order_id: raise ConflictException({'pointer': '/data/relationships/attendees'}, "Order already exists for attendee with id {}".format(str(ticket_holder))) except NoResultFound: raise ConflictException({'pointer': '/data/relationships/attendees'}, "Attendee with id {} does not exists".format(str(ticket_holder))) if ticket_holder_object.ticket.type == 'free': free_ticket_quantity += 1 if not current_user.is_verified and free_ticket_quantity == len(data['ticket_holders']): raise ForbiddenException( {'pointer': '/data/relationships/user', 'code': 'unverified-user'}, "Unverified user cannot place free orders" ) if data.get('cancel_note'): del data['cancel_note'] if data.get('payment_mode') != 'free' and not data.get('amount'): raise ConflictException({'pointer': '/data/attributes/amount'}, "Amount cannot be null for a paid order") if not data.get('amount'): data['amount'] = 0 # Apply discount only if the user is not event admin if data.get('discount_code') and not has_access('is_coorganizer', event_id=data['event']): discount_code = safe_query_without_soft_deleted_entries(self, DiscountCode, 'id', data['discount_code'], 'discount_code_id') if not discount_code.is_active: raise UnprocessableEntity({'source': 'discount_code_id'}, "Inactive Discount Code") else: now = pytz.utc.localize(datetime.utcnow()) valid_from = discount_code.valid_from valid_till = discount_code.valid_till if not (valid_from <= now <= valid_till): raise UnprocessableEntity({'source': 'discount_code_id'}, "Inactive Discount Code") if not TicketingManager.match_discount_quantity(discount_code, None, data['ticket_holders']): raise UnprocessableEntity({'source': 'discount_code_id'}, 'Discount Usage Exceeded') if discount_code.event.id != int(data['event']): raise UnprocessableEntity({'source': 'discount_code_id'}, "Invalid Discount Code")